Posted by: Arian Eigen Heald
Admins and Auditors, Tearing My Hair Out
It often seems as if IT Security and auditors will never meet in the middle. As a person with one foot on either side of the fence, I’m often amazed at how two groups with fundamentally the same goals can’t seem to agree.
Usually, when this happens, I’m an auditor sitting with IT Security people, or I’m an IT Security person sitting with a bunch of auditors. (Yes, we’re all a little – a little? – nuts, but who wouldn’t be with everything going on right now?)
I am a member of a public accounting firm; today I was sitting with a group of IT auditors listening to the latest requirements in performing “An Understanding of IT Controls” for a financial audit. (Good thing they didn’t use any numbers; I’d have been doomed.) Fundamentally, financial auditors (not IT auditors) are not concerned about any IT systems except the IT financial systems. Those must have reasonable controls.
“Reasonable” meaning that the auditor can obtain reasonable assurance that the systems have effective controls in place. This applies to financial audits, SOX 404 audits and banking audits. No money in ’em? Not interested.
So the “tree” in the “forest” has to be a money tree. The rest of the forest doesn’t really matter. Needless to say, I can’t agree with this stance, even though it makes perfect sense to the financial auditor. I can see where they are coming from; they can’t (nor do they know how) examine every system to find inoperative controls, etc., the things IT Security people find.
But if all the other trees around it are infected, will the money tree (I’m losing control of the metaphor here) still be OK?
Now, in the auditor’s mind, they are also testing the financial documentation, so there are a lot of “compensating controls” in the paperwork. But if the CFO is editing the database, the paperwork can look pretty good.
Of course, this all sounds rather black and white because there are times when IT Controls can report a “material weakness” if a number of IT controls are not in place, not effective, etc. But it is a financial auditor that makes that decision, and if it is outside the money tree, they tend to think that it is unimportant.
So how do we reconcile just looking at a few trees? Stay tuned.