Recently I posted an article in the Security Group on Spiceworks from Network World on the benefits of failing an IT audit. I also posed the question to this group, “Would you rather fail an audit to uncover weaknesses, or rely on other means?” The responses were intriguing. Most agreed in general that an audit, when performed with good intentions, can be helpful even if there were problems found. Others responded that before resorting to a 3rd-Party to perform an audit, they believed performing a self-audit offered many of the same opportunities to reveal and thus correct problems.
The thought of an audit may strike fear in many individuals at all levels of an organization. For some, the stakes are very high: losing insurance, dismissal from a trade group, or even losing a critical industry credential that customers have come to expect. Mostly, audits are routine and serve to ensure there is, at the minimum, a check-and-balance to satisfy whichever regulatory body requires it.
Some felt the use of the term ‘fail’ was harsh in this context and not reflective of what auditing seeks to achieve. I felt the author’s use of the term was commensurate with audit success because it should be viewed as a pass/fail exercise. I would argue however that the implications of a failed audit should appropriately reflect the potential risks introduced as a result of such failure. What’s the use in getting a C+ on your audit? Shouldn’t an audit reflect complete adherence to the applicable body of standards? Is it acceptable to entrust numerous souls to a commercial airline pilot who demonstrates only above average skill when tested?
At NetWrix, we want to help organizations pass their audits. That's why we actively and continually improve all of our products, such as Change Reporter Suite and Identity Management Suite. These tools sustain compliance by detecting, storing, and reporting on all IT infrastructure changes across some of the largest enterprises in the world, which are bound by regulations such as SOX, HIPAA and PCI. From network and storage appliances to Exchange and Active Directory to password security, NetWrix has a solution to help achieve successful audits.
What are your thoughts on audits? Do you have any audit stories to share good and bad? What standard is the most challenging and potentially most damaging should an organization fail such an audit? Please share your thoughts below: