There are a lot of myths floating around out there. Things that we believe to be true because people tell us they are. But are they actually true in reality?
Let’s take the example of the famous snack cake, the Twinkie. The durability and longevity of the delicious cream-filled cake has led to the myth that Twinkies have a shelf life of up to 100 years. Yes, it might be true that a science teacher from Maine kept one on top of his chalkboard for 30 years and it still looked like those on the grocery store shelves. Yet the reality is that the shelf-life of the Twinkie is more like 45 days for it to taste as great as the day it was made.
When it comes to a compliance audit – whether it is internal or external – we all hear myths about how streamlined and easy they can be. Most IT organizations would agree that audits are almost always tedious and stressful for everyone involved. Many technology vendors and consultants claim to make all that pressure go away with their solution.
But, can it be a reality?
Well, I believe that it can be a reality if you make the necessary changes to your governance, risk and compliance strategy – and build compliance into IT operations. IT has historically tried to resolve all challenges and deliver services by adjusting its operational processes, but it has forgotten to plan for an audit situation.
Building compliance into IT operations can be difficult, but it is possible. Here are three key things to keep in mind as you take on this challenge:
1. People-centric strategy – In the past, IT has been centered around infrastructure and applications. But times have changed, and IT finds itself responsible for much more. You must prove that the workforce is compliant, not just the devices they work on. Workers are now mobile and unpredictable, and they pose a big compliance risk. Make sure IT is people-centric because most audits are around people. Implement dynamic and context-aware controls to manage compliance – no matter when, where, or how people are working.
2. Centralized policies – For IT, a policy is really just a rule that helps them achieve compliance. To pass an audit, IT knows that they must have policies in place to meet the expected mandates. But remember that even before you start making policies, you need to address the real challenge of having a way to show auditors evidence that you have those policies in place. Plan to maintain your policies in a centralized, well-managed repository as part of your compliance strategy to ease the audit process.
3. Automation – You can have all the best policies and have them in a centralized location, but still fail an audit because those policies aren’t being enforced. Relying on manual processes for policy enforcement just doesn’t work because it is prone to human error and easily forgotten when other priorities arise. The best way to ensure enforcement is through automated controls. Automation brings confidence that your rules are being applied and provides you with credible documentation for auditors. Just be sure that your automation solution is dynamic and flexible enough to adjust as policies and the context of people change.
You may be saying to yourself, “There will never be anything awesome about an audit.” Well, I can’t argue with you there. However, I believe that you can absolutely take measures today to set yourself up for a future filled with audits that have an awesome outcome.
Best of luck with your next audit – I hope the dream of an awesome audit becomes a reality!