Friday, March 21

Audits don’t prevent loss?

Dave Rowe, who has a fairly extensive background in both audit and IT, reminds us:
Audit’s intent is to verify the accuracy of something; typically by checking a sample of outcomes but also by making sure that critical controls are functioning.
He's making the important point that audit should not be confused with the security controls that are designed to enforce policy. Audit is there to prove policy effectiveness. Good point, Dave. Sometimes we forget the basics amidst all the marketing collateral and news articles about security, risk, compliance, and audit. Sometimes it all just feels a bit jumbled.

He then makes a simple but powerful point about the strength of automating IT audit:
Instead of sampling a few transactions and seeing if the outcome was right, you can audit every transaction to see if the outcome was right.
Yes. And that's exactly the type of technology that saved Obama's passport information. Truly effective IT audit doesn't just check that policy and controls are in place; it monitors the effectiveness of policy and controls on an ongoing basis.
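As an added illustration (not code from Dave's post or from this one), here is the contrast between a sampled review and an every-transaction review run over a constructed access log; the record identifiers, users, case numbers and the "every read must cite an open case" policy are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass(frozen=True)
class AccessEvent:
    """One read of a sensitive record, as an access-logging system would emit it."""
    user: str
    record_id: str
    case_id: Optional[str]  # work item that justifies the lookup, if any

# Constructed access log for illustration; users, records and cases are fictional.
EVENTS = [
    AccessEvent("clerk01", "REC-1001", "CASE-55"),
    AccessEvent("clerk02", "REC-1002", "CASE-56"),
    AccessEvent("clerk01", "REC-1003", "CASE-57"),
    AccessEvent("clerk03", "REC-1004", "CASE-58"),
    AccessEvent("clerk02", "REC-1005", "CASE-59"),
    AccessEvent("clerk03", "REC-1006", "CASE-60"),
    AccessEvent("clerk01", "REC-1007", "CASE-61"),
    AccessEvent("clerk04", "REC-9999", None),       # lookup with no case at all
    AccessEvent("clerk02", "REC-1008", "CASE-62"),
    AccessEvent("clerk03", "REC-1009", "CASE-12"),  # cites a case that is no longer open
    AccessEvent("clerk01", "REC-1010", "CASE-64"),
    AccessEvent("clerk04", "REC-1011", "CASE-65"),
]

# Assumed policy for the example: every read must cite a currently open case.
OPEN_CASES: Set[str] = {f"CASE-{n}" for n in range(55, 66)}

def policy_violation(event: AccessEvent, open_cases: Set[str]) -> bool:
    """True when the read is not backed by an open case (the control failed)."""
    return event.case_id is None or event.case_id not in open_cases

def sampled_audit(events: List[AccessEvent], open_cases: Set[str],
                  every_nth: int = 4) -> List[AccessEvent]:
    """Traditional review: inspect every n-th transaction and report what that sample shows."""
    sample = events[::every_nth]
    return [e for e in sample if policy_violation(e, open_cases)]

def continuous_audit(events: List[AccessEvent], open_cases: Set[str]) -> List[AccessEvent]:
    """Automated review: evaluate the control against every transaction."""
    return [e for e in events if policy_violation(e, open_cases)]

if __name__ == "__main__":
    print("sampled review found:", [e.record_id for e in sampled_audit(EVENTS, OPEN_CASES)])
    print("full review found:   ", [e.record_id for e in continuous_audit(EVENTS, OPEN_CASES)])
```

With a 1-in-4 sample the two unjustified reads fall between the sampled transactions and the review reports a clean result; checking the whole population surfaces both.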

