A Guide to Passing an Audit
This is the first in a two-part series.
While many organizations are affected by Sarbanes-Oxley (SOX) audits, some of you have the "luxury" of only dealing with internal auditors. But regardless of which type of auditor you may be dealing with, one thing that seems to be consistent is the requirement to have processes documented. This article offers some tips for documenting processes and will hopefully provide some help in passing your next audit.
Why document processes?
Auditors want to see processes documented to:
- Make sure the process is consistent and everyone follows the same steps including requiring the appropriate approvals/sign-offs
- Provide a "test case" to verify that processes are being followed
- Make sure you understand processes important to your business
- All of the above
"All of the above" is the correct response. Documented processes are an indication to an auditor that you have analyzed and understand important business processes. Auditors will literally take a process document, sit down with one or more employees affected by the process and watch them to ensure the process is being followed.
Since documenting processes is so important, what do auditors want to see documented? The following list, depending on the type of business you're in or the auditor assigned to you, may or may not be complete, but it should provide a starting point:
- How users get access to corporate systems
- How users are removed from corporate systems, distinguishing between users who voluntarily leave the company and those who are terminated
- The development process, including testing and review procedures, how parts get promoted into production and who is allowed to promote parts
- Developers' emergency access to production systems
- The audit and monitoring process, including the specific issues monitored and the process followed should suspicious activity be detected