question
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 1/52
11
The Auditors Have Arrived, Now What?
Truth exists, only falsehood has to be invented.
Georges Braque, 1882–1963
Auditors perform an essential role in protecting the information assets of
the organization, which should be embraced versus feared. Many times
when an audit is scheduled, whether internally or externally initiated,
the response is one of fear of what the auditors will find as gaps in the in-
formation security program. Analogous to how many people feel when
they are scheduled for their annual performance review, anxiety is al-
most certain to be a normal response. Why is it that way? The answer is
simple: No one likes to criticized for what they have put their best efforts
into, and just like the potentially stressful performance reviews, audits
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 2/52
have the potential to be taken very personally and viewed as a negative
experience. A recent comment by an information security colleague
summed this up very well, in reference to the auditors judging his work
by saying, “Whose baby are you calling ugly?”
The truth is that audits typically do cause anxiety and cause people’s
stress levels and outward emotions to reflect the pressure of being
“judged.” The truth is also that these can be extremely valuable learning
experiences by which those leading information security programs can
learn greatly from the auditors. Auditors are typically very detail ori-
ented and as a result may see items that may be overlooked by big-picture
people. Auditors also typically follow a methodical, systematic approach
to analyzing what that organization asserts are the controls that are in
place. The systematic approach allows them to uncover what may be as-
sumed is actually occurring by the company. For example, a manager
may assume a policy in place that requires that all access be terminated
for an exiting employee within 72 hours is being followed. When the au-
ditor reviews the policy, he or she may find that there was no docu-
mented standard operating procedure, thus raising doubts that a consis-
tent procedure was actually being followed. The auditor may also find
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 3/52
that while logical access was promptly removed, there was no equivalent
procedure within physical security, creating a gap. Many times the audi-
tor will request a full population of employees and request a random
sample based upon the frequency of the process, say 25 or 45 for a daily
process, and test to determine if the requirement was consistently met.
How often do the operational departments within an organization per-
form an independent test of the product or service they are creating?
Companies are doing their utmost best to just get the product of service
out the door. This creates a situation where compliance with the com-
pany policies, procedures, standards, and guidelines is assumed and not
regularly tested. In this respect, we should be welcoming the auditors
with open arms.
A byproduct of performing audits on a regular basis is that managers
are more apt to pay attention to ensure that the standard operating pro-
cedures are actually accurate and reviewed on a periodic basis (mini-
mally on an annual basis). Knowing that they will be judged on the basis
of what process is written versus the current process, if different, even if
the current process is better, will encourage managers to take the docu-
mentation more seriously. Documentation should be regarded as manage-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 4/52
ment directives to ensure that the appropriate activities are being per-
formed at the right time.
Through experience gained through dozens of audits involving the Big
Four accounting firms, audit firms occupying the middle-market tier, and
boutique technical auditing firms, it is safe to say that no two audits are
conducted the same or necessarily have the same goals in mind.
However, there are some basic commonalities as to the flow of an audit
and how the information security department should interact with the
auditors. The next few sections walk through the anatomy of an IT audit
and how the security professional should best prepare for the audit.
Anatomy of an Audit
From a security officer’s point of view, the audit can be separated into
five phases: (1) audit planning, (2) on-site arrival, (3) audit execution, (4)
entrance/status/exit conferences, and (5) report issuance and finding re-
mediation. It is useful to look at the audit as a project, with a discrete set
of steps, a beginning, and an end. Viewing the audit as an activity in this
manner permits the prioritizing, scheduling, and resourcing of the audit
similar to other projects within the company. The success of an audit de-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 5/52
pends upon having knowledgeable individuals available to answer the
questions for which they are most qualified at the appropriate time.
External audits involve an up-front period of negotiations for the scope
and pricing of the audit. This process is normally administered through
the company’s internal audit department in response to a contractual re-
quirement for awarded business (e.g., government contract with Federal
Information Security Management Act [FISMA] provisions or Health
Insurance Portability and Accountability Act [HIPAA] compliance require-
ments). Since the internal audit department may have many internal and
external audits scheduled during a given year, the audit may not occur at
the best time for the information technology (IT) department to have the
resources available. Partnership with internal audit, information security,
information technology, and compliance areas can help mitigate the
scheduling disruptions that can occur. Once the external audit dates are
set, there is typically limited flexibility to move the schedule, as the exter-
nal audit firms also must balance their resources with the needs of other
clients. Teams are typically only put together a few weeks in advance at
the most for the audit firm, but once they are, they tend to be locked in.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 6/52
The phases shown in Figure 11.1 assume that the contract and sched-
ule are now in place, and information security and the other departments
need to prepare for the audit.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 7/52
Figure 11.1 Security audit phases and activities.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 8/52
Audit Planning Phase
The audit planning phase ensures that the auditors have most, if not all,
of the requested information delivered to them when they arrive for the
audit. With sufficient resources dedicated to the up-front planning phase,
the audit runs more smoothly as more time can be dedicated toward ac-
curately answering the auditor’s questions and responding to follow-up
requests versus scrambling for documentation or having less-than-opti-
mal facilities for the auditors to conduct the audit.
