Friday, August 1, 2014

Continual IT Audits

Information audits are inconvenient, unpleasant and rarely fun. They are a headache because, when audit season comes around, they take resources away from several departments for extended periods while the staff managing and leading them must also continue their other daily roles. Unfortunately, there is no getting around an audit, whether internal or external.

Several major compliance regulations in the United States, including the Health Insurance Portability and Accountability Act (HIPAA), the Control Objectives for Information and Related Technology (COBIT) and the Sarbanes-Oxley Act (SOX), require businesses to ensure certain standards within their organizations, including protection of data and full disclosure. Organizations that do not comply face significant fines and potential punishment.

Since audits are mandatory, organizations need to find ways to make dealing with them simpler. This is why organizational leaders should focus on conducting continual audits or implementing solutions that help them stay in line with their audit needs throughout the year. This allows them to perform the work for audits along the way instead of having to do it all at once.

Instead of an annual audit check followed by an extensive clean-up operation, several leading organizations are implementing solutions that allow them to exercise constant control over the identities in their networks, their lifecycles and their authorizations.

Continual Audits

To achieve continual audits, some organizations have utilized identity and access management solutions. An automated account management solution with role-based access control (RBAC) allows a manager to oversee and document exactly who has access to what, and any changes they are making. With RBAC in place, managers can easily see an overview of access and correct any issues that arise. This also makes it extremely easy to provide a list of employees who have access to critical data when it comes to audit time.

These same automated account management solutions allow other tasks to be continually documented for audits in an organized manner. The system automatically logs which employee performs a particular management activity, as well as the time it occurred. Management reporting can be generated in a wide variety of formats, meaning the organization always has insight into the processes involved and whether they are in compliance with regulations.

Case In Point

The Salvation Army had relied on an inefficient paper system prior to its automated solution. The paper system was almost impossible to audit. The automated account management solution has completely resolved this issue and the organization can now easily meet requirements.

According to the Salvation Army’s Christian Cundall, head of messaging services, the organization needed to introduce a solution for user management and auditing for simple reasons. “We were experiencing 1,000 calls a month to our helpdesk for user account-related changes. Any change requests needed to be confirmed via fax, resulting in a large paper trail, which was impossible to audit. The faxes often contained errors and omissions, adding to the workload placed on our helpdesk; 90 percent of the work needed to be duplicated.”

“We were impressed by the ability to force users to comply with our naming conventions, and provide a full log on all actions for auditing purposes,” said Cundall.

