04. Audit Management Fundamentals

ND545 C4 L5 04 Audit Management Fundamentals Video

GRC professionals typically have two responsibilities related to audits: they need to both facilitate and control the audit. It’s a fine line. On one hand, GRC professionals bear the responsibility of ethically providing relevant and factual information to assessors so that they may fairly assess the organization’s security posture. On the other hand, they need to control the level of information and access that assessors gain so as to keep the audit focused and on track. Otherwise, assessors may keep following up on the areas where they have the most expertise rather than the areas that are actually in scope.

Whether facilitating or controlling an audit, the goal is to provide the assessor with the “best accurate answer”: the best answer the GRC professional can give that keeps the audit moving and paints the organization in a good light, while being fully truthful and addressing the question that was actually asked.

Facilitating an audit and controlling it are separate skills. To facilitate the audit, you must be able to perform a number of project-management tasks, including:

  • Fully understand the scope of the assessment
  • Stay engaged throughout the assessment and ask questions if you’re unsure what the assessor is looking for
  • Assist the assessor in gaining access to the right stakeholders
  • Provide evidence that effectively answers the assessment questions

Perhaps the best way to approach both facilitating and controlling an audit is to make a checklist so that you can establish a repeatable process within the organization and with assessors. This way, you can learn from each assessment and adjust your checklist as necessary to capture new tasks that you want to include in every audit.