Digital Assets Report

12 steps to prepare for an upcoming tech and cyber audit

By Olivia Munro, Eze Castle Integration – All too often we hear from firms before an IT and cybersecurity audit asking what they can do to make the audit process go as smoothly as possible. Fortunately, there are steps you can take to ensure a stress-free audit. In this two-part blog series, we will help you create a checklist to prepare for your audit and also remediate the findings post-audit.

1 Notify internal and external partners that an audit is happening.

Your team and partners should be prepared to act quickly to remediate the findings or provide any documentation the auditors request. Ask for any updated documentation or information that would be included within the audit.

2 Understand what you have: perform a technology and asset inventory

Understanding what assets your firm has, both hardware and software, can help your firm prepare for an audit.

3 Prepare to ask your auditor for a document checklist to make sure you have everything located and prepared

Having documents in one central location can save both your auditors and your team time and stress.

4 Ensure that your firm has a log of relevant written policies or procedures

Having proper documentation of all administrative policies ahead of time and in a central location can save your team from scrambling during the audit.

5 Have a written Information Security Plan

Any firm registered with the Securities and Exchange Commission (SEC) is required to have a Written Information Security Plan. This plan can help prepare the firm for cybersecurity-related risks and regulatory requirements to the business.

6 Create a list of technical controls and safeguards currently in place

Have a good understanding of apps and services and where controls are available to better secure them.

7 Assess where gaps may be, based on a framework or better practices, and make your team aware of them

Being aware of what your IT gaps are can make the audit go more smoothly.

8 Complete a dry run or a self-assessment

Run an assessment on your own firm and remediate your own findings.

9 Make sure mitigation or remediation steps were taken on previous findings

Having a risk strategy on previous findings that were never remedied shows your auditors that you were thorough with the findings from your previous audit.

10 Schedule some tests or deliverables before the audit

Going into the audit with all your tests or deliverables scheduled for after the audit can put your firm in a negative light. Be prepared to complete some of the tests and have deliverables for action items before the audit. 

11 Be prepared to receive information that is too mature for you and your firm

You are likely to have findings that are not applicable to your firm or are considered overkill. Going into the audit with that mindset can help prepare you to hear these findings.

12 A second opinion isn’t a bad thing on some findings

Having a relationship with a partner or an IT vendor before your audit can give you a head start when your audit findings come back. You can use this partner or vendor to prioritise the findings and begin the remediation process.

In summary, do anything and everything you can to prepare for the technology and cybersecurity audit. There are always steps your firm can take to improve, so be prepared to receive findings and to get a second opinion from a trusted vendor, as not all of the findings may be necessary.

For more information or guidance before an audit, contact Eze Castle Integration for a consultation.
