
Audit your organization year-round for best results, experts say

By Marcia Savage, Features Editor, Information Security magazine
27 Jun 2007 | SearchSecurity.com


Enterprise security managers and others who work with auditors would do well to take a page out of the National Football League's playbook, a CISO advised attendees at the Burton Group Catalyst Conference.

The NFL season ends in February, but when April hits, there's the draft and then minicamps that prepare everyone for the next season, David Drossman, CISO at Investment Technology Group (ITG), a brokerage and technology firm, said in a presentation Wednesday. In contrast, enterprise managers often kick back when the audit season ends and take the next four months off from audit work, he said. Then when auditors come in, they're scrambling.

"What if we changed a bit and follow the NFL example?" asked Drossman, who oversees Sarbanes-Oxley, security and other audits at New York-based ITG. "Let's say it's March 15 and the audits are fresh in your mind…It's at this time you should be looking forward."

Organizations should use the time to address auditors' findings, and perhaps in April sit down with the auditors themselves to talk about process changes, Drossman said. Work closely with auditors, make sure they understand the objective behind a control and document everything.

"Remember, there's nothing wrong with findings," he said, noting that junior auditors often seem to delight in finding audit problems. "Just make sure you get on top of them and fix them."

He also advised attendees to understand the law and any new regulations that affect their organizations, create a central point of contact for all audit-related issues, and remember that audits, like security, are an ongoing process and not a project.

Doing this work shouldn't take more than a few hours a week but will pay big dividends, Drossman said: "The more time you spend in the off season…you'll set yourself up for a more successful and clean audit."

His message resonated well with Christian Catalano, an operational risk consultant at Wells Fargo, who said his team is very proactive on the audit front.

"We're doing a lot of the same things …This was kind of reassurance for me," he said.