Preparation of Document Request List
The first step is to establish an audit coordinator for the information
security/IT portion of the audit. This individual is usually someone within
the IT organization that understands the interoperability of the technical
infrastructure, operations, and management of IT. Internal audit depart-
ments traditionally have focused upon the financial and operational au-
dit areas and may or may not have the IT auditing skills. Even if they do
have individuals with these skills, their role is to audit the organization.
The role of the audit coordinator is to respond to the requests of the audi-
tors, which may be internal or external. To mitigate any conflict of inter-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 9/52
est questions (auditors preparing responses to their own managed au-
dits), an audit coordinator position is established. The function of this in-
dividual is to coordinate all audit requests, ensure timely receipt and de-
livery of the artifacts, schedule meetings, communicate issues, and gener-
ally ensure that a smooth process is followed.
Anywhere from 3 to 5 weeks ahead of the audit, the auditors will pre-
pare and deliver a request for documentation. The request goes by such
names as prepared by client (PBC) listing, client assistance list (CAL), and
agreed upon procedures (AUP). Regardless of the name, the intent of the
request is the same: a document typically in the form of a Word docu-
ment or spreadsheet that contains the auditors’ request for documenta-
tion that they would like to have available when they start the audit. It is
in everyone’s best interest to comply with the request and have 100% of
the items requested available when the auditors start the audit. This per-
mits the auditors to start right away reviewing and understanding the
materials provided. By supplying all of the information at the beginning,
it can also reduce the stress level by avoiding hurry-up requests that must
be immediately supplied to the auditors. There will also be additional re-
quests by the auditors that will consume valuable time during the audit,
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 10/52
so it makes sense to solicit the materials in advance and give the depart-
ments as much of the 3 to 5 weeks time as necessary to collect the arti-
facts. Failure to adequately allow ample preparation time causes the or-
ganization to respond on the fly and not necessarily provide the best re-
sponses due to the short time frame allowed during the audit to provide
the responses.
If any of the audit requests are not clear, the audit coordinator may
need to schedule a meeting to discuss the deliverables requested. The
scope may not be clearly understood by the auditors or the client. As new
auditors are brought into an engagement, they must quickly come up to
speed with the organization, processes, and the business operations.
Since the request list is typically based upon a generic template, assump-
tions may be made about the processing that is performed by the com-
pany being audited. For example, it may be assumed that the company is
following a system development life cycle (SDLC) process to develop soft-
ware, when in fact the organization may have outsourced the develop-
ment and maintenance activities to a system integrator and is running
these processes at the data center. If the audit of the data center is also in
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 11/52
scope, the SDLC processes can be obtained through a separate audit of the
data center.
The requests are usually organized into sections deemed as important
by the auditor and may or may not be numbered. The number of items
requested varies, but typically 50 to 200 requests for different security el-
ements are normal. There is little consistency between audit firms as to
what is requested, as each audit firm has constructed its audit program
based upon what it considers to be important, modified by the focus de-
sired by the organization or branch of government requesting the audit.
The number of auditors and scope may dictate how much testing is per-
formed within the audit. An audit that has 2 to 3 auditors on site for 1 to 3
weeks will involve substantially less testing than a 4-week audit with 10
auditors on site.
An example of an audit request for documentation can be seen in
Figure 11.2. A description of the contents of the request, an associated
control ID, dates requested and dates received, and a field for comments
are typical. One item that is not stated is how this document will be used
within the audit! The auditors do not necessarily tie the request to the
control item being tested, nor do they necessarily want to make this clear.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 12/52
After all, this is an audit to test the operations, and if they are testing to
determine if the controls are adequate to protect the information assets,
then it should be irrelevant if the company knows what control is being
tested when the documentation request is made—the organization should
have the document in question. On the other hand, it helps to know the
context of the request in order to supply the correct documentation.
Figure 11.2 Document request list example.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 13/52
Once the request list is received, the items should be assigned an inter-
nal control number for tracking. This helps tremendously during the au-
dit to track and determine what has and what has not been provided. The
next step is to determine which (1) director, (2) manager, and (3) subject
matter expert, or primary point of contact is in the best position, knowl-
edge-wise, to respond to the request. The documentation request list can
be modified to place these accountable and responsible positions in col-
umns for each request so that it is clear who will own this deliverable.
Although it may seem obvious, it is vitally important to establish who the
correct owners are up front or time ends up being wasted when a man-
ager indicates the day before the deliverable is due that they are not the
correct owner. This action is unfair to the manager who now needs to
scramble to complete the request and does not promote the generation of
a quality product.
The updated spreadsheet with the internal tracking numbers, account-
able management, and subject matter experts is then distributed to the
organization by the audit coordinator, typically within 1 week after re-
ceiving the initial request list. Managers should be given a couple of days
to receive the listing and confirm that the items are theirs, and if not, rec-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 14/52
ommend who should own the requested item. At this point they are not
fulfilling the request but rather merely indicating whether it is theirs to
supply. It is best to place the responsibility with the assigned manager to
reach agreement with the department manager that should own the re-
quest and inform the audit coordinator. This avoids multiple conversa-
tions between the audit coordinator and each party that can potentially
increase the time to gain agreement due to unavailability of all parties to
the conversation.
