At a previous employer, we recruited audit to support an initiative to develop a comprehensive access control and review tool. Having the auditors’ input and support early in the process helped to sell management on the wisdom and viability of our recommendation.
So while I occasionally (only occasionally) and good-naturedly (VERY good-naturedly!) poke fun at auditors, and I am not suggesting you have to bring one home to dinner tonight, there may be real benefits to working more closely with the ones just down the hall.
Popularity: 1%
2 Comments
I have been on both sides of the equation. I have a CISA and a CISSP. I started life on the IT Security side and then went to work for the big4.
I always thought that this was a well understood principal, but as I look for a new position, I find that this idea of Auditor and IT Security being friendly is not well understood.
Organizations that worked with me when I was auditing them, benefitted from the relationship. I was able to point out the areas that they knew needed fixed and didn’t have the budget to fix.
The groups that tried to keep me at arms length were looked at with a magnifying glass because we assumed that they MUST be hiding something large or they don’t know their environment or sometimes both.
Auditor being Auditor and IT Security/Engineer being what they are, I suggest finding someone with both skills to sit in between and manage the relationship, find data and get the auditors what they need and on their way. It saves money and can turn a bad audit finding into something more useful.
Thanks for your comments, Darian. I actually do play that “sit in between” role now, and the collaboration has paid huge dividends, though I’m not sure the detente will survive the current economic upheaval as our company cuts costs.