ESN 85681-071118-773949-56


Document Name: The Monkey Says: Play It Cool During An Audit
Document Description: "I understand" or "I see".
2. Maintain good eye contact and a confident business posture during the interview. Staring off into space, avoiding an auditor's gaze or unprofessional behavior may be interpreted as disinterest or dishonesty.
3. After you are asked a question, restate the auditor's points and/or questions briefly, but accurately. Act like a mirror. Encourage the auditor to expand upon their points/questions. Occasionally make summary responses to display understanding of the discussion. For example: "The audit will encompass only SQL servers", or "The key control in this audit is user permissions." While making these summary statements, keep your tone neutral and try not to lead the auditor to incorrect assumptions or conclusions about the information shared.
4. Allow uninterrupted time for the discussion and try to separate the conversation from more official/strategic communication of company plans. Do not make the conversation any more "authoritative" than it already is by virtue of your position in the organization. For example, the first answer below would be adequate. The second answer is much too verbose: "Correct, our human resources system does not require the user to change their password at a specified interval because we have other mitigating controls in place." vs. "Correct, our human resources system is just like any other financial system here; they do not require the user to change their password at a specified interval, nor does the company have plans to require them to."
5. Answers to auditors should be clear, complete and based on facts, not speculation or your opinion. Do not be afraid to take a firm stance if the auditor draws an inaccurate conclusion from the material provided. Do not be afraid to sell the auditor on your response by indicating the value of the action/control you are describing. Here are some examples: "That is not correct. All of our production Cisco routers have encrypted 'enable' passwords to protect their integrity. The routers in our testing laboratory are out-of-band and are not required to have encrypted 'enable' passwords and should not be considered 'in scope' for this audit." or "We have had an active change management system in use for two years that records the date, the nature of the change, the environment and other key fields. During the audit period we expanded the feature set of the system and added authorization and approval fields, which we believe increases the effectiveness of this control."
6. When the auditor touches on a data point that you don't clearly understand, ask for immediate clarification by repeating his data point as a question. For example: "The corporation requires that we meet all of these control objectives during the specified audit period?" With this feedback the auditor will want to expand on his previous statement, which will increase joint understanding of the data point and show the auditor that you are paying close attention.
7. Come prepared. The external auditor, internal auditor or data security official will send you a meeting request with a list of questions or bullet points to be covered. Come to the meeting prepared with documentation that supports your compliance with the control objectives or shows progress in mitigating already identified issues. Documentation could include policies & procedures, change managem
Author: SecurityMonkey
Publisher: ITT
Licensee Name: ITT
Reference URL: http://blogs.ittoolbox.com/security/investigator/archives/the-monkey-says-play-it-cool-during-an-audit-20609
Copyright: All Rights Reserved
Registration Date: 11/19/2007 12:38:38 AM UTC
Views: 3130
NUMLY.COM