Now that the documentation requests each have an owner associated
with them, each owner can now begin the process of collecting the arti-
facts for submission. The audit coordinator should create an audit artifact
repository of some sort to capture and organize the artifacts. This may be
a simple directory structure, containing one folder for each item on the
request list (the folder will most likely contain multiple documents to sat-
isfy the request) or may be a more elaborate homegrown database or
vendor-created database. Either of these methods are preferred to subject
matter experts sending the requests via e-mail, as the file sizes can typi-
cally exceed internal 5 to 10 megabyte limitations of the e-mail service or
the storage of the audit participants. Additionally, when others need to
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 15/52
look up the audit artifacts that have been supplied, without a central net-
work storage area, they may have been the recipient of the initial e-mail
and will have to request the information be forwarded again. This in
turn, increases the company’s storage requirements and is very
inefficient.
Gather Audit Artifacts
Once each manager has accumulated all of the artifacts assigned to him
or her for the audit, the manager needs to confirm with the audit coordi-
nator that the collection is complete. At this point, the audit coordinator
can review the contents and determine whether all of the information
has been provided. This quality assurance process increases the likeli-
hood that the information will not have to be re-requested. The auditor
coordinator looks for such discrepancies as:
Accuracy spot check—Check to determine if information supplied
matches the information requested.
Empty folders—Contents may have been placed in a different audit di-
rectory, accidently deleted, moved to another folder, or misplaced. It all
happens.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 16/52
An insufficient artifact—The audit coordinator has typically seen a sim-
ilar request across audits over time and is usually in the best position
to determine whether this artifact is complete.
Time period not valid—If the audit is from October 1, 2012, to March
31, 2013, and a standard operating procedure updated April 8, 2013, is
supplied, the new procedure would not have been effective during the
period.
Sizes too large—If the file sizes are too large, say >10 MB, then it may
be difficult if the files need to be subsequently e-mailed to the auditor.
It is best to break these directories into subdirectories prior to the
audit.
Outdated policies/procedures—A quick review of the last update date
would indicate whether this might be an old artifact.
Whereas the management and subject matter experts are responsible
to ensure that the audit artifacts are accurate and comply with the infor-
mation request, the spot checking by the audit coordinator is a value-
added step that can find problems with the information prior to presenta-
tion to the auditors. Figure 11.3 shows a data model representation of the
audit artifacts.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 17/52
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 18/52
Figure 11.3 Audit artifact data model.
Provide Information to Auditors
Once all of the information has been collected by the audit coordinator
for all of the items requested on the document request list, the audit coor-
dinator can burn an initial CD, DVD, or USB drive containing all of the in-
formation. Since much of the information will be highly confidential (net-
work diagrams, access control lists, employee listings, background checks,
logs, etc.), the information must be encrypted. Encryption programs have
substantially fallen in price in the past few years, so there is little justifi-
able reason to not protect this information. Programs such as WinZip,
SecureZip, PKZip, or programs based upon the zip format are used by
most audit firms and can be opened by their auditors. This should be ver-
ified with the auditors prior to starting the engagement, as not all encryp-
tion programs are compatible. For example, Winzip or SecureZip cannot
open a file encrypted using Pointsec software because it used as a propri-
etary nonzip internal format. However, a file encrypted by Winzip (ver-
sion 9.0 or greater) or SecureZip can be opened by either program since
the internal format used in both products is based on the zip format.
Providing multiple copies to the auditors is typically appreciated to en-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 19/52
able them to ramp up quickly while on site without having to spend time
copying sizable files across a network or wait for others to complete copy-
ing the files to their disks. Although most auditors in the profession utilize
encrypted hard disks on their PCs to store the client files, it is advisable to
confirm this with the auditors before providing them with the
information.
On-Site Arrival Phase
Auditors may schedule a pre-on-site meeting ahead of the audit to ensure
that the appropriate logistics have been taken care of. A listing of the
items typically requested by the auditors in advance is shown in Figure
11.4. The next sections discuss considerations for some of the key items
requested by the auditors that are needed during the on-site arrival. In
reality, these items are planned for in the audit planning phase, and uti-
lized within the on-site arrival phase.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 20/52
Figure 11.4 Preaudit visit logistical items.
Internet Access
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 21/52
Even though the auditors are engaged at the client site, they still have re-
sponsibilities to the home office and need to communicate with other se-
nior-level auditors and partners. They may need to share files, access e-
mail, conduct conference calls, access home office software, and so forth.
One method of providing this access is to provide internal network access
and subsequent access to the Internet. This involves setting up the audi-
tors similar to how contractors may be connected to the system—with a
user account on the network and access to the Internet. The problem with
this configuration is that the auditors are now resident on the network
and may have access to more network files than desired. Auditors should
be treated with the same security need-to-know and least-privilege princi-
ples that are applied to other users of the organization’s information
assets.
An alternative solution that serves to provide the access the auditors
need while simultaneously limiting the exposure of internal information
outside the scope of the audit is to provide network access via a wireless
broadband router. This relatively inexpensive solution provides the audi-
tors with the access required and keeps the auditors from having to be set
up on the organization’s computer network. Not only does this save time
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 22/52
in set up, but it provides a fast solution to deploy to the auditors. In other
words, the day they arrive on site, the wireless broadband router can be
plugged in and they are ready to begin work. The router also permits
sharing of the broadband connection between the auditors. It is advisable
to have one broadband router per every four auditors to ensure adequate
bandwidth when downloading and uploading large files.
