question

profilejimpop1998
Chapter11TheAuditorsHaveArrivedNowWhat__InformationSecurityGovernanceSimplified.pdf

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 1/52

11

The Auditors Have Arrived, Now What?

Truth exists, only falsehood has to be invented.

Georges Braque, 1882–1963

Auditors perform an essential role in protecting the information assets of

the organization, which should be embraced versus feared. Many times

when an audit is scheduled, whether internally or externally initiated,

the response is one of fear of what the auditors will find as gaps in the in-

formation security program. Analogous to how many people feel when

they are scheduled for their annual performance review, anxiety is al-

most certain to be a normal response. Why is it that way? The answer is

simple: No one likes to criticized for what they have put their best efforts

into, and just like the potentially stressful performance reviews, audits

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 2/52

have the potential to be taken very personally and viewed as a negative

experience. A recent comment by an information security colleague

summed this up very well, in reference to the auditors judging his work

by saying, “Whose baby are you calling ugly?”

The truth is that audits typically do cause anxiety and cause people’s

stress levels and outward emotions to reflect the pressure of being

“judged.” The truth is also that these can be extremely valuable learning

experiences by which those leading information security programs can

learn greatly from the auditors. Auditors are typically very detail ori-

ented and as a result may see items that may be overlooked by big-picture

people. Auditors also typically follow a methodical, systematic approach

to analyzing what that organization asserts are the controls that are in

place. The systematic approach allows them to uncover what may be as-

sumed is actually occurring by the company. For example, a manager

may assume a policy in place that requires that all access be terminated

for an exiting employee within 72 hours is being followed. When the au-

ditor reviews the policy, he or she may find that there was no docu-

mented standard operating procedure, thus raising doubts that a consis-

tent procedure was actually being followed. The auditor may also find

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 3/52

that while logical access was promptly removed, there was no equivalent

procedure within physical security, creating a gap. Many times the audi-

tor will request a full population of employees and request a random

sample based upon the frequency of the process, say 25 or 45 for a daily

process, and test to determine if the requirement was consistently met.

How often do the operational departments within an organization per-

form an independent test of the product or service they are creating?

Companies are doing their utmost best to just get the product of service

out the door. This creates a situation where compliance with the com-

pany policies, procedures, standards, and guidelines is assumed and not

regularly tested. In this respect, we should be welcoming the auditors

with open arms.

A byproduct of performing audits on a regular basis is that managers

are more apt to pay attention to ensure that the standard operating pro-

cedures are actually accurate and reviewed on a periodic basis (mini-

mally on an annual basis). Knowing that they will be judged on the basis

of what process is written versus the current process, if different, even if

the current process is better, will encourage managers to take the docu-

mentation more seriously. Documentation should be regarded as manage-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 4/52

ment directives to ensure that the appropriate activities are being per-

formed at the right time.

Through experience gained through dozens of audits involving the Big

Four accounting firms, audit firms occupying the middle-market tier, and

boutique technical auditing firms, it is safe to say that no two audits are

conducted the same or necessarily have the same goals in mind.

However, there are some basic commonalities as to the flow of an audit

and how the information security department should interact with the

auditors. The next few sections walk through the anatomy of an IT audit

and how the security professional should best prepare for the audit.

Anatomy of an Audit

From a security officer’s point of view, the audit can be separated into

five phases: (1) audit planning, (2) on-site arrival, (3) audit execution, (4)

entrance/status/exit conferences, and (5) report issuance and finding re-

mediation. It is useful to look at the audit as a project, with a discrete set

of steps, a beginning, and an end. Viewing the audit as an activity in this

manner permits the prioritizing, scheduling, and resourcing of the audit

similar to other projects within the company. The success of an audit de-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 5/52

pends upon having knowledgeable individuals available to answer the

questions for which they are most qualified at the appropriate time.

External audits involve an up-front period of negotiations for the scope

and pricing of the audit. This process is normally administered through

the company’s internal audit department in response to a contractual re-

quirement for awarded business (e.g., government contract with Federal

Information Security Management Act [FISMA] provisions or Health

Insurance Portability and Accountability Act [HIPAA] compliance require-

ments). Since the internal audit department may have many internal and

external audits scheduled during a given year, the audit may not occur at

the best time for the information technology (IT) department to have the

resources available. Partnership with internal audit, information security,

information technology, and compliance areas can help mitigate the

scheduling disruptions that can occur. Once the external audit dates are

set, there is typically limited flexibility to move the schedule, as the exter-

nal audit firms also must balance their resources with the needs of other

clients. Teams are typically only put together a few weeks in advance at

the most for the audit firm, but once they are, they tend to be locked in.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 6/52

The phases shown in Figure 11.1 assume that the contract and sched-

ule are now in place, and information security and the other departments

need to prepare for the audit.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 7/52

Figure 11.1 Security audit phases and activities.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 8/52

Audit Planning Phase

The audit planning phase ensures that the auditors have most, if not all,

of the requested information delivered to them when they arrive for the

audit. With sufficient resources dedicated to the up-front planning phase,

the audit runs more smoothly as more time can be dedicated toward ac-

curately answering the auditor’s questions and responding to follow-up

requests versus scrambling for documentation or having less-than-opti-

mal facilities for the auditors to conduct the audit.

