Monthly Archives: September 2010

Recently a friend of mine told me how worried and nervous she was about an impending audit of her systems. I tried to help calm her fears, and that led to this blog post about how to react to a systems audit.

I am by no means an expert, but I have had my systems audited more than once, and with the proper attitude, it can actually be a positive thing, not necessarily a nuisance.

First of all, it’s your systems that are being audited. It isn’t about you. Of course, the results, good or bad, will reflect on you, but that is a fact of life, and now isn’t the time to worry about it. You should of course be familiar with your systems, their state of compliance with the law and with your company’s rules and guidelines, and if there are any known deviations, you should be prepared to explain them. Very few people run perfectly tight ships, and there is always room for improvement. Take this audit as a chance to identify any weak spots and thus help you fix them. If there were any previous audits, review them. If they recommended actions you should take, be prepared either to show you have implemented them, or to explain why they haven’t been implemented.

Clearly understanding the objectives

Before the audit even starts you should have a meeting with your management. What do they expect from the audit, and what limitations, if any, are in place? Depending on the size of your infrastructure and the scope of the audit, you may be working solo or heading a team. Make sure management is aware that time and resources will be allocated to the audit.

Then you should schedule a meeting with the auditing team. Sit down with them and make sure you are both working on common ground. Both teams must agree on what will be audited, how, and for how long. This doesn’t have to be set in stone, but it helps if both teams have a clear understanding of what they are doing before they actually start. This is sometimes a tricky situation. The auditors don’t always have a clear understanding of your system, and it is up to you to help them understand it and how they can perform their audit without disrupting the operation of the system.

Use this meeting to make sure the audit team has all it needs to start working.

Agree on methodology

Usually the audit team will propose a methodology to use. Make sure you understand it and are comfortable with it. If you have any questions, ask them now; they’ll be happy to explain and, if necessary, adjust to your concerns.

This is where you’ll define one of the most important features: who will actually access the data. Some audit teams insist on accessing the systems themselves; others are willing to ask you for the information they need. Both approaches have pros and cons. Having another team accessing the systems can potentially disrupt daily activities. It will, however, grant them access to the data so they can collect exactly what they need. On the other hand, if you agree that all requests come through you, you can collect the data they need whenever it is most appropriate, but that will add to your workload and to your involvement in the audit.

Starting the audit

If this is a formal audit and you have a large team, it’s a good idea to schedule an informal meeting to introduce the auditors to the rest of the team. Explain what they will be doing, and make sure you identify anyone responsible for any major part of your infrastructure. Make sure everyone is aware of the audit and, if necessary, instruct them on how to cooperate with the audit team.

Answer questions in a truthful manner

You are the expert when it comes to your systems. You can’t expect the auditors to get to know them as well as you do in a couple of days. Just think how long it took you to get to know it all. That means they will have questions, and you should be prepared to answer them. And, as with everything in life, you should give honest answers. Don’t lie to the auditors. At the very least you will lose self-respect, and at worst you can get fired, and possibly prosecuted. Be professional and they will respect that, even if there are some problems in your system.

As a side note, one of the best auditors I’ve worked with started his work with some very, very basic questions that could eventually lead you to believe he wasn’t very knowledgeable about what he was auditing. As the audit progressed his questions became much more specific and detailed, showing us that he did indeed fully understand the system, and that the initial questions were just part of his method.

Review the results (and act upon them)

The audit will produce, at the very least, a report on its findings. At the end of the audit you should have another meeting in which the auditors present their report. If possible, try to get a draft copy of the report so you can be prepared for the meeting. The auditors will explain their findings and you have a chance to ask questions about any issues. Make sure you understand their findings.

After the audit

Use the information in the report to take another look at your systems, now through the auditor’s eyes. Prepare an answer for every issue they raised. Maybe it isn’t an issue after all, and there is some reason for its existence? Then document it. If it is a real issue you should address, work the solution into your to-do list, and write down that the issue is being addressed. This will help your system when it comes to the next audit, and it will also leave you in control.

Prepare another meeting with management, who have probably already received a copy of the report, and present your answers to the issues within it. This may be the end of the audit, but not necessarily of your involvement with it. Present your plan to solve the issues in the report, and agree on a timeline to address them.

I ended up writing more than I intended, and I’m certain this is by no means an exhaustive list, but I think the basic ideas are present, and you can adapt them to your own situation. There is no reason to panic because of the audit. A set of fresh eyes looking at things can sometimes be very useful.