A recent survey of auditors and examiners asked:
During the past year, in which category would you say MOST of your IT audit/exam findings occurred?
The choices were:
- Lacking or Insufficient Policies
- Inadequate Procedures, or
- Insufficient documentation of actual practices
Two-thirds of the respondents said that insufficient documentation of practices was the most common finding. In other words, policies and procedures were fine, but the institution could not adequately demonstrate that it was actually following them. This brings me to the second compliance trend for 2011 (and a carry-over from last year):
The regulatory compliance process involves the coordination of 3 intersecting spheres:
- Policies,
- Procedures, and
- Practices
All 3 must not only be in alignment with one another, but also in alignment with the current interpretation of regulatory guidance. (Made especially challenging since the latter is a moving target.) Policy defines what you will do to address regulatory mandates, procedures dictate how you'll implement policy, and practices document what you actually do. If policies are off target but you can still demonstrate good practices, you'll have a minor audit/exam finding. But if you say you're doing something and you either didn't do it, or can't prove you did, that is generally a more severe finding.
So what last year's audit and examination experience demonstrated, and what I believe we'll continue to see in 2011, is increased scrutiny in the sphere of documented practices. Simply put, if you didn't document it, you didn't do it.
There are many ways to document your actual practices, but perhaps the best way is to take your procedures and convert them into a checklist. The checklist is then discussed in committee (Tech or IT) as a regular agenda item, and the minutes of that meeting become the evidence. For example, if your written procedures state that you will implement a patch management process to keep all devices fully patched, be able to produce a report showing the patch status of each device, and present it to the committee assigned responsibility for validating the effectiveness of your procedures.
Remember, if you can’t document it, then for regulatory purposes, you aren’t doing it.