Preparation of Document Request List

The first step is to establish an audit coordinator for the information

security/IT portion of the audit. This individual is usually someone within

the IT organization that understands the interoperability of the technical

infrastructure, operations, and management of IT. Internal audit depart-

ments traditionally have focused upon the financial and operational au-

dit areas and may or may not have the IT auditing skills. Even if they do

have individuals with these skills, their role is to audit the organization.

The role of the audit coordinator is to respond to the requests of the audi-

tors, which may be internal or external. To mitigate any conflict of inter-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 9/52

est questions (auditors preparing responses to their own managed au-

dits), an audit coordinator position is established. The function of this in-

dividual is to coordinate all audit requests, ensure timely receipt and de-

livery of the artifacts, schedule meetings, communicate issues, and gener-

ally ensure that a smooth process is followed.

Anywhere from 3 to 5 weeks ahead of the audit, the auditors will pre-

pare and deliver a request for documentation. The request goes by such

names as prepared by client (PBC) listing, client assistance list (CAL), and

agreed upon procedures (AUP). Regardless of the name, the intent of the

request is the same: a document typically in the form of a Word docu-

ment or spreadsheet that contains the auditors’ request for documenta-

tion that they would like to have available when they start the audit. It is

in everyone’s best interest to comply with the request and have 100% of

the items requested available when the auditors start the audit. This per-

mits the auditors to start right away reviewing and understanding the

materials provided. By supplying all of the information at the beginning,

it can also reduce the stress level by avoiding hurry-up requests that must

be immediately supplied to the auditors. There will also be additional re-

quests by the auditors that will consume valuable time during the audit,

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 10/52

so it makes sense to solicit the materials in advance and give the depart-

ments as much of the 3 to 5 weeks time as necessary to collect the arti-

facts. Failure to adequately allow ample preparation time causes the or-

ganization to respond on the fly and not necessarily provide the best re-

sponses due to the short time frame allowed during the audit to provide

the responses.

If any of the audit requests are not clear, the audit coordinator may

need to schedule a meeting to discuss the deliverables requested. The

scope may not be clearly understood by the auditors or the client. As new

auditors are brought into an engagement, they must quickly come up to

speed with the organization, processes, and the business operations.

Since the request list is typically based upon a generic template, assump-

tions may be made about the processing that is performed by the com-

pany being audited. For example, it may be assumed that the company is

following a system development life cycle (SDLC) process to develop soft-

ware, when in fact the organization may have outsourced the develop-

ment and maintenance activities to a system integrator and is running

these processes at the data center. If the audit of the data center is also in

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 11/52

scope, the SDLC processes can be obtained through a separate audit of the

data center.

The requests are usually organized into sections deemed as important

by the auditor and may or may not be numbered. The number of items

requested varies, but typically 50 to 200 requests for different security el-

ements are normal. There is little consistency between audit firms as to

what is requested, as each audit firm has constructed its audit program

based upon what it considers to be important, modified by the focus de-

sired by the organization or branch of government requesting the audit.

The number of auditors and scope may dictate how much testing is per-

formed within the audit. An audit that has 2 to 3 auditors on site for 1 to 3

weeks will involve substantially less testing than a 4-week audit with 10

auditors on site.

An example of an audit request for documentation can be seen in

Figure 11.2. A description of the contents of the request, an associated

control ID, dates requested and dates received, and a field for comments

are typical. One item that is not stated is how this document will be used

within the audit! The auditors do not necessarily tie the request to the

control item being tested, nor do they necessarily want to make this clear.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 12/52

After all, this is an audit to test the operations, and if they are testing to

determine if the controls are adequate to protect the information assets,

then it should be irrelevant if the company knows what control is being

tested when the documentation request is made—the organization should

have the document in question. On the other hand, it helps to know the

context of the request in order to supply the correct documentation.

Figure 11.2 Document request list example.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 13/52

Once the request list is received, the items should be assigned an inter-

nal control number for tracking. This helps tremendously during the au-

dit to track and determine what has and what has not been provided. The

next step is to determine which (1) director, (2) manager, and (3) subject

matter expert, or primary point of contact is in the best position, knowl-

edge-wise, to respond to the request. The documentation request list can

be modified to place these accountable and responsible positions in col-

umns for each request so that it is clear who will own this deliverable.

Although it may seem obvious, it is vitally important to establish who the

correct owners are up front or time ends up being wasted when a man-

ager indicates the day before the deliverable is due that they are not the

correct owner. This action is unfair to the manager who now needs to

scramble to complete the request and does not promote the generation of

a quality product.

The updated spreadsheet with the internal tracking numbers, account-

able management, and subject matter experts is then distributed to the

organization by the audit coordinator, typically within 1 week after re-

ceiving the initial request list. Managers should be given a couple of days

to receive the listing and confirm that the items are theirs, and if not, rec-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 14/52

ommend who should own the requested item. At this point they are not

fulfilling the request but rather merely indicating whether it is theirs to

supply. It is best to place the responsibility with the assigned manager to

reach agreement with the department manager that should own the re-

quest and inform the audit coordinator. This avoids multiple conversa-

tions between the audit coordinator and each party that can potentially

increase the time to gain agreement due to unavailability of all parties to

the conversation.

