Are you Audit-Ready?
Authors: Ki James and John Boyer
When you first read the title of this article, you probably shuddered and immediately thought of your financial audit. Those may be scary, but what about compliance audits?
Are you prepared for a review of your organization’s adherence to contract and regulatory requirements?
A compliance audit reviews your internal controls, security policies, user access controls, and risk management. The chances are high that you have some kind of policies in place, but a compliance audit related to (for instance) the Health Insurance Portability and Accountability Act (HIPAA) will validate that your organization has consistently enforced policies and controls, not just that they’re on the books.
The exact nature of a compliance audit will depend on the type, but often consists of demonstrating that access to records is secure, and that data in your analytics and reporting environment is restricted to necessary personnel.
The Problem
Providing good and valid proof of adherence can be a huge pain. For demonstrative purposes, let’s focus on one specific example.
Every production environment ought to have a digital paper trail. It should start with ideation, continue down through testing and bug fixing, find its way past resolution, and end at the approval of the final, completed product.
That last step – the final approval – is a favorite of auditors to pick on. They might ask, “can you show me how you confirm that all reports in the production environment have adhered to your documented process?”
You’d then have to provide a list of every migrated report.
Why this is important
Providing auditors necessary and sufficient information can be daunting, particularly when it’s a manual process – even more so if you haven’t planned for the occasion.
It is important to not only establish and follow your policies, but also keep mechanisms in place to validate and prove the adherence to your own standards.
Minimally, you need to be prepared to provide an auditable record of who accessed what, what changes were made to the environment, all reports people made, who made the reports, and how every asset in the production environment passed through developer and QA hands appropriately.
The Strategies
Being “ready” for an audit can come in multiple different forms, some of which are higher effort and more likely to keep you out of trouble than others. Here’s a ranking of some but not all in order of increasingly better options.
Chaos and Mayhem
It’s possible that you, dear, unfortunate reader, through this article have come to the realization that you are woefully unprepared to prove you don’t commit dire HIPAA violations to the satisfaction of an auditor.
If this is the case, it may be too late depending on how long your haphazard status quo has reigned. You may find yourself in the unfortunate position of scrambling to find any scraps of information you can.
This is a tried and true method that’s been proven throughout the annals of time to have disastrous results.
If you plan to take your chances and shoot for this strategy, simply do not. Your future self will thank you.
Blood, Sweat, and Tears
Traditionally, businesses have kept meticulous records of everything that happens through grit and labor. In some folder in their system, there are handwritten (or hand typed) spreadsheets and documents detailing everything that an auditor might need to know.
If you’re trying to dig yourself out of the Chaos and Mayhem strategy, this may be your best bet getting started. Rather than waiting to scramble and find all the key information under the terrible gaze of an auditor, digging up everything you have and compiling it in an at least semi acceptable record can be done manually while you have time.
Whether or not this strategy is your day to day norm or the way you plan on breaking out of bad habits, we recommend the following plan for you to start as soon as you possibly can.
Version Control Software
Having holistic version control across all parts of your business, not just repos where it comes prepackaged, makes this entire process essentially handle itself. As users make changes to anything, it will automatically silently record who’s making the change, at what time, what procedures were followed, the whole nine yards.
When the auditors come knocking on your door and want to know what happened, you can just refer to your internal version history. You won’t need to scramble to find proof, you won’t need to waste hours in a spreadsheet recording information – the software does the job for you. You can just focus where it matters most.
Version control software has some other big benefits too; namely, the ability to roll back to previous versions. This can be a huge quality of life feature, particularly for programs that otherwise didn’t have this functionality.
Having the ability to comprehensively and accurately roll back to precise versions also gives you a security blanket from things like ransomware, where wiping your machines might be a necessity to start running the business again. Rather than losing all your records or even the project itself, you can simply consult the version control, pick the most recent option, and bada boom, you’re back in business.
Conclusion
Audits don’t have to be terrifying specters looming over your business, waiting to crush whatever momentum you have. If you take proper precautions and acquire good version control software, then the stress of an audit and the slog of record keeping can both disappear, like tears in rain.