Year-round security audits get best results, experts say

Compliance officers can save themselves a lot of grief by following a schedule that mirrors the US National Football League

Enterprise security managers and others who work with auditors would do well to take a page out of the National Football League's playbook, a CISO advised attendees at the Burton Group Catalyst Conference.

The NFL season ends in February, but when April hits, there's the draft and then minicamps that prepare everyone for the next season, David Drossman, CISO at Investment Technology Group (ITG), a brokerage and technology firm, said in a presentation. In contrast, enterprise managers often kick back when the audit season ends and take the next four months off from audit work, he said. Then, when the auditors come in, they're scrambling.

"What if we changed a bit and followed the NFL example?" asked Drossman, who oversees Sarbanes-Oxley, security and other audits at New York-based ITG. "Let's say it's March 15 and the audits are fresh in your mind… It's at this time you should be looking forward."

Organizations should use the time to address auditors' findings, and perhaps in April sit down with the auditors themselves to talk about process changes, Drossman said. Work closely with auditors, make sure they understand the objective behind a control and document everything.

"Remember, there's nothing wrong with findings," he said, noting that junior auditors often seem to delight in finding audit problems. "Just make sure you get on top of them and fix them."

He also advised attendees to understand the law and any new regulations that affect their organizations, create a central point of contact for all audit-related issues, and remember that audits, like security, are an ongoing process and not a project.

Doing this work shouldn't take more than a few hours a week but will pay big dividends, Drossman said: "The more time you spend in the off season… you'll set yourself up for a more successful and clean audit."

His message resonated well with Christian Catalano, an operational risk consultant at Wells Fargo, who said his team is very proactive on the audit front.

"We're doing a lot of the same things… This was kind of reassurance for me," he said.