Once the availability of this device is known within the company, it is
not unusual for the IT department to have more requests than there are
routers. Given the inexpensive nature of an inexpensive piece of hard-
ware (under $200 as of this writing) and the aircard monthly fees (gener-
ally $60/month or less depending upon pricing discounts and usage), it
makes sense to ensure that there are extra routers that can be shipped to
alternate audit locations to support the audit. The hidden costs of request-
ing accounts, setting up audit access, terminating accounts, requesting au-
ditor names, and so forth are greater than the one time cost of the routers
and monthly charges.
Reserve Conference Rooms
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 23/52
Depending upon the size and duration of the audit, a small or large con-
ference room may be needed. Failure to provide a room with enough
space for both the auditors and the auditees can create an environment
that increases the stress levels of both parties. The proper size conference
room for the interviews may not be known until the interview schedule
has been created. Most organizations do not have extra conference rooms
so these should be scheduled at the start of the audit. The auditors may
request that a room also be reserved for their private conversations that
are separate from the room reserved for the interviews and the other au-
ditors. This permits sidebar discussions without disturbing the rest of the
team. However, it is not unusual to see auditors with headphones on in
large conference rooms to block out the distractions of the other auditors.
If possible, locate a conference room that is away from the individuals
performing a bulk of the work that is being audited. This avoids embar-
rassing situations where someone may make a comment related to an as-
pect that is currently being audited and being overheard by the auditor.
Although the comment may be accurate, it may be taken out of context by
the auditor or substantiate an issue that the auditor was investigating.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 24/52
Staff should also be courteous to the auditors and respect the noise levels
and conversations outside the conference room.
Temperature control is always a consideration. Although it may be
tempting to smoke out or freeze up the auditors, this strategy is ill ad-
vised. While this may be obvious, keep in mind that there will be more in-
dividuals in the room at one time with the auditors and auditees and
body heat will tend to raise the temperature.
Physical Access
The degree of physical access needs to be defined in advance: What build-
ing? What times? Must the access be escorted? How long can they keep
their badges? Some auditors will be using their own experiences with the
badging process to evaluate the physical visitor, consultant, employee
and contractor security controls. If the visitor log policy indicates that an
individual is supposed to obtain a badge and sign out at the end of each
day and this function is not required of the auditors, then this may result
in an audit finding based upon the lack of control enforcement. Or, if the
policy is that the auditor must be escorted and the auditor finds that dur-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 25/52
ing the course of the audit he was free to roam the building, this could
also result in a finding.
Special auditor badges with predefined access and required to conform
to a separate auditor visitor policy is recommended. Auditors generally
work until the early evening hours or start early, so a 7 a.m. to 7 p.m. ac-
cess policy would satisfy most auditor needs. As far as escorting, auditors
are being entrusted with vast amounts of confidential information to per-
form an audit, so the risk of damage by allowing the auditors in the build-
ing without an escort is low. Auditors could be granted access badges that
permit entry the week during their audit and be required to return the
badges at the end of the fieldwork. Agreements with the auditors should
be made that they will confine their activities to the conference rooms,
restrooms, and break rooms without needing an escort, but if they need
to visit other operational areas that they must have an escort. The escort
would preferably be the audit coordinator or his or her designate.
Conference Phones
Ever been on a phone conference and someone is shuffling papers, hav-
ing a conversation on a cell phone, or hear dogs barking in the back-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 26/52
ground? We all have, and it does not help the subject matter being dis-
cussed. A good quality conference phone, such as a Polycom, should be
placed in each conference room where interviews will be held. Since in-
terviews generally involve geographically dispersed individuals or will
involve someone calling in while traveling, there will need to be a phone
for the conference. The speakerphones on office phones are not designed
to handle a room of people between 4 and 8 feet away from the phone. A
better setup is to have a conference phone with two microphones at-
tached by 3- to 4-foot cords. The acoustics of the room should also be
tested to ensure that outside, heating or air conditioning, or fan noise is
not interfering with the sound quality level.
Schedule Entrance, Exit, Status Meetings
Entrance, exit, and status meetings should be scheduled at least a week in
advance of the start of the audit, preferably 2 weeks or more, so that the
appropriate management and technical staff can make themselves avail-
able to attend. Consideration should be given to those individuals who re-
side in different time zones, with the avoidance of a pre-8 a.m. meeting in
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 27/52
any time zone if possible. Individuals should be at their best for the audit
calls and for most staff this would be during their normal workday hours.
Set Up Interviews
As with the entrance, exit, and status meetings, as many interviews as
possible should be scheduled prior to the start of the audit. The document
request list provides the procedures, reports, samples, and other evi-
dence, but does not have the element of human interaction and explana-
tion of what is written in the documents. The interview provides the audi-
tor with the opportunity to ask clarifying questions of the information
provided. This also represents an opportunity to provide an overall big
picture description of a control or management area. For example, the in-
formation security manager could provide an overview of access man-
agement or security administration and how user IDs and logins are ob-
tained; the business continuity/disaster recovery manager could explain
all of the activities involved in ensuring continuity of operations; or the
human resources manager could explain how a new hire is on boarded
into the organization with reference checks, background checks, confi-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 28/52
dentiality statements, and PeopleSoft human resource/payroll transac-
tions. Potential overview areas to be scheduled are listed in Figure 11.5.
Figure 11.5 Potential security audit interview areas.
