Fieldwork, Findings and Compensating Controls
Audit fieldwork is the process of identifying the people, process, and technology within a given systems environment that correspond to expected control activities. Management accountable for audit results should do their best to ensure that an auditor is always speaking with the expert in the area under review. They should caution personnel not to make guesses in responses to audit questions, but instead to refer the auditor to the appropriate subject matter expert, or back to the accountable management contact.
As every security professional knows, it is extremely difficult to keep abreast of all the new management tools and techniques required to control IT, much less to determine which is the best fit to meet a given control objective. In recognition of this difficulty, audit programs are usually quite well established and uncontroversial. They are stated in general terms and can be supported with a wide variety of technology tools and techniques.
Where auditors cannot find evidence that a control objective is met, they will circle back to the accountable manager to see if there is some activity within the organization that qualifies as meeting the objective which was not anticipated by the auditor, due to inexperience or unfamiliarity with the control environment. If they find it, they may refer to it as a "compensating control." This allows them to conclude that the control objective is met even though the control activity they expected does not exist, because the newly found activity compensates for the lack of the expected one.
In the event that an auditor can find no evidence corresponding to a given control objective, this issue will be labeled as a finding. A documented audit finding should have four or five parts. These are:
Condition: a factual description of audit evidence
Criteria: some standard that indicates why the condition impairs management's ability to achieve control objectives
Cause: the root cause of the situation that introduced the control weakness
Effect: the risk that the condition presents to the audited organization, stated in terms of potential business impact
Recommendation: an appropriate management response (optional)
At any given point during the fieldwork, an auditor will have a list of potential findings. They may not yet be fully documented, but the condition may be known. The IT management contact for the audit should frequently touch base with the auditor during the fieldwork, and ask whether there are any potential findings. It is the role of the IT contact to assist both management and the auditor in the quest for evidence that would provide assurance that the control objective is met, and thus eliminate the finding.