IT Audit Rule #1: An Audit Is An Arms-Length Process (e.g. a system cannot audit itself)
IT Audit Rule #2: IT Audits Don’t Prevent Loss
IT Audit Rule #3: Compliance Is Not a By-Product Of An Audit
This statement should be pretty obvious from the discussion of Rule #2, but as a refresher: an audit is a measurement and verification tool. In the compliance case, it measures whether an activity or a state complies with whatever standard you have chosen to be compliant with. But an audit doesn’t make compliance happen.
A while back there was an interesting debate between Mark Macauley and Ian Glazer about Compliance and whether it could be delivered as a service (CaaS). At the end of Mark’s final response on the topic he uses these words – rather intentionally I suspect: “Compliance is 100% cost at the end of the day, and companies who have figured out that it is in their best interest to automate every process to be compliant, and automate the measuring of that process……….”
Let me take the liberty of making a taxonomy out of that:
- “automate every process to be compliant” = automation which channels behavior in acceptable ways (e.g. user provisioning that only grants what the standard permits).
- “automate the measuring of that process” = automation of an audit (checking the resulting state against the standard).
Audits can measure compliance, but not make it happen, except in the limit, where audit findings prompt better mechanisms to channel behavior in compliant ways. Again, this point is probably an obvious one, but I continue to be surprised every time I have a discussion with someone about how to get an audit tool so they can “be compliant”.
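To make the two halves of that taxonomy concrete, here is an added example (it is not from the original post, nor from Mark’s or Ian’s work): an access audit that only measures drift against an approved entitlement list, beside the remediation step that actually changes state. The approved list, the current-state snapshot and the user names are constructed for illustration. Running the audit any number of times leaves the system exactly as it was; only the separate provisioning step drives the findings to zero.

```python
"""Added example (not from the original post): audit measures, provisioning enforces.

The approved entitlement list (the standard we chose to comply with), the
current-state snapshot and the user names below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample data: who should hold which entitlements ...
APPROVED = {
    "alice": {"payroll:read"},
    "bob": {"payroll:read", "payroll:approve"},
}
# ... and what the system currently grants.
CURRENT = {
    "alice": {"payroll:read", "payroll:approve"},  # excess entitlement
    "bob": {"payroll:read"},                        # missing entitlement
    "mallory": {"payroll:read"},                    # account not in the standard
}


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    kind: str  # "excess" (held but not approved) or "missing" (approved but not held)


def audit(approved, current):
    """Measure: compare the current state to the standard and return findings.

    Neither input is mutated. An audit verifies; it does not remediate, so
    running it twice yields the same findings twice.
    """
    findings = []
    for user in sorted(set(approved) | set(current)):
        want = approved.get(user, set())
        have = current.get(user, set())
        findings += [Finding(user, e, "excess") for e in sorted(have - want)]
        findings += [Finding(user, e, "missing") for e in sorted(want - have)]
    return findings


def apply_findings(current, findings):
    """Enforce: the provisioning automation that channels state into compliance.

    This is the step an audit never performs. Excess entitlements are revoked,
    missing ones granted, and an account left with no entitlements is
    deprovisioned. Returns a new state; the input snapshot is left untouched.
    """
    state = {user: set(ents) for user, ents in current.items()}
    for f in findings:
        if f.kind == "excess":
            state.get(f.user, set()).discard(f.entitlement)
        else:
            state.setdefault(f.user, set()).add(f.entitlement)
    return {user: ents for user, ents in state.items() if ents}


if __name__ == "__main__":
    first = audit(APPROVED, CURRENT)
    for f in first:
        print(f"{f.kind:8} {f.user:8} {f.entitlement}")
    # A second audit changes nothing: same findings, same state.
    assert audit(APPROVED, CURRENT) == first
    fixed = apply_findings(CURRENT, first)
    print("findings after provisioning:", len(audit(APPROVED, fixed)))
```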