Interviews should be scheduled for 1 to 1.5 hours each with at least 30
minutes in between each interview to permit the auditors a chance to di-
gest what they have heard and subsequently review their notes. They will
also need time to prepare for the next interview. Generally, the interviews
should be scheduled during the first week of a multi-week audit so that
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 29/52
the appropriate understanding of the environment controls and pro-
cesses are understood by the audit early on in the process. This can avoid
sample pulls of the wrong information or invalid assumptions when eval-
uating the documents provided, leading to rework for both parties. Given
these constraints, it is generally advisable to spread the interviews out
during the first week, with no more than two scheduled for a morning or
an afternoon. Afternoon or morning status meetings will also be sched-
uled during these days as well. Given that the first day is a travel day,
many auditors will request that no more than one interview be scheduled
the afternoon of the first day in addition to the entrance meeting. The sta-
tus meeting is typically not scheduled on the first day, as there is nothing
to report. The auditors also prefer this time to begin reviewing the docu-
ment request list items.
Finally, it is also useful to create a spreadsheet to map the individuals to
the date and time of the interview to ensure that there are no availability
issues. It should also be noted whether that person is required to be phys-
ically present for the interview. There is usually more interaction with a
face-to-face interview and more rapport is established with the auditor.
At a minimum the primary point of contact should be present in the in-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 30/52
terview, with the secondary individuals available by phone. The audit co-
ordinator should also be present in the interviews to monitor how the au-
dit is performing as well as to initiate the conference calls, record the at-
tendees, and continuously look for ways to improve the audit process.
Audit Execution Phase
The audit execution phase begins after the on-site arrival phase and con-
tinues until the end of the audit. Although the on-site arrival phase may
last 1 to 4 weeks, the audit execution phase may extend several weeks or
months past the on-site portion depending upon the scope of the audit.
The extended time is necessary for off-site quality reviews by the audit
firm. Even if the testing is completed during the on-site period, it may be
several months before the draft, final draft, or final report is issued.
Additional Audit Meetings
With appropriate planning in scheduling the meetings, the meetings
should flow from the entrance to the exit conference according to the
schedule. Additional meetings will have to be scheduled as the auditor re-
views the documents requested and performs tests of the audit plan. The
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 31/52
security manager is best served by letting the auditor request these addi-
tional meetings, as they are only necessary if the auditor is having diffi-
culty interpreting the information provided. In other words, volunteering
to set up meetings to walk through every document requested when the
auditor has not specifically requested the meeting only takes away from
valuable audit time the auditor has to complete the audit. The auditor
may have reviewed the information provided and decided that the evi-
dence was sufficient and therefore needed no further explanation.
Establish Auditor Communication Protocol
Messages on the Internet get from person A to person B through a stan-
dard communications protocol. Teenage text messages are sent by under-
standing an agreed upon set of communications, some that make us LOL.
To be really effective in working with the auditors to ensure that they
have the right information, at the right place, at the right time, we need to
establish an effective way of communicating. Failure to do so ends up
with the auditor saying things like “I requested that information 5 days
ago and haven’t seen it,” possibly evoking the response, “But we sent it to
your team three times already.” Who is right? At this point, it does not re-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 32/52
ally matter, what matters is that the process of communication failed. At
the end of the day, if the auditor does not receive the information re-
quested during the audit time period, he cannot validate that the docu-
mented control is in place and working.
To increase the likelihood that the aforementioned scenario does not
occur, the following activities should be agreed upon with the auditor no
later than the first day of the audit. A good time to discuss this protocol is
after the entrance meeting, between the audit coordinator and the lead
auditor and the audit team.
Track every information request from the auditor during the audit in a
spreadsheet separate from the auditor document request list.
Assign a unique number to each information request to enable
tracking.
Ensure during the audit that it is clear which information request re-
ferred to is being analyzed by referring to the tracking number.
Implement a scheme (e.g., a, b, c, 01, 02, 03) to track follow-up requests
for information already provided. This helps to keep the information
organized together.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 33/52
Require the auditors to put all requests in writing and assign a number
to ensure that it is clear what the auditor is requesting.
Determine the number of times a day the auditor would like to receive
outstanding requests. Limiting to once or twice a day unless there are
many requests increases both auditor and auditee efficiency.
Require that all incoming and outgoing requests go through the audit
coordinator so that they can be tracked.
The net effect of these items is that all information is tracked and the
status is immediately known. When the status meetings are held and the
auditor and the audit coordinator have tracked the requests, they can be
compared to see where the gaps are and reconciled. Accurate tracking by
a central person avoids the he-said-she-said discussion, as well as creating
the impression that the company is working diligently to ensure that the
auditor has the information on a timely basis. From an economic perspec-
tive, it is just better business to have to request and furnish the informa-
tion one time.
Establish Internal Company Protocol
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 34/52
Just as it is important to have a protocol established with the auditors, it
is equally important that the following protocol is followed internally:
All audit requests for additional information are sent only from the au-
dit coordinator.
All responses to requests for additional information are sent to the au-
ditor from the audit coordinator.
E-mail subject lines contain the year, audit name, tracking number,
brief description of item to permit searching for requests.
Information is placed in a directory related to the tracking number and
a reply to the request from the audit coordinator from the person pro-
viding the information indicates that the information is complete and
ready to be provided to the auditor.
