Auditors, regulations & the mainframe
Many moons ago, in a time when my hair still had its original color, I was asked to present at a university for a group of students. It was a group of future auditors, and a good part of their study was called EDP Auditing. The professor asked people from the field to share their experience with them so they would be prepared for the real world once they graduated.
Later in my career, I met a few of them, and almost all remembered the three hours I spent with them, because it helped them to understand “the way IT people work and think”. Apparently, we do think differently from most auditors….
These days, I am told, students are no longer taught real EDP Auditing, let alone meet anybody with experience in IT during their student life. Especially in a time where every business confronted with all the laws and regulations around compliance also happens to rely heavily on IT, this is a real shame. Basel II (with III coming up), HIPAA, PCI, SOX and many others have a major impact on anything IT. All of them have components that need to be translated into IT policies, and all of them have a risk management component that also impacts the way we run our IT.
Who translates the different requirements into IT policies, and who explains to us what the impact of some of the risk management components is? What type of reporting are we expected to produce, and what type of checks do we have to build into our systems? Especially on the mainframe, we are asked to work efficiently, and with a minimized staff we have somehow managed to do so. We simply cannot afford an auditor walking in with 50 questions that we are not prepared for. I recently spoke to an internal auditor who told me that simply translating the requirements from SOX into IT policies would take the auditors 6 months. He never told me how many auditors were working on it, but it was more than one.
The next project would be to enter those policies into their IT systems, and he had no idea how long that would take. After this, they would have to implement the controls, alerts and reporting: to make sure all the settings worked, to detect whether there were violations, and to produce all the reporting required by external auditors to check that everything was really implemented.
There is no way this can be done by existing staff alone without the use of proper tools: easy-to-use, integrated tools that allow you to set policies, check them automatically and offer the reporting you need to reduce the burden of an audit. Check out how we do it, but also do yourself a favor: have a business lunch with one of the auditors and ask him/her how you can help. It will not only open up a whole new world for you (they may actually have budget for solutions that will help you), but the next audit may actually be a lot less stressful.