Building Relationships - Internal Audit Team

11/17/2009 | Adam Cardinal

This series of blogs is intended to give Information Security professionals some ideas on building quality relationships within their enterprise. If you are following these steps – good for you! You’re well on your way to building a good professional working relationship. If not, take this as an opportunity to think about what small steps you can take – today or this week – to build those relationships. Only you can make your job more rewarding and improve your chances to positively impact the organization.

It should come as a surprise to no one that being a successful Information Security professional depends entirely on the ability to build relationships and influence behavior. Shifting the profession from a tactical to a strategic position is essential to raising the profile of security professionals in the enterprise.

I’m not foolish enough to think that we’ll ever stop being tactical professionals – far from it. I actually love the crisis management aspects. But I am cognizant that as I assist the business to make informed decisions before a project goes live, I will see a reduction in the number of incidents I manage. I also know that I will be brought to the table more frequently if my business partners think I need to be there – and if they actually want me there!

Information Security and Internal Audit have a strong alliance in many organizations. For Information Security, the Internal Audit team is often the last line of defense with a management team that can’t understand, or fails to appreciate, the impact of the risks it is taking by allowing vulnerabilities to exist without proper mitigation. Internal Audit turns to Information Security first for significant portions of its IT audit work. Getting quality samples promptly helps ensure that audits are accurate and completed on schedule. Identifying opportunities to work together can bring significant value to both groups of stakeholders.

  1. Track open items – Auditors are measured not just on the audit items they identify, but on their ability to work with the business to close them. Work with your audit team to understand which audit items are outstanding, the owner assigned to address each one, and the date by which a written response and remediation plan are due.
  2. Ensure assigned roles make sense – Auditors don’t want items assigned to the wrong person any more than you do. Help them save time and avoid pushback by participating in post-audit review sessions, not only to confirm the validity of audit findings, but to ensure that each finding is assigned to the group that has both the ability and the authority to make changes or implement compensating controls.
  3. Validate mitigation plans – In some cases, the Info Sec team has key insight into whether the business or systems team’s mitigation plan is achievable. Give clear feedback to audit and to the business/systems teams if you have reason to believe the mitigation plan won’t work. I worked on an instance where the business told audit they’d remove access to a high-risk function for 90% of the staff that had it; however, neither audit nor the business realized that the function was required for an essential process step. The proper response would have been to fund a systems change to separate the sensitive function from the one most staff needed. Instead, the business requested that the function be removed – the business team was brought to a halt, so the function was added back. When audit returned to examine the results of the remediation, they saw that nothing had been done and opened a high-priority audit item. It also meant that more than six months went by with the vulnerability in place, when it could have been closed far sooner if the proper mitigation action had been identified and planned for.
  4. Provide input to audit strategy – Most Internal Audit teams welcome input into their audit planning to reduce redundancy and overlap. Giving audit teams the opportunity to separate audits of systems shared by multiple groups from audits of the groups themselves reduces redundancy and re-work. No one wants to re-audit the general ledger system each time the accounting, accounts payable, accounts receivable and order entry teams are audited.
  5. Review major changes – Sit down with the audit team and brief them on the major projects you’ve worked on in the past year. New systems, new functionality modules, business processes, external connections and strategic partnerships could all be in scope. Ideally, the business team has already briefed them – but if not, you are providing useful focus on areas of change. This is also an opportunity to verify that every step the business and systems teams certified as complete was actually done, and done correctly.

It helps to notify your management team when your relationship with Internal Audit yields benefits for your team. Part of your job is building and investing in these relationships, and it’s important to give credit where credit is due when those partnerships make you a more effective security professional.
