An Auditor’s Tip #2

In my previous post I tried to calm your fears about being audited by helping you understand the different types of audits you could be facing. Still, you can feel the fear creeping back in, because they are auditors after all. So what can you do next to make sure you are prepared to survive an audit? In one simple word: documentation. I can hear the moaning even in my little post-auditor safe house. Trust me, read on and your life will be a lot easier, and so will your audit.

When you consider that an audit looks at the controls around your IT environment, properly documented policies, processes, and procedures are critical. Documentation is the formal way to show that you and your staff understand the controls they must adhere to. Writing it is not fun, and your auditors are well aware of that: a large percentage of what auditors do is document their own tests, so you will find little sympathy from them if yours is lacking. All is not lost, though. If you start now you can have all the documentation you will need.

The trick is not to throw together something for them to read; it is to make sure that what you actually do is precisely written down. This has multiple benefits. First, the auditors know what standard to audit to. If you don’t document your controls, the worst they can do is write you up and leave early, right? Second, the more you have documented, the less time they have to spend on-site asking you questions. I know auditors are warm and fuzzy, so this may disappoint you enough to slack on your paperwork. Finally, if your procedures are well documented, everyone should be doing things the same way and the auditors should find no control failures. No control failures means easy report writing, which means happy auditors.

Documentation shouldn’t be an audit exercise; it should be a control exercise. A well-controlled environment means a lot less work doing the little things. In the end the benefits far exceed the pain of creating the documentation. Try it; you just might find the benefits go beyond happy auditors.


I was recently at my 7-year-old son’s soccer game. Standing on the sideline cheering him on, it came to my mind that many sports have lessons for information security professionals. In baseball each team plays offense and defense, but there is a clear line between when you are playing each. For half an inning you play offense, trying to score as many runs as you can before you make three outs. Everyone then leaves the field and changes roles from offense to defense. American football is very similar, although there are times when your defensive players are placed in a position to score, which means the other team’s offensive players must take a defensive position. In soccer and basketball players take on both defensive and offensive roles with very little time for transition.

However, this wasn’t the connection I was making in my mind. You see, I had my 2-year-old daughter and 4-year-old son on the sidelines with me. For little ones, watching an hour-long game where kids are running up and down a field kicking a ball is inspiring. So inspiring, in fact, that they wanted to run out on the field with their sibling. My 4-year-old was being very good and sat cheering for his brother. My daughter, on the other hand, kept attempting to become part of the game. I could have walked away from the field and let my daughter run around the park, but this would have meant I couldn’t watch my son’s game. Another option was to hold my daughter for the rest of the game, but that would have meant listening to her be very vocal, which could distract the players and other parents. The only logical option, then, was for me to try to entertain her while watching the game.

No matter how hard you try to keep a toddler from getting out of your grip, it will eventually happen. My daughter would sit on the ground pretending to be all calm, then when I turned away for a second she would dash towards the field. I had anticipated this and so had us sitting far enough from the field that I could catch her before she crossed the sideline. However, no matter how calculated our position was, she managed to cross onto the field during the game. Fortunately she was not in the zone of action, so I was able to avert a major catastrophe. One attempt was not enough, and so I spent the rest of the game keeping her from being plowed down by a bunch of 7-year-old soccer players. I like to refer to this behavior as the Aggravatingly Persistent Toddler, or APT.

The lesson wasn’t in the offense and defense of the game itself; it was in the threat to the game that lurked unknown to the players. Had my daughter wandered onto the field while the players were close by, not only could she have gotten hurt, but the game’s integrity could have been compromised. Despite my daughter gaining access to the playing field, the response was quick and prevented the compromise from affecting the game itself. We sometimes focus security so much on the known attack vectors that we forget there are holes we may not know about. The question is whether we place other tools in our systems to detect a compromise so we can react before the damage becomes too costly. It is great to know what your defenses have prevented, like seeing the goalie block a shot. The real question is, once compromised, can you detect the unusual behaviors that signal unauthorized access? Can you stop the aggravatingly persistent toddlers in your systems?


You have just gotten off the phone with the auditor, who has informed you that the audit is ready to begin. Before you allow panic to set in, I would like to offer some advice which may alleviate some of the Fear, Uncertainty, and Doubt.


The first thing you need to understand is what type of audit is about to be conducted. An “audit” generally takes a detailed look at your adherence to controls, but which ones? An audit of IT as part of a financial attestation is a general review of the IT controls that affect the accuracy of the applications responsible for material line items on your financial statements. SOX requirements have added a bit more scrutiny, but the goal is still to satisfy the auditors that your financial statements are materially accurate. A SAS 70 (the predecessor of today’s SOC 1 report) is different: you define a subset of controls relating to the services you provide, and those are what the auditors review. Defining scope in this review is very important, and it can be as restrictive as you want it to be. A compliance or regulatory audit defines the controls based on the regulations for which you must show compliance. This is probably the most difficult of all the audit types, as the auditors are very specific about what they want to see and what they will accept as compliant. Finally, an internal audit is based on organizational risk. Its scope is focused on the highest risks your technology poses and tries to ensure you have appropriately addressed those risks. Generally speaking, you want your internal auditors to find issues before the external auditors do; it tends to be less complicated for your organization. These are oversimplifications of the audit types, but I think simplification helps take the fear out of the equation.

Before you lose your cool in a panic, find out what type of audit you are about to experience. Armed with knowledge of the audit’s scope, you can better prepare to have someone shine a light on your operations. Take a deep breath; you are one tip closer to surviving the audit.


The Recap

Officers responded to a resident’s call that a man had asked to borrow a computer and then fled on a bicycle. Officers could not locate the suspect.

The Lesson

Not knowing all the details behind this story, I can’t say it was unusual for someone to be asking to borrow a computer. What seems strange is that the person asking for the computer was traveling by bicycle. I am assuming it was the suspect’s own bike, since the report didn’t say the suspect then stole a bicycle to flee. This reminds me that although the traffic we see on our networks may not be unusual, the method of its transport may be out of the ordinary. The job of perimeter security is to stop traffic from connecting through certain protocols or from certain IP addresses. Knowing that most organizations block such traffic, it only makes sense that those trying to gain access to our networks would try to mask themselves as legitimate traffic. However, at some point they have to reveal their true nature, and we need to make sure we monitor for this type of behavior within our networks. Like the suspect in the story above, we can’t assume the most sophisticated methods will always be used to hide unauthorized access attempts.
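As an added illustration of that last point (example code written for this page, not from the original post), the Python below takes a handful of constructed flow records (made-up addresses from the 203.0.113.0/24 documentation range and made-up first payload bytes) and flags connections whose payload does not look like the protocol the destination port implies. A plaintext HTTP request or an SSH banner riding on port 443 is exactly the "true nature" showing through a legitimate-looking port that the post describes. The port-to-protocol table and the byte-pattern heuristics are assumptions of the example, not anything the post specifies.

```python
"""Flag flows whose first payload bytes don't match the protocol their port implies.

Added example, not code from the original post. Port expectations and the
byte-pattern checks below are simplifications chosen for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client->server payload bytes of the connection


def looks_like_tls(b: bytes) -> bool:
    # A TLS record starts with content type 0x16 (handshake) and major version 3.
    return len(b) >= 3 and b[0] == 0x16 and b[1] == 0x03 and b[2] <= 0x04


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def looks_like_http(b: bytes) -> bool:
    # Plaintext HTTP opens with a method token and a space.
    return b.startswith(HTTP_METHODS)


def looks_like_ssh(b: bytes) -> bool:
    # SSH clients and servers exchange an identification string first.
    return b.startswith(b"SSH-")


# Assumed mapping of "what should be on this port" (example assumption).
EXPECTED: Dict[int, Callable[[bytes], bool]] = {
    443: looks_like_tls,
    80: looks_like_http,
    22: looks_like_ssh,
}

# Used to name what the payload actually looks like when it is not what the port implies.
FINGERPRINTS = (("tls", looks_like_tls), ("http", looks_like_http), ("ssh", looks_like_ssh))


def classify(flow: Flow) -> str:
    """Return 'expected', 'unknown-port', or 'mismatch:<what it really is>'."""
    check = EXPECTED.get(flow.dport)
    if check is None:
        return "unknown-port"
    if check(flow.first_bytes):
        return "expected"
    for name, fn in FINGERPRINTS:
        if fn(flow.first_bytes):
            return f"mismatch:{name}"
    return "mismatch:unrecognized"


def find_mismatches(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Only the flows worth an analyst's attention: port says one thing, bytes say another."""
    results = [(f, classify(f)) for f in flows]
    return [(f, verdict) for f, verdict in results if verdict.startswith("mismatch")]


# Constructed sample flows (fictional hosts and payloads).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xf5\x01\x00\x00\xf1\x03\x03"),  # real TLS ClientHello
    Flow("10.0.0.7", "203.0.113.20", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),                        # SSH hiding on 443
    Flow("10.0.0.9", "203.0.113.30", 443, b"GET /beacon HTTP/1.1\r\nHost: x\r\n\r\n"),        # plaintext HTTP on 443
    Flow("10.0.0.11", "203.0.113.40", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),         # ordinary web request
    Flow("10.0.0.13", "203.0.113.50", 443, b"\x00\x01\x02custom-binary-protocol"),           # something unrecognized on 443
    Flow("10.0.0.15", "203.0.113.60", 8443, b"\x16\x03\x03\x00\x40\x01"),                      # TLS on a port we have no rule for
]


if __name__ == "__main__":
    for flow, verdict in find_mismatches(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {verdict}  first={flow.first_bytes[:16]!r}")
```

This is deliberately cheap: it looks only at the opening bytes of the client's payload, so a beacon wrapped in genuine TLS on 443 sails through and needs other telemetry (certificate details, beaconing intervals, destination reputation). The post's point is that the cheap check still catches the attacker who, like the suspect on the bicycle, did not bother to hide the method of transport.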