Enterprise security managers and others who work with
auditors would do well to take a page out of the National
Football League's playbook, a CISO advised attendees at the Burton
Group Catalyst Conference.
The NFL season ends in February, but when April hits, there's
the draft and then minicamps that prepare everyone for the next
season, David Drossman, CISO at Investment Technology Group (ITG),
a brokerage and technology firm, said in a presentation. In
contrast, enterprise managers often kick back when the audit season
ends and take the next four months off from audit work, he said.
Then, when the auditors come in, they're scrambling.
"What if we changed a bit and followed the NFL example?" asked
Drossman, who oversees
Sarbanes-Oxley, security and other audits at New York-based
ITG. "Let's say it's March 15 and the audits are fresh in your
mind… It's at this time you should be looking forward."
Organizations should use the time to address auditors' findings,
and perhaps in April sit down with the auditors themselves to talk
about process changes, Drossman said. Work closely with auditors,
make sure they understand the objective behind a control and
document everything.
"Remember, there's nothing wrong with findings," he said, noting
that junior auditors often seem to delight in finding audit
problems. "Just make sure you get on top of them and fix them."
He also advised attendees to understand the law and any new
regulations that affect their organizations, create a central point
of contact for all audit-related issues, and remember that audits,
like security, are an ongoing process and not a project.
Doing this work shouldn't take more than a few hours a week but
will pay big dividends, Drossman said: "The more time you spend in
the off season…you'll set yourself up for a more successful and
clean audit."
His message resonated well with Christian Catalano, an
operational risk consultant at Wells Fargo, who said his team is
very proactive on the audit front.
"We're doing a lot of the same things… This was kind of
reassurance for me," he said.