Before your IT audit commences, it might be helpful to meet with the auditors and request a list of all the controls they'll be testing. Not only will this give you an indication of their hot spots, it lets them know you're interested in ensuring a successful audit.
Ultimately, auditors are trying to identify controls implemented by management to limit risk. After a control is identified, its efficacy is tested. The auditor's job is to provide an independent opinion on the state of controls, and, more importantly, any risks.
In my experience, though, IT and management don't think in terms of controls. This is a problem because if you can't articulate your IT controls to an auditor, you're leaving yourself open to the auditor more or less deciding for you what your controls should be. However, if you can point to a written information security policy and then demonstrate the procedures and configuration steps by which you comply with that policy, you inspire confidence and retain more influence during the audit because the auditor must first assess controls that are in place. . . .
Register