A protocol is established for moving the request from “completed sta-
tus” to “sent to the auditor” by the audit coordinator.
Audit requests are expected to be fulfilled within 24 hours (exceptions
may be acceptable for items that must be retrieved from off site or
other contractors/outsourced operations).
Figure 11.6 shows the flow of information from the initial request
through fulfillment. By tracking each request in a spreadsheet and subse-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 35/52
quently maintaining a tracking number throughout the process, informa-
tion is less likely to be lost. As shown in the diagram, when the audit coor-
dinator assigns the request, it is logged in a spreadsheet with a tracking
number. The same number, in this case AC33, is used as the folder name
under the directory REQ\041313 where 041313 is date the item was re-
quested (April 13, 2013). Once the audit coordinator receives the e-mail
response from the point of contact assigned to fulfill the request in the
folder that the information is complete, he proceeds to move the folder to
the SENT\[today’s date] folder. He then provides this information to the
auditor along with other items that are complete.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 36/52
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 37/52
Figure 11.6 Information request flow.
Using this method of SENT and REQfolders (1) provides a mechanism (a
place) for the point of contact to place the items requested, and (2) pro-
vides knowledge that the information was subsequently provided to the
auditor. The folder structure also serves as an additional validation of the
tracking spreadsheet (e.g., no contents in the REQ_folder indicate the re-
quest was completed).
Media Handling
The documents provided for the auditors’ review during the course of an
audit contain confidential information that could cause harm if disclosed
outside the organization or beyond the audit firm. For this reason, all in-
formation provided to the auditors should be encrypted, preferably with
a product that is FIPS 140-2 compliant. This greatly reduces the risk that
this information will be disclosed during the useful life. Documents such
as security plans, baseline configurations, script output, and firewall
rules contain highly confidential information.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 38/52
Media may be passed to the auditors on site by burning the information
onto a CD or USB drive. In either case, it is not necessary to encrypt each
file individually, but rather each submission to the auditor could be en-
crypted by encrypting the high level folder and all subdirectories. For ex-
ample, the contents were copied to the
\SecurityAudits\2013\SENT\041910a folder, where a equals the first sub-
mission of the day to the auditors, then this folder could be encrypted and
the contents copied to a CD or USB drive.
Establishing a common password for the entire project makes the en-
cryption process much easier and also increases the probability that after
the audit files will be readable because one-time passwords may not be
well documented. The password should be communicated to the team in
a separate e-mail. The password should also be constructed as a strong
password due to the nature of the audit artifacts that are being collected.
A password comprised of at least eight characters (preferably ten), at
least one uppercase, one lowercase, one numeric, and one special charac-
ter should be sufficient. A password constructed in this way also tends to
void the use of pet names, dictionary names, birthdays, and so forth.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 39/52
It is not advisable to send the audit artifacts by e-mail, as the average
user has a plethora of e-mails on a daily basis and tracking who sent what
when and to whom becomes a challenge. As previously mentioned, the
better approach is to use the e-mail system for the audit coordinator to
distribute the requests to the points of contact, requesting that the audit
artifacts be placed in the appropriate REQ\Date\ItemTrackingNo on the
server for subsequent handling. These can be placed on the server in an
unencrypted format, as the audit coordinator will encrypt the entire con-
tents of the SENT\Date+suffix folder when the items are sent. It is also not
uncommon for the size of many of these files or file collections to exceed
the 10 MB range, which is typically a constraint imposed on the e-mails
today.
It is to the company’s advantage to provide as much information to the
auditors while on site due to these files easily fitting on 16, 32, or 64 GB
USB drives. Once the auditor has left the site, the files may have to be bro-
ken into 10 MB file sizes or less, the files encrypted, and multiple e-mails
sent to the off-site auditors. This situation can be avoided by adequate
preparation and confirmation that the auditors have received all of the
required documents during the status meetings and the site exit meeting.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 40/52
The file size may be so large (>100 MB) that it only makes sense to burn
this information to a CD or copy to a USB and send it via overnight mail.
This is not desirable, as there are still delays for the auditor in receiving
the information, plus this adds unnecessary expense in having to provide
rework. Some audit firms have secure FTP servers, and to avoid the ne-
cessity of validating the security of that environment, the audit coordina-
tor could view the FTP transmission as that of being over an open net-
work (even if it is encrypted), and subsequently still encrypt the file
folder containing the audit evidence before FTPing the file. In this man-
ner, the information is sure to meet the security requirements of the au-
dited organization.
Audit Coordinator Quality Review
The point of contacts or subject matter experts that are supplying the in-
formation are in the best position to ascertain whether they are meeting
the audit request, as they are the ones that are closest to the business
process. The audit coordinator still needs to briefly review the informa-
tion provided to the auditors as a second look to catch errors such as
those similar to those previously noted in reviewing the initial document
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 41/52
request list. Given that it may take an overnight process to extract re-
quested information, and the auditors may not review the information
provided immediately, it behooves the organization to provide the infor-
mation requested correctly the first time. The QA process works to ensure
completeness of the response.
The Interview Itself
Auditees are expected to answer questions truthfully and failure to do so
may constitute obstruction of a federal audit with U.S.-government-initi-
ated audits, or constitute a company or industry ethics violation. Audits
are intended to improve the organization’s control environment, and ly-
ing or misrepresenting the facts would serve little purpose and not lead
to making needed improvements in processes that would be identified by
the audits.
