Only as Good as Your Auditor

I wrote Only as Good as Your Auditor for SQLServerCentral because it's something I've explained to people over and over again. For most of us in IT, audits are something we tolerate and try to get done as quickly as we can, a test to pass, and because of that we don't get to see the bigger picture of whether the audit is actually finding and fixing things that make us more secure.

Does that bigger picture matter? I'll argue it does. Part of it is understanding why the process is sometimes clunky and repetitive, but it's also the chance to see the auditor as an expert instead of an inquisitor. All too often we deal with auditors much as if we were testifying in court – answer the question directly and don't volunteer information. That's fine for passing the test, but what if instead we were asking questions like "we do it this way now, but do you think doing X instead would be considered compliant?" or "are there things we're doing that seem better or worse than what you see at other clients?"

You can even go one step further and train the auditor. Notice that they don't ask about linked server permissions, backing up certificates, or something else relevant to the audit? Mention it. Maybe they already know; maybe it's a learning opportunity that will help them help another client avoid a breach.
