Funny thing about auditors: They're not machines. They're people--people who are capable of pet peeves and whose emotions can color the way they approach their work. So wouldn't it make sense for an organization to do everything in its power to keep auditors happy since they hold your organization's compliance success in their hands?
We're not talking bribes or home-baked cookies. We mean engaging in common professional courtesy and a state of readiness that will smooth the way for an easier encounter. The following are three ways that organizations fail to do this on a regular basis.
1. Putting On Airs
Nothing steams an auditor like an IT staffer who tries to use jargon as a weapon, said Glenn Phillips, president of Forte, an audit firm that does IT security and HIPAA assessments.
"Many IT staff have learned that if they use big words or complicated technical language, management may leave them alone. It is also a means to show off how smart they are, and they may even learn to B.S. their way through things this way. After all, who will call them out?" Phillips said. "A good audit team won't fall for it and will know the language. But then management may be confused as to who to believe."
Not only does the baloney terminology and technical vagueness show the auditor there could be something the team is hiding, but it is also just plain insulting. Assuming the auditors don't have the technical mojo to keep up is a surefire way to hack them off.
"My biggest pet peeve as an IT auditor is when network administrators, developers, or any other positions that are more technical in nature attempt to undermine my technical knowledge. Because the developer assumes that I am technically inept, they think that they can give me a low-level answer [to] confuse me to believing that they know what they are talking about," said Andrew Weidenhamer, audit and compliance practice lead at SecureState. "Unfortunately for the developer, I used to be a penetration tester and used these types of vulnerabilities to break into organizations, which, in the end, simply makes the developer look silly."
Role-based access control based on least user privilege is one of the most effective ways to prevent the compromise of corporate data. Our new report explains why proper provisioning is a growing challenge, due to the proliferation of "big data," NoSQL databases, and cloud-based data storage. Download the report now. (Free registration required.)