Now that the documentation requests each have an owner associated

with them, each owner can now begin the process of collecting the arti-

facts for submission. The audit coordinator should create an audit artifact

repository of some sort to capture and organize the artifacts. This may be

a simple directory structure, containing one folder for each item on the

request list (the folder will most likely contain multiple documents to sat-

isfy the request) or may be a more elaborate homegrown database or

vendor-created database. Either of these methods are preferred to subject

matter experts sending the requests via e-mail, as the file sizes can typi-

cally exceed internal 5 to 10 megabyte limitations of the e-mail service or

the storage of the audit participants. Additionally, when others need to

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 15/52

look up the audit artifacts that have been supplied, without a central net-

work storage area, they may have been the recipient of the initial e-mail

and will have to request the information be forwarded again. This in

turn, increases the company’s storage requirements and is very

inefficient.

Gather Audit Artifacts

Once each manager has accumulated all of the artifacts assigned to him

or her for the audit, the manager needs to confirm with the audit coordi-

nator that the collection is complete. At this point, the audit coordinator

can review the contents and determine whether all of the information

has been provided. This quality assurance process increases the likeli-

hood that the information will not have to be re-requested. The auditor

coordinator looks for such discrepancies as:

Accuracy spot check—Check to determine if information supplied

matches the information requested.

Empty folders—Contents may have been placed in a different audit di-

rectory, accidently deleted, moved to another folder, or misplaced. It all

happens.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 16/52

An insufficient artifact—The audit coordinator has typically seen a sim-

ilar request across audits over time and is usually in the best position

to determine whether this artifact is complete.

Time period not valid—If the audit is from October 1, 2012, to March

31, 2013, and a standard operating procedure updated April 8, 2013, is

supplied, the new procedure would not have been effective during the

period.

Sizes too large—If the file sizes are too large, say >10 MB, then it may

be difficult if the files need to be subsequently e-mailed to the auditor.

It is best to break these directories into subdirectories prior to the

audit.

Outdated policies/procedures—A quick review of the last update date

would indicate whether this might be an old artifact.

Whereas the management and subject matter experts are responsible

to ensure that the audit artifacts are accurate and comply with the infor-

mation request, the spot checking by the audit coordinator is a value-

added step that can find problems with the information prior to presenta-

tion to the auditors. Figure 11.3 shows a data model representation of the

audit artifacts.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 17/52

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 18/52

Figure 11.3 Audit artifact data model.

Provide Information to Auditors

Once all of the information has been collected by the audit coordinator

for all of the items requested on the document request list, the audit coor-

dinator can burn an initial CD, DVD, or USB drive containing all of the in-

formation. Since much of the information will be highly confidential (net-

work diagrams, access control lists, employee listings, background checks,

logs, etc.), the information must be encrypted. Encryption programs have

substantially fallen in price in the past few years, so there is little justifi-

able reason to not protect this information. Programs such as WinZip,

SecureZip, PKZip, or programs based upon the zip format are used by

most audit firms and can be opened by their auditors. This should be ver-

ified with the auditors prior to starting the engagement, as not all encryp-

tion programs are compatible. For example, Winzip or SecureZip cannot

open a file encrypted using Pointsec software because it used as a propri-

etary nonzip internal format. However, a file encrypted by Winzip (ver-

sion 9.0 or greater) or SecureZip can be opened by either program since

the internal format used in both products is based on the zip format.

Providing multiple copies to the auditors is typically appreciated to en-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 19/52

able them to ramp up quickly while on site without having to spend time

copying sizable files across a network or wait for others to complete copy-

ing the files to their disks. Although most auditors in the profession utilize

encrypted hard disks on their PCs to store the client files, it is advisable to

confirm this with the auditors before providing them with the

information.

On-Site Arrival Phase

Auditors may schedule a pre-on-site meeting ahead of the audit to ensure

that the appropriate logistics have been taken care of. A listing of the

items typically requested by the auditors in advance is shown in Figure

11.4. The next sections discuss considerations for some of the key items

requested by the auditors that are needed during the on-site arrival. In

reality, these items are planned for in the audit planning phase, and uti-

lized within the on-site arrival phase.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 20/52

Figure 11.4 Preaudit visit logistical items.

Internet Access

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 21/52

Even though the auditors are engaged at the client site, they still have re-

sponsibilities to the home office and need to communicate with other se-

nior-level auditors and partners. They may need to share files, access e-

mail, conduct conference calls, access home office software, and so forth.

One method of providing this access is to provide internal network access

and subsequent access to the Internet. This involves setting up the audi-

tors similar to how contractors may be connected to the system—with a

user account on the network and access to the Internet. The problem with

this configuration is that the auditors are now resident on the network

and may have access to more network files than desired. Auditors should

be treated with the same security need-to-know and least-privilege princi-

ples that are applied to other users of the organization’s information

assets.

An alternative solution that serves to provide the access the auditors

need while simultaneously limiting the exposure of internal information

outside the scope of the audit is to provide network access via a wireless

broadband router. This relatively inexpensive solution provides the audi-

tors with the access required and keeps the auditors from having to be set

up on the organization’s computer network. Not only does this save time

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 22/52

in set up, but it provides a fast solution to deploy to the auditors. In other

words, the day they arrive on site, the wireless broadband router can be

plugged in and they are ready to begin work. The router also permits

sharing of the broadband connection between the auditors. It is advisable

to have one broadband router per every four auditors to ensure adequate

bandwidth when downloading and uploading large files.