With truthfulness as the foundation for the audit, the auditee respon-
dent should only answer the questions that are asked. Providing details
outside of the request not only wastes the auditors time with fluff that
may be irrelevant to the testing the auditor is performing, but it may also
expose other areas of vulnerability that are beyond the scope of the audit.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 42/52
Some auditors are known for going on fishing expeditions, whereby they
may ask, “I have just one more question,” a line made famous by the TV
show Columbo, which originally aired in the 1970s. This line of question-
ing is primarily intended to reveal a flaw within the system by poking
around. So why would we not want to know all the areas where we have
issues? The answer is not so much that we do not want to know, but
rather we want to be on a fair playing field with our competitors. Say, for
example, that our firm is being audited for Payment Card Industry Data
Security Standard (PCIDSS) compliance by a qualified auditor or our con-
tractual requirements mandates that a Statement on Auditing Standards,
No. 70 (SAS 70, PCAOB, n.d.) be performed to get the business, we would
want to be evaluated based upon an audit program that our competitors
are being evaluated against. Therefore, it is important that individuals
that are selected for interview are able to answer the questions posed by
the auditors, but not so verbose that they start talking about unrelated
items or bring up other vulnerabilities outside of the scope of the audit.
Most people are proud of their work and want to talk about it with who-
ever will listen. An audit interview, outside of the interview sections
where overviews of the processes are provided, is not the time to explain
all the details of a process unless requested by the auditor.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 43/52
Mock interview sessions are advantageous for those individuals that
have not been involved in an audit before, as well as a refresher for those
who engaged in them infrequently. In a mock interview, an individual
can portray the auditor, asking a series of questions requesting evidence
that a control activity was performed. This can help put the interviewee
more at ease during the audit. The mock interview may also trigger addi-
tional information request ideas that were previously missed to support
the organization’s control position.
Entrance, Exit, and Status Conferences
The entrance, exit, and status conferences are scheduled throughout the
audit and provide the essential information to the various stakeholders to
keep the audit on track. The worst-case scenario is to get to the end of an
audit and have a list of findings that were not previously discussed. At
this point the opportunity is lost to provide more information that may
have cleared the issue, leading the more expensive process to tracking the
issue, reporting evidence demonstrating that the proper controls were in
place, and subsequently obtaining agreement on closure of the issue.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 44/52
Entrance Meeting
The audit entrance meeting provides the opportunity to ensure that the
organization knows the audit scope, expectations, and key dates. The en-
trance meeting is often scheduled late Monday morning to early after-
noon to allow for traveling. Auditors generally travel Sunday night to
Thursday evening or Monday morning to Friday evening to provide for
some balance since on-site auditors for Big Four accounting firms are
traveling 80% to 100% of the time depending upon the contracts.
Hopefully the audit coordinator has communicated as much as possible
to the organization prior to the arrival of the entrance meeting, because
the preparation activities as previously mentioned needed to ensure that
the documentation would be available for the entrance meeting. Some
auditors will request that the documentation request list be provided as
soon as possible, sometimes ahead of the entrance meeting, however, as
is more often the case, the auditors tend to start looking at the materials
after the entrance meeting has begun. Why? Because their time is usually
fully committed to a prior client the weeks preceding this engagement. As
a result, there is limited time to look at the files that are provided to them,
and most auditors will agree that receiving the files the day they are on
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 45/52
site will give them plenty to keep busy. In addition, this also provides
more time to ensure that the document request list has been adequately
prepared, reviewed, and QAed prior to providing to the auditors. The ex-
ception to this may be when scripts are requested to be run against infra-
structure devices, such as Unix/Windows servers, firewalls, routers, and
the output is needed for them to begin their analysis.
Senior management should be invited to the entrance meeting so that
they are aware of the scope and timeline of the audit. All managers who
have a role in providing information, attending interviews, or providing
staff should also be included. Depending upon the organization, it gener-
ally does not hurt to encourage everyone that has a key role in providing
information to the auditors to attend as well. The entrance call is sched-
uled for 30 minutes to 1 hour, however, in practice the call is normally 10
to 15 minutes as there is not much to discuss at this point. The scope has
been agreed to per prior audit engagement contracts or conversations
and should not be a surprise at this juncture. The meeting is more of a
formality to kickoff the audit project and answer any questions that need
to be clarified.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 46/52
From an organization’s point of view, the audit entrance meeting
should not be considered complete if there are still lingering questions re-
garding (1) audit scope, (2) timing of fieldwork, (3) delivery dates of the
draft and final reports (may be approximate), (4) documentation re-
quested, (5) samples that will be requested, and (6) departments that
must be involved. Failure to have an understanding of any of these items
by this point can lead to unnecessary confusion.
Exit Meeting
An audit may have multiple exit meetings depending upon the duration
of the audit. If the audit involves on-site fieldwork of several weeks, but
the audit itself takes several months to complete, the auditors may hold a
site exit meeting to reaffirm the results of their fieldwork, while schedul-
ing a formal exit conference at the end of their analysis and prior to is-
suance of the audit report. The purpose of the exit meeting is to signal ei-
ther the end of the audit activities and ensure that both the auditor and
auditee come away with the same understanding. These are usually
scheduled in late morning or midday on the final day of the audit, again
permitting auditor cleanup and travel time in the afternoon.
