We recognize that it's not always possible to anticipate an audit.
The audit can present additional work to already full plates. Our processes are flexible and we are accustomed to working around departmental deadlines. Communicating your deadlines and schedule constraints to the auditor early in the planning will help build the best audit timeline for your department and the auditor.
There are a number of things you can do to prepare for the audit:
- Review the steps of the audit process.
- Share the Audit Announcement memo with the relevant staff and management in your department.
- Identify the appropriate staff to be in the Opening Meeting. Share these names with your auditor.
- Gather documentation about your department including org charts, strategic plans, operating policies, procedures, and process flowcharts.
- Assess what systems the auditor may need to review and access.
- Consult with your department's Security Unit Liaison or other IT security staff regarding relevant data security standards and policies. Specifically, discuss the current status of standard IT security work: Risk Evaluation of Computers and Open Networks (RECONs), and Risk Treatment Plans (Vulnerability Management).
Finally, the audit will be an opportunity to discuss many aspects of your department's operations. Auditors have and can access large amounts of information and best practices and are always willing to share. Consider challenges you and your department face and leverage the audit process as an opportunity for positive change.