Once the availability of this device is known within the company, it is

not unusual for the IT department to have more requests than there are

routers. Given the inexpensive nature of an inexpensive piece of hard-

ware (under $200 as of this writing) and the aircard monthly fees (gener-

ally $60/month or less depending upon pricing discounts and usage), it

makes sense to ensure that there are extra routers that can be shipped to

alternate audit locations to support the audit. The hidden costs of request-

ing accounts, setting up audit access, terminating accounts, requesting au-

ditor names, and so forth are greater than the one time cost of the routers

and monthly charges.

Reserve Conference Rooms

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 23/52

Depending upon the size and duration of the audit, a small or large con-

ference room may be needed. Failure to provide a room with enough

space for both the auditors and the auditees can create an environment

that increases the stress levels of both parties. The proper size conference

room for the interviews may not be known until the interview schedule

has been created. Most organizations do not have extra conference rooms

so these should be scheduled at the start of the audit. The auditors may

request that a room also be reserved for their private conversations that

are separate from the room reserved for the interviews and the other au-

ditors. This permits sidebar discussions without disturbing the rest of the

team. However, it is not unusual to see auditors with headphones on in

large conference rooms to block out the distractions of the other auditors.

If possible, locate a conference room that is away from the individuals

performing a bulk of the work that is being audited. This avoids embar-

rassing situations where someone may make a comment related to an as-

pect that is currently being audited and being overheard by the auditor.

Although the comment may be accurate, it may be taken out of context by

the auditor or substantiate an issue that the auditor was investigating.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 24/52

Staff should also be courteous to the auditors and respect the noise levels

and conversations outside the conference room.

Temperature control is always a consideration. Although it may be

tempting to smoke out or freeze up the auditors, this strategy is ill ad-

vised. While this may be obvious, keep in mind that there will be more in-

dividuals in the room at one time with the auditors and auditees and

body heat will tend to raise the temperature.

Physical Access

The degree of physical access needs to be defined in advance: What build-

ing? What times? Must the access be escorted? How long can they keep

their badges? Some auditors will be using their own experiences with the

badging process to evaluate the physical visitor, consultant, employee

and contractor security controls. If the visitor log policy indicates that an

individual is supposed to obtain a badge and sign out at the end of each

day and this function is not required of the auditors, then this may result

in an audit finding based upon the lack of control enforcement. Or, if the

policy is that the auditor must be escorted and the auditor finds that dur-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 25/52

ing the course of the audit he was free to roam the building, this could

also result in a finding.

Special auditor badges with predefined access and required to conform

to a separate auditor visitor policy is recommended. Auditors generally

work until the early evening hours or start early, so a 7 a.m. to 7 p.m. ac-

cess policy would satisfy most auditor needs. As far as escorting, auditors

are being entrusted with vast amounts of confidential information to per-

form an audit, so the risk of damage by allowing the auditors in the build-

ing without an escort is low. Auditors could be granted access badges that

permit entry the week during their audit and be required to return the

badges at the end of the fieldwork. Agreements with the auditors should

be made that they will confine their activities to the conference rooms,

restrooms, and break rooms without needing an escort, but if they need

to visit other operational areas that they must have an escort. The escort

would preferably be the audit coordinator or his or her designate.

Conference Phones

Ever been on a phone conference and someone is shuffling papers, hav-

ing a conversation on a cell phone, or hear dogs barking in the back-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 26/52

ground? We all have, and it does not help the subject matter being dis-

cussed. A good quality conference phone, such as a Polycom, should be

placed in each conference room where interviews will be held. Since in-

terviews generally involve geographically dispersed individuals or will

involve someone calling in while traveling, there will need to be a phone

for the conference. The speakerphones on office phones are not designed

to handle a room of people between 4 and 8 feet away from the phone. A

better setup is to have a conference phone with two microphones at-

tached by 3- to 4-foot cords. The acoustics of the room should also be

tested to ensure that outside, heating or air conditioning, or fan noise is

not interfering with the sound quality level.

Schedule Entrance, Exit, Status Meetings

Entrance, exit, and status meetings should be scheduled at least a week in

advance of the start of the audit, preferably 2 weeks or more, so that the

appropriate management and technical staff can make themselves avail-

able to attend. Consideration should be given to those individuals who re-

side in different time zones, with the avoidance of a pre-8 a.m. meeting in

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 27/52

any time zone if possible. Individuals should be at their best for the audit

calls and for most staff this would be during their normal workday hours.

Set Up Interviews

As with the entrance, exit, and status meetings, as many interviews as

possible should be scheduled prior to the start of the audit. The document

request list provides the procedures, reports, samples, and other evi-

dence, but does not have the element of human interaction and explana-

tion of what is written in the documents. The interview provides the audi-

tor with the opportunity to ask clarifying questions of the information

provided. This also represents an opportunity to provide an overall big

picture description of a control or management area. For example, the in-

formation security manager could provide an overview of access man-

agement or security administration and how user IDs and logins are ob-

tained; the business continuity/disaster recovery manager could explain

all of the activities involved in ensuring continuity of operations; or the

human resources manager could explain how a new hire is on boarded

into the organization with reference checks, background checks, confi-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 28/52

dentiality statements, and PeopleSoft human resource/payroll transac-

tions. Potential overview areas to be scheduled are listed in Figure 11.5.

