About a month ago, we finished our last round of audits and I wanted to share a little bit with you about how to talk to auditors, or better yet, how not to talk to them.
Here’s a fine example of how you should not talk to an auditor.
One of our guys, I’m sorry to say a DBA, walked into a room where the bosses were holding a meeting and announced that none of our backups across the board were working, and had been failing for a couple days. We’re completely unprotected!!
Of course, you guessed it, they were meeting with the auditor from D&T. In his defense, he said he had no idea that was an auditor and he never would have said that if he did. OK guys, let’s put this rule on the table right now. Don’t go announcing things like that at all. If there’s someone in the room you don’t recognize, keep your mouth shut, send an email, pull them out of the room, whatever, but don’t just announce that your shop is falling apart.
Most companies will tell you when the auditors are going to be there, and will tell you to refrain from discussing sensitive business outside of your immediate area. This is an excellent tactic, and we do that too, so why this incident happened, I’ll never know.
So how should you talk to an auditor then? There are 2 areas you need to worry about.
The first is before and after the interview. Auditors like to come up to your desk or pin you in the hall and ask you questions about your environment. That’s fine for them, but you need to get with your managers and decide how you’re going to handle this situation… remember, anything you say can and will be used against you in a court of audit. What we do is we refer all questions back to our boss. If an auditor asks me a question outside of the interview, I say, send your question to my boss. He then asks me the question, and I in turn send the answer back to him. This way, the auditor can’t trip you up on the spot, and you won’t accidentally say something you’ll regret. And it gets to go through the filter of someone else. Even if you know the answer, don’t say anything. Make them go through channels. Now you may not choose to do it this way in your shop, but it’s worked very well for quite a few places I’ve been in.
Second is during the actual interview. Auditors will quite often call you in to ask specific questions. Quite often, you have someone else in your dept sitting in with you to make sure everything goes well… just kind of a witness. When the auditor asks you questions here, you may answer them, but use as few words as possible. Never say 20 words when a yes will do. Treat this just like testifying in court. Answer the question asked, no more, no less. It’s tempting sometimes to want to explain yourself or your reasoning for why something’s done, but it’s not relevant here. In the case from above, I would only hope the DBA wouldn’t answer like this:
Q: Do you backup the DBs every night?
A: Yes… but we quite often go several days without our backups working, and we never test restores, and it doesn’t matter anyway, because the drive we keep them on is old and slow and will probably die any day now, and since they’re not pushed to tape we’d be in real trouble if that happened.
The clear answer is simply yes. Then SHUT UP!!!
Also, don’t let them rope you into answering questions that are outside your area. Anything not having to do strictly with DBs is none of your concern. Some sample questions are…
Q: How many users inside Solomon have elevated rights to create accounts?
A: I’m not responsible for Solomon. The Solomon admin would have to field that question.
Q: What method do users use to authenticate to your intranet?
A: You’ll have to ask that question to the intranet admin.
Q: How many users have db_owner in the ADP database?
A: At this point I could only guess, but send me that question in email and I’ll get you an answer.
Notice that last question was in your range and it still didn’t get answered? Auditors will write down whatever you tell them on the spot, and move on. Don’t guess at anything. If you’re not sure of an answer, say so, and ask them to submit it in email and you’ll verify the answer and send it to them. This is crucial because you won’t get a 2nd chance to answer that once they’ve written something down. You’ve got a few dozen servers to look after, and nobody expects you to have all the answers off the top of your head.
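Here’s what running those two DB questions down looks like before the answer goes out in email. This is an added example, not code from the original post: T-SQL against SQL Server’s catalog views (assumed SQL Server 2005 or later), using [ADP] because that’s the database named in the sample question. The second query backs up the “do you backup the DBs every night?” answer with the history msdb keeps, so the yes is a yes you can show.

```sql
-- Added example (not from the original post): the two facts the DBA was asked
-- about, pulled from SQL Server catalog views so the emailed answer rests on
-- evidence rather than a guess. Assumes SQL Server 2005 or later and a
-- database named [ADP], the name used in the sample question above.

-- 1. "How many users have db_owner in the ADP database?"
--    Direct members of db_owner, plus the login that owns the database,
--    which has db_owner rights implicitly as dbo.
USE [ADP];
GO

SELECT  m.name            AS member_name,
        m.type_desc       AS member_type,   -- SQL_USER, WINDOWS_USER, WINDOWS_GROUP, DATABASE_ROLE ...
        N'db_owner member' AS how_granted
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'db_owner'
UNION ALL
SELECT  SUSER_SNAME(d.owner_sid), N'database owner (dbo)', N'owns database'
FROM    sys.databases AS d
WHERE   d.name = DB_NAME();
GO

-- If any member_type above is DATABASE_ROLE or WINDOWS_GROUP, that row is a
-- container, not a person: expand it (sys.database_role_members again, or the
-- AD group) before you report a head count. Members of the sysadmin server
-- role also have db_owner-level access everywhere; list them separately.

-- 2. "Do you backup the DBs every night?"
--    Last completed full backup per database, from the backup history msdb
--    keeps. A NULL or a stale date is exactly the gap the DBA blurted out
--    in the meeting, and the thing to fix before the interview, not during it.
USE master;
GO

SELECT  d.name                     AS database_name,
        MAX(bs.backup_finish_date) AS last_full_backup,
        DATEDIFF(HOUR, MAX(bs.backup_finish_date), GETDATE()) AS hours_since_full
FROM    sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS bs
        ON bs.database_name = d.name
       AND bs.type = 'D'            -- D = full database backup
WHERE   d.name <> N'tempdb'
GROUP BY d.name
ORDER BY last_full_backup;          -- NULLs (never backed up) sort first
GO
```

Run both, paste the result sets into the reply to the auditor, and let the numbers do the talking. The backup query only proves a backup finished; it says nothing about whether the file restores, so keep the restore-test question in mind as its own item.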
Ok, that’s all I’ve got… happy auditing!!