How do you audit if there are no documented risks/controls?

Navigating Audits in the Absence of Documented Risks and Controls

Embarking on the audit of an IT process without clearly documented risks or controls might seem like a daunting task. I recently encountered this very challenge when planning to audit Shadow IT within our department. This issue has surfaced previously, highlighting potential gaps in control. To address this, I proposed leveraging ISACA’s Shadow IT Audit program as a foundational guide. My plan included discussions with key stakeholders to determine if the generic controls listed were applicable or needed refinement. In instances where specific controls were absent, I aimed to explore how these gaps align with our overarching control objectives.

The Information Security team expressed apprehension about proceeding under these circumstances. Their concern was rooted in the perception that an audit would be unjust, given the lack of defined policies or a recognized framework, such as NIST or CIS, to anchor the assessment. Although our organization maintains a risk register acknowledging “Shadow IT,” detailed risks linked to particular controls are not readily available.

This scenario is not uncommon across many IT process areas. Controls might exist informally, yet remain undocumented. The dilemma I face is how to conduct an audit on processes that are still evolving. Holding IT accountable to a standard or set of controls that they have not professed adherence to feels inequitable. Without documented controls or a declared alignment with industry standards, pinpointing precise control objectives to audit becomes challenging.

While I’m open to offering advisory support to help establish documented controls, this approach blurs the lines of audit independence. Such an advisory role does not align with the traditional expectation of delivering audit reports, which are highly valued by management and the audit committee.

In navigating this complex landscape, one potential solution is to engage in constructive dialogue with both the InfoSec team and upper management. By fostering a collaborative environment focused on improvement rather than fault-finding, we can collectively establish a more defined framework that supports future audits. Creating a foundation of documented controls, even rudimentary ones, may serve as an initial step toward developing a robust auditing process that respects the current maturity level of IT processes while guiding incremental improvements.

One response

  1. Auditing in the absence of documented risks and controls can indeed be challenging, but it also presents a strategic opportunity to enhance organizational governance and security posture. Here are some steps and insights that could help you navigate this scenario:

    1. Understand the Environment: Start by gathering comprehensive information about the organization’s IT landscape, focusing on the business processes, associated IT systems, and any known instances of shadow IT. Conduct interviews, workshops, or surveys with key stakeholders and IT personnel to uncover undocumented practices and understand their perspectives on the potential risks and controls.

    2. Educate and Align: Communicate the importance of auditing and the potential benefits it brings, such as identifying security gaps and improving efficiency. Align with the InfoSec department by clarifying that the goal is not to penalize but to protect the organization by enhancing oversight and risk management.

    3. Leverage Industry Standards Flexibly: Even without a specific framework, you can refer to general best practices from established guidelines (such as NIST, CIS, or ISACA’s Shadow IT Audit program) as a flexible blueprint. Use these standards to form a reasoned basis for what generally constitutes sound controls, engaging with department heads on how they can tailor these recommendations to fit their context.

    4. Assess through Interviews and Observations: When specific documented controls are absent, focus on processes and practitioner insights. Conduct interviews and direct observations to understand how employees are currently managing operations and potential risks. This can reveal implicit controls and help you assess their effectiveness.

    5. Gap Analysis: Perform a gap analysis to compare current practices against potential risks and industry benchmarks. This process can help identify areas of improvement, even in the absence of formally documented controls, and guide future policy development.

    6. Collaborative Development: While maintaining your audit independence, you can facilitate workshops where business units develop and document controls, treating this as a preparatory step rather than active advisory work. By catalyzing this documentation process, you set the stage for more structured audits in the future.

    7. Advisory with Boundaries: Should you play an advisory role, ensure clear communication about your boundaries to safeguard auditor independence. Offering strategic recommendations based on your findings, without directly drafting or implementing controls, aligns with an advisory capacity.

    8. Document and Communicate Findings: Prepare a report summarizing your assessments, highlighting areas where controls are lacking and suggesting applicable frameworks for consideration. Include any noted risks and stress the importance of