Figure 11.5 Potential security audit interview areas.

Interviews should be scheduled for 1 to 1.5 hours each with at least 30

minutes in between each interview to permit the auditors a chance to di-

gest what they have heard and subsequently review their notes. They will

also need time to prepare for the next interview. Generally, the interviews

should be scheduled during the first week of a multi-week audit so that

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 29/52

the appropriate understanding of the environment controls and pro-

cesses are understood by the audit early on in the process. This can avoid

sample pulls of the wrong information or invalid assumptions when eval-

uating the documents provided, leading to rework for both parties. Given

these constraints, it is generally advisable to spread the interviews out

during the first week, with no more than two scheduled for a morning or

an afternoon. Afternoon or morning status meetings will also be sched-

uled during these days as well. Given that the first day is a travel day,

many auditors will request that no more than one interview be scheduled

the afternoon of the first day in addition to the entrance meeting. The sta-

tus meeting is typically not scheduled on the first day, as there is nothing

to report. The auditors also prefer this time to begin reviewing the docu-

ment request list items.

Finally, it is also useful to create a spreadsheet to map the individuals to

the date and time of the interview to ensure that there are no availability

issues. It should also be noted whether that person is required to be phys-

ically present for the interview. There is usually more interaction with a

face-to-face interview and more rapport is established with the auditor.

At a minimum the primary point of contact should be present in the in-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 30/52

terview, with the secondary individuals available by phone. The audit co-

ordinator should also be present in the interviews to monitor how the au-

dit is performing as well as to initiate the conference calls, record the at-

tendees, and continuously look for ways to improve the audit process.

Audit Execution Phase

The audit execution phase begins after the on-site arrival phase and con-

tinues until the end of the audit. Although the on-site arrival phase may

last 1 to 4 weeks, the audit execution phase may extend several weeks or

months past the on-site portion depending upon the scope of the audit.

The extended time is necessary for off-site quality reviews by the audit

firm. Even if the testing is completed during the on-site period, it may be

several months before the draft, final draft, or final report is issued.

Additional Audit Meetings

With appropriate planning in scheduling the meetings, the meetings

should flow from the entrance to the exit conference according to the

schedule. Additional meetings will have to be scheduled as the auditor re-

views the documents requested and performs tests of the audit plan. The

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 31/52

security manager is best served by letting the auditor request these addi-

tional meetings, as they are only necessary if the auditor is having diffi-

culty interpreting the information provided. In other words, volunteering

to set up meetings to walk through every document requested when the

auditor has not specifically requested the meeting only takes away from

valuable audit time the auditor has to complete the audit. The auditor

may have reviewed the information provided and decided that the evi-

dence was sufficient and therefore needed no further explanation.

Establish Auditor Communication Protocol

Messages on the Internet get from person A to person B through a stan-

dard communications protocol. Teenage text messages are sent by under-

standing an agreed upon set of communications, some that make us LOL.

To be really effective in working with the auditors to ensure that they

have the right information, at the right place, at the right time, we need to

establish an effective way of communicating. Failure to do so ends up

with the auditor saying things like “I requested that information 5 days

ago and haven’t seen it,” possibly evoking the response, “But we sent it to

your team three times already.” Who is right? At this point, it does not re-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 32/52

ally matter, what matters is that the process of communication failed. At

the end of the day, if the auditor does not receive the information re-

quested during the audit time period, he cannot validate that the docu-

mented control is in place and working.

To increase the likelihood that the aforementioned scenario does not

occur, the following activities should be agreed upon with the auditor no

later than the first day of the audit. A good time to discuss this protocol is

after the entrance meeting, between the audit coordinator and the lead

auditor and the audit team.

Track every information request from the auditor during the audit in a

spreadsheet separate from the auditor document request list.

Assign a unique number to each information request to enable

tracking.

Ensure during the audit that it is clear which information request re-

ferred to is being analyzed by referring to the tracking number.

Implement a scheme (e.g., a, b, c, 01, 02, 03) to track follow-up requests

for information already provided. This helps to keep the information

organized together.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 33/52

Require the auditors to put all requests in writing and assign a number

to ensure that it is clear what the auditor is requesting.

Determine the number of times a day the auditor would like to receive

outstanding requests. Limiting to once or twice a day unless there are

many requests increases both auditor and auditee efficiency.

Require that all incoming and outgoing requests go through the audit

coordinator so that they can be tracked.

The net effect of these items is that all information is tracked and the

status is immediately known. When the status meetings are held and the

auditor and the audit coordinator have tracked the requests, they can be

compared to see where the gaps are and reconciled. Accurate tracking by

a central person avoids the he-said-she-said discussion, as well as creating

the impression that the company is working diligently to ensure that the

auditor has the information on a timely basis. From an economic perspec-

tive, it is just better business to have to request and furnish the informa-

tion one time.

Establish Internal Company Protocol

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 34/52

Just as it is important to have a protocol established with the auditors, it

is equally important that the following protocol is followed internally:

All audit requests for additional information are sent only from the au-

dit coordinator.

All responses to requests for additional information are sent to the au-

ditor from the audit coordinator.

E-mail subject lines contain the year, audit name, tracking number,

brief description of item to permit searching for requests.