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 47/52
Status Meetings
Status meetings provide a more frequent opportunity for the auditor and
the auditee to ensure that there are no surprises or misunderstandings at
the exit conference. Knowing what issues the auditors are facing early in
the process provides an opportunity to provide other documentation that
may better answer the auditors’ request or permit further dialogue to
clarify the control in question. It also provides the opportunity for the au-
dit coordinator to validate that the auditor has received the information
requested and the information provided was satisfactory.
Some organizations prefer a daily status meeting; however, in practice,
if the audit coordinator is communicating on a frequent basis with the
auditor, a formal meeting every other day should be sufficient. These are
scheduled near the end of the normal workday (4 p.m. or 4:30 p.m.) for 30
minutes so that other management staff can call in. This is true even if
the auditors may be working until 6 or 7 p.m. to ensure the most atten-
dance possible. The meetings should be focused on what observations,
gaps, or findings have been noted or what documentation has been re-
quested and is still outstanding. An agenda and updated document re-
quest list should be provided by the auditor in advance of each status up-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 48/52
date meeting to ensure that the conversation is focused on the important
issues.
Report Issuance and Finding Remediation Phase
All control deficiencies should be known and communicated by the exit
conference. If for some reason testing could not be completed, there
could be additional deficiencies noted after the auditors have left the site.
If this is the case, for reasons mentioned in the media handling section,
this complicates the audit and should be avoided. Proactive inquiry of the
auditors to ensure they have all the necessary information, especially by
the start of the last week of the audit, should be done. The auditors should
be focused on completing their work papers the last week of the audit
versus performing additional testing. This usually occurs because of dis-
agreement in earlier testing or the selection of a new sample that was
deemed insufficient (e.g., population was assumed to be employees and
contractors, but only employees were provided).
At the exit conference, the auditor should provide a listing of control
deficiencies (also referred to as gaps, observations, exceptions, or find-
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 49/52
ings, depending upon the nomenclature used by the auditor). These might
end up as findings on the final report. Auditors might have to evaluate
the findings with other organizations that have been included in the
scope of the audit. For example, for a chief financial officer’s audit con-
tracted by the federal government, the audit firm may wait until it has
been to all the sites to ensure that it has been consistent in its approach
and fair to each contractor. Another reason for not receiving the findings
at the exit conference is that further peer reviews may need to be per-
formed, or the senior partners may need to review the work papers con-
taining the audit testing and evidence collected.
A draft report is subsequently issued with the findings. There should be
no surprises if the audit team and the organization have worked together.
Usually when surprises end up on the report, it is the result of (1) lack of
clear communicating in the beginning as to what conditions would create
a finding, (2) a prior issue was surfaced but not communicated that it was
a finding, (3) documentation requested were not provided, (4) misunder-
standing that an earlier agreement was or was not reached when dis-
cussing a gap, or (5) the auditor held the issue to the end to avoid con-
frontation. In my experience through many audits, number 5 does occur,
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 50/52
but usually one of the other items is the primary reason for surprises.
Surprises should be left for birthdays and holidays and not audit findings.
Once the draft report is received by the organization from the auditor,
the auditee has 5 to 10 business days to provide a response. The response
provides the auditee an opportunity to agree or disagree to the audit find-
ing and explain why. These comments are included in the reissued draft
report, which should be issued 5 to 10 days after receipt of the auditee’s
comments. If the organization agrees with the finding, it is best to also
note a corrective action plan (CAP) at this time. The corrective action plan
explains at a high level what will be done to mitigate the deficiency and
when this will be completed. The CAP will need to be submitted within 30
days after the final report is reissued with the auditee comments, so if
there is agreement, this may as well be included in the draft report. This
provides the reader who is not so familiar with the audit an early under-
standing as to what steps will be taken.
The final report issuance varies by audit firm and the contractual re-
quirements. Internal review of the draft report and work papers adds off-
site time after the fieldwork to ensure the audit report is accurate.
Sometimes this process can take months between the issuance of the
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 51/52
1.
2.
draft and the final report. Firms that are security conscious will not wait
for the final report to begin action on the issues. CAPs are typically due
within 30 days after final report issuance, and it is preferable to mitigate
the vulnerability within 90 days from the cap due date. Obviously, long
security implementations will be the exception but should not be the rule.
Ninety days should be sufficient for mitigating most vulnerabilities given
the appropriate priority. Each of the CAPs should be tracked to ensure
that the person responsible is completing the milestones and the target
date is still on track. As the CAPS are completed, the audit artifacts includ-
ing changed processes, reports, project plans, and evidence of implemen-
tation should be retained to provide to the auditor for next year’s review.
The auditor will then take these items and use them as partial evidence to
close the finding.
Suggested Reading
U.S. Government Accountability Office. February 2009. GAO Federal Information
Systems Controls Audit Manual (FISCAM).
http://www.gao.gov/special.pubs/fiscam.html
Public Company Accounting Oversight Board. Auditing standards,
http://pcaobus.org/Standards/Auditing/Pages/default.aspx
5/4/23, 4:03 PM Chapter 11 The Auditors Have Arrived, Now What? | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/022-9781466551282-011.xhtml 52/52