As a user entity, vendor, or hosting provider of a software application, you want or need to be able to present an assurance report to stakeholders. Reaching compliance with the criteria can be a long and difficult journey, and it may be somewhat overwhelming for information security staff. This can result in exceptions being found on the day of the final audit. A pre-audit or interim audit can prevent this from happening.
Benefits of a pre-audit
Below we summarize 6 benefits of a pre-audit.
Increase knowledge of the criteria
The risk addressed by a criterion and its objective can sometimes be unclear, which makes the criterion seem complicated. Some criteria are very broad and cover, for instance, all elements of access security or change management, while other criteria are split up into a larger number of (sub)criteria and are therefore very specific. An experienced IT auditor knows the criteria well, can explain them during the pre-audit, and can specify what is expected for each criterion.
Confidence and commitment among employees
The criteria affect not only security personnel, but also various departments such as HRM, management, and development. In these departments, controls have been implemented that are carried out and managed by the employees, so logically an IT auditor would want to interview them. These employees may not be familiar with the criteria and may never have been interviewed for the purpose of an audit. They benefit greatly from a pre-audit because it clarifies what is expected of them during the final audit. This is how you instill confidence and commitment.
Create and improve documentation
Especially in less mature organizations, we often notice that controls have been implemented (sometimes even unknowingly) but are not documented. Sometimes procedures, policies, or work instructions are not specific enough or are too informal. Often controls have grown organically, so the how, who, what and why of a control are not documented in the procedures that are in place. During a pre-audit you find this out in time, so you still have time to adjust or create documentation.
How does an auditor know that the documentation presented to them is valid and commonly known in the organization? A procedure in a Word file with no formal appearance that is presented as evidence during an audit raises exactly these questions. During a pre-audit, you can find out which documents are not yet formal enough. You can formalize your documents by, for example, converting them to PDF/A format, having the data owner and process owner approve the documentation, and publishing the documentation on an intranet or DMS.
Actions can still be performed
Some controls require that a certain action is performed on a regular basis, such as a check on hard disk encryption or a semi-annual check and review of authorizations in the systems. When an IT auditor tests the design and implementation of controls against the description of the controls and the previously performed control activities, this sometimes results in points of advice. The next action can then be carried out in an improved way and still fall within the audit period, because it takes place just before the final audit.
Evidence can be completed and cleaned up
The preparation for the pre-audit should be done in the same way as for the final audit. This means that the auditee must prepare an audit file and present it to the IT auditor. If evidence is missing, incorrect, or incomplete, the files can still be completed or corrected before the final audit. Irrelevant documents can be cleaned up. This way you do not have to search for documents under time pressure after the final audit.
Want to know more about our approach to IT audits? Ask one of our IT auditors.