Information is placed in a directory related to the tracking number and

a reply to the request from the audit coordinator from the person pro-

viding the information indicates that the information is complete and

ready to be provided to the auditor.

A protocol is established for moving the request from “completed sta-

tus” to “sent to the auditor” by the audit coordinator.

Audit requests are expected to be fulfilled within 24 hours (exceptions

may be acceptable for items that must be retrieved from off site or

other contractors/outsourced operations).

Figure 11.6 shows the flow of information from the initial request

through fulfillment. By tracking each request in a spreadsheet and subse-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 35/52

quently maintaining a tracking number throughout the process, informa-

tion is less likely to be lost. As shown in the diagram, when the audit coor-

dinator assigns the request, it is logged in a spreadsheet with a tracking

number. The same number, in this case AC33, is used as the folder name

under the directory REQ\041313 where 041313 is date the item was re-

quested (April 13, 2013). Once the audit coordinator receives the e-mail

response from the point of contact assigned to fulfill the request in the

folder that the information is complete, he proceeds to move the folder to

the SENT\[today’s date] folder. He then provides this information to the

auditor along with other items that are complete.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 36/52

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 37/52

Figure 11.6 Information request flow.

Using this method of SENT and REQfolders (1) provides a mechanism (a

place) for the point of contact to place the items requested, and (2) pro-

vides knowledge that the information was subsequently provided to the

auditor. The folder structure also serves as an additional validation of the

tracking spreadsheet (e.g., no contents in the REQ_folder indicate the re-

quest was completed).

Media Handling

The documents provided for the auditors’ review during the course of an

audit contain confidential information that could cause harm if disclosed

outside the organization or beyond the audit firm. For this reason, all in-

formation provided to the auditors should be encrypted, preferably with

a product that is FIPS 140-2 compliant. This greatly reduces the risk that

this information will be disclosed during the useful life. Documents such

as security plans, baseline configurations, script output, and firewall

rules contain highly confidential information.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 38/52

Media may be passed to the auditors on site by burning the information

onto a CD or USB drive. In either case, it is not necessary to encrypt each

file individually, but rather each submission to the auditor could be en-

crypted by encrypting the high level folder and all subdirectories. For ex-

ample, the contents were copied to the

\SecurityAudits\2013\SENT\041910a folder, where a equals the first sub-

mission of the day to the auditors, then this folder could be encrypted and

the contents copied to a CD or USB drive.

Establishing a common password for the entire project makes the en-

cryption process much easier and also increases the probability that after

the audit files will be readable because one-time passwords may not be

well documented. The password should be communicated to the team in

a separate e-mail. The password should also be constructed as a strong

password due to the nature of the audit artifacts that are being collected.

A password comprised of at least eight characters (preferably ten), at

least one uppercase, one lowercase, one numeric, and one special charac-

ter should be sufficient. A password constructed in this way also tends to

void the use of pet names, dictionary names, birthdays, and so forth.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 39/52

It is not advisable to send the audit artifacts by e-mail, as the average

user has a plethora of e-mails on a daily basis and tracking who sent what

when and to whom becomes a challenge. As previously mentioned, the

better approach is to use the e-mail system for the audit coordinator to

distribute the requests to the points of contact, requesting that the audit

artifacts be placed in the appropriate REQ\Date\ItemTrackingNo on the

server for subsequent handling. These can be placed on the server in an

unencrypted format, as the audit coordinator will encrypt the entire con-

tents of the SENT\Date+suffix folder when the items are sent. It is also not

uncommon for the size of many of these files or file collections to exceed

the 10 MB range, which is typically a constraint imposed on the e-mails

today.

It is to the company’s advantage to provide as much information to the

auditors while on site due to these files easily fitting on 16, 32, or 64 GB

USB drives. Once the auditor has left the site, the files may have to be bro-

ken into 10 MB file sizes or less, the files encrypted, and multiple e-mails

sent to the off-site auditors. This situation can be avoided by adequate

preparation and confirmation that the auditors have received all of the

required documents during the status meetings and the site exit meeting.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 40/52

The file size may be so large (>100 MB) that it only makes sense to burn

this information to a CD or copy to a USB and send it via overnight mail.

This is not desirable, as there are still delays for the auditor in receiving

the information, plus this adds unnecessary expense in having to provide

rework. Some audit firms have secure FTP servers, and to avoid the ne-

cessity of validating the security of that environment, the audit coordina-

tor could view the FTP transmission as that of being over an open net-

work (even if it is encrypted), and subsequently still encrypt the file

folder containing the audit evidence before FTPing the file. In this man-

ner, the information is sure to meet the security requirements of the au-

dited organization.

Audit Coordinator Quality Review

The point of contacts or subject matter experts that are supplying the in-

formation are in the best position to ascertain whether they are meeting

the audit request, as they are the ones that are closest to the business

process. The audit coordinator still needs to briefly review the informa-

tion provided to the auditors as a second look to catch errors such as

those similar to those previously noted in reviewing the initial document

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 41/52

request list. Given that it may take an overnight process to extract re-

quested information, and the auditors may not review the information

provided immediately, it behooves the organization to provide the infor-

mation requested correctly the first time. The QA process works to ensure

completeness of the response.

The Interview Itself

Auditees are expected to answer questions truthfully and failure to do so

may constitute obstruction of a federal audit with U.S.-government-initi-

ated audits, or constitute a company or industry ethics violation. Audits

are intended to improve the organization’s control environment, and ly-

ing or misrepresenting the facts would serve little purpose and not lead

to making needed improvements in processes that would be identified by

the audits.

With truthfulness as the foundation for the audit, the auditee respon-

dent should only answer the questions that are asked. Providing details

outside of the request not only wastes the auditors time with fluff that

may be irrelevant to the testing the auditor is performing, but it may also

expose other areas of vulnerability that are beyond the scope of the audit.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 42/52

Some auditors are known for going on fishing expeditions, whereby they

may ask, “I have just one more question,” a line made famous by the TV

show Columbo, which originally aired in the 1970s. This line of question-

ing is primarily intended to reveal a flaw within the system by poking

around. So why would we not want to know all the areas where we have

issues? The answer is not so much that we do not want to know, but

rather we want to be on a fair playing field with our competitors. Say, for

example, that our firm is being audited for Payment Card Industry Data

Security Standard (PCIDSS) compliance by a qualified auditor or our con-

tractual requirements mandates that a Statement on Auditing Standards,

No. 70 (SAS 70, PCAOB, n.d.) be performed to get the business, we would

want to be evaluated based upon an audit program that our competitors

are being evaluated against. Therefore, it is important that individuals

that are selected for interview are able to answer the questions posed by

the auditors, but not so verbose that they start talking about unrelated

items or bring up other vulnerabilities outside of the scope of the audit.

Most people are proud of their work and want to talk about it with who-

ever will listen. An audit interview, outside of the interview sections

where overviews of the processes are provided, is not the time to explain

all the details of a process unless requested by the auditor.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 43/52

Mock interview sessions are advantageous for those individuals that

have not been involved in an audit before, as well as a refresher for those

who engaged in them infrequently. In a mock interview, an individual

can portray the auditor, asking a series of questions requesting evidence

that a control activity was performed. This can help put the interviewee

more at ease during the audit. The mock interview may also trigger addi-

tional information request ideas that were previously missed to support

the organization’s control position.

Entrance, Exit, and Status Conferences

The entrance, exit, and status conferences are scheduled throughout the

audit and provide the essential information to the various stakeholders to

keep the audit on track. The worst-case scenario is to get to the end of an

audit and have a list of findings that were not previously discussed. At

this point the opportunity is lost to provide more information that may

have cleared the issue, leading the more expensive process to tracking the

issue, reporting evidence demonstrating that the proper controls were in

place, and subsequently obtaining agreement on closure of the issue.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 44/52

Entrance Meeting

The audit entrance meeting provides the opportunity to ensure that the

organization knows the audit scope, expectations, and key dates. The en-

trance meeting is often scheduled late Monday morning to early after-

noon to allow for traveling. Auditors generally travel Sunday night to

Thursday evening or Monday morning to Friday evening to provide for

some balance since on-site auditors for Big Four accounting firms are

traveling 80% to 100% of the time depending upon the contracts.

Hopefully the audit coordinator has communicated as much as possible

to the organization prior to the arrival of the entrance meeting, because

the preparation activities as previously mentioned needed to ensure that

the documentation would be available for the entrance meeting. Some

auditors will request that the documentation request list be provided as

soon as possible, sometimes ahead of the entrance meeting, however, as

is more often the case, the auditors tend to start looking at the materials

after the entrance meeting has begun. Why? Because their time is usually

fully committed to a prior client the weeks preceding this engagement. As

a result, there is limited time to look at the files that are provided to them,

and most auditors will agree that receiving the files the day they are on

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 45/52

site will give them plenty to keep busy. In addition, this also provides

more time to ensure that the document request list has been adequately

prepared, reviewed, and QAed prior to providing to the auditors. The ex-

ception to this may be when scripts are requested to be run against infra-

structure devices, such as Unix/Windows servers, firewalls, routers, and

the output is needed for them to begin their analysis.

Senior management should be invited to the entrance meeting so that

they are aware of the scope and timeline of the audit. All managers who

have a role in providing information, attending interviews, or providing

staff should also be included. Depending upon the organization, it gener-

ally does not hurt to encourage everyone that has a key role in providing

information to the auditors to attend as well. The entrance call is sched-

uled for 30 minutes to 1 hour, however, in practice the call is normally 10

to 15 minutes as there is not much to discuss at this point. The scope has

been agreed to per prior audit engagement contracts or conversations

and should not be a surprise at this juncture. The meeting is more of a

formality to kickoff the audit project and answer any questions that need

to be clarified.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 46/52

From an organization’s point of view, the audit entrance meeting

should not be considered complete if there are still lingering questions re-

garding (1) audit scope, (2) timing of fieldwork, (3) delivery dates of the

draft and final reports (may be approximate), (4) documentation re-

quested, (5) samples that will be requested, and (6) departments that

must be involved. Failure to have an understanding of any of these items

by this point can lead to unnecessary confusion.

Exit Meeting

An audit may have multiple exit meetings depending upon the duration

of the audit. If the audit involves on-site fieldwork of several weeks, but

the audit itself takes several months to complete, the auditors may hold a

site exit meeting to reaffirm the results of their fieldwork, while schedul-

ing a formal exit conference at the end of their analysis and prior to is-

suance of the audit report. The purpose of the exit meeting is to signal ei-

ther the end of the audit activities and ensure that both the auditor and

auditee come away with the same understanding. These are usually

scheduled in late morning or midday on the final day of the audit, again

permitting auditor cleanup and travel time in the afternoon.

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 47/52

Status Meetings

Status meetings provide a more frequent opportunity for the auditor and

the auditee to ensure that there are no surprises or misunderstandings at

the exit conference. Knowing what issues the auditors are facing early in

the process provides an opportunity to provide other documentation that

may better answer the auditors’ request or permit further dialogue to

clarify the control in question. It also provides the opportunity for the au-

dit coordinator to validate that the auditor has received the information

requested and the information provided was satisfactory.

Some organizations prefer a daily status meeting; however, in practice,

if the audit coordinator is communicating on a frequent basis with the

auditor, a formal meeting every other day should be sufficient. These are

scheduled near the end of the normal workday (4 p.m. or 4:30 p.m.) for 30

minutes so that other management staff can call in. This is true even if

the auditors may be working until 6 or 7 p.m. to ensure the most atten-

dance possible. The meetings should be focused on what observations,

gaps, or findings have been noted or what documentation has been re-

quested and is still outstanding. An agenda and updated document re-

quest list should be provided by the auditor in advance of each status up-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 48/52

date meeting to ensure that the conversation is focused on the important

issues.

Report Issuance and Finding Remediation Phase

All control deficiencies should be known and communicated by the exit

conference. If for some reason testing could not be completed, there

could be additional deficiencies noted after the auditors have left the site.

If this is the case, for reasons mentioned in the media handling section,

this complicates the audit and should be avoided. Proactive inquiry of the

auditors to ensure they have all the necessary information, especially by

the start of the last week of the audit, should be done. The auditors should

be focused on completing their work papers the last week of the audit

versus performing additional testing. This usually occurs because of dis-

agreement in earlier testing or the selection of a new sample that was

deemed insufficient (e.g., population was assumed to be employees and

contractors, but only employees were provided).

At the exit conference, the auditor should provide a listing of control

deficiencies (also referred to as gaps, observations, exceptions, or find-

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 49/52

ings, depending upon the nomenclature used by the auditor). These might

end up as findings on the final report. Auditors might have to evaluate

the findings with other organizations that have been included in the

scope of the audit. For example, for a chief financial officer’s audit con-

tracted by the federal government, the audit firm may wait until it has

been to all the sites to ensure that it has been consistent in its approach

and fair to each contractor. Another reason for not receiving the findings

at the exit conference is that further peer reviews may need to be per-

formed, or the senior partners may need to review the work papers con-

taining the audit testing and evidence collected.

A draft report is subsequently issued with the findings. There should be

no surprises if the audit team and the organization have worked together.

Usually when surprises end up on the report, it is the result of (1) lack of

clear communicating in the beginning as to what conditions would create

a finding, (2) a prior issue was surfaced but not communicated that it was

a finding, (3) documentation requested were not provided, (4) misunder-

standing that an earlier agreement was or was not reached when dis-

cussing a gap, or (5) the auditor held the issue to the end to avoid con-

frontation. In my experience through many audits, number 5 does occur,

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 50/52

but usually one of the other items is the primary reason for surprises.

Surprises should be left for birthdays and holidays and not audit findings.

Once the draft report is received by the organization from the auditor,

the auditee has 5 to 10 business days to provide a response. The response

provides the auditee an opportunity to agree or disagree to the audit find-

ing and explain why. These comments are included in the reissued draft

report, which should be issued 5 to 10 days after receipt of the auditee’s

comments. If the organization agrees with the finding, it is best to also

note a corrective action plan (CAP) at this time. The corrective action plan

explains at a high level what will be done to mitigate the deficiency and

when this will be completed. The CAP will need to be submitted within 30

days after the final report is reissued with the auditee comments, so if

there is agreement, this may as well be included in the draft report. This

provides the reader who is not so familiar with the audit an early under-

standing as to what steps will be taken.

The final report issuance varies by audit firm and the contractual re-

quirements. Internal review of the draft report and work papers adds off-

site time after the fieldwork to ensure the audit report is accurate.

Sometimes this process can take months between the issuance of the

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 51/52

1.

2.

draft and the final report. Firms that are security conscious will not wait

for the final report to begin action on the issues. CAPs are typically due

within 30 days after final report issuance, and it is preferable to mitigate

the vulnerability within 90 days from the cap due date. Obviously, long

security implementations will be the exception but should not be the rule.

Ninety days should be sufficient for mitigating most vulnerabilities given

the appropriate priority. Each of the CAPs should be tracked to ensure

that the person responsible is completing the milestones and the target

date is still on track. As the CAPS are completed, the audit artifacts includ-

ing changed processes, reports, project plans, and evidence of implemen-

tation should be retained to provide to the auditor for next year’s review.

The auditor will then take these items and use them as partial evidence to

close the finding.

Suggested Reading

U.S. Government Accountability Office. February 2009. GAO Federal Information

Systems Controls Audit Manual (FISCAM).

http://www.gao.gov/special.pubs/fiscam.html

Public Company Accounting Oversight Board. Auditing standards,

http://pcaobus.org/Standards/Auditing/Pages/default.aspx

5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 52/52