Talking to Auditors

About a month ago, we finished our last round of audits and I wanted to share a little bit with you about how to talk to auditors, or better yet, how not to talk to them.

Here’s a fine example of how you should not talk to an auditor.
One of our guys, I’m sorry to say a DBA, walked into a room where the bosses were holding a meeting and announced that none of our backups across the board were working, and had been failing for a couple days. We’re completely unprotected!!

Of course, you guessed it, they were meeting with the auditor from D&T. In his defense, he said he had no idea that was an auditor and he never would have said that if he did. OK guys, let’s put this rule on the table right now. Don’t go announcing things like that at all. If there’s someone in the room you don’t recognize, keep your mouth shut, send an email, pull them out of the room, whatever, but don’t just announce that your shop is falling apart.

Most companies will tell you when the auditors are going to be there, and will tell you to refrain from discussing sensitive business outside of your immediate area. This is an excellent tactic, and we do that too, so why this incident happened, I’ll never know.

So how should you talk to an auditor then? There are 2 areas you need to worry about.
The first is before and after the interview. Auditors like to come up to your desk or pin you in the hall and ask you questions about your environment. That’s fine for them, but you need to get with your managers and decide how you’re going to handle this situation… remember, anything you say can and will be used against you in a court of audit. What we do is refer all questions back to our boss. If an auditor asks me a question outside of the interview, I say, send your question to my boss. He then asks me the question, and I in turn send the answer back to him. This way, the auditor can’t trip you up on the spot, and you won’t accidentally say something you’ll regret. And it gets to go through the filter of someone else. Even if you know the answer, don’t say anything. Make them go through channels. Now you may not choose to do it this way in your shop, but it’s worked very well for quite a few places I’ve been in.

Second is during the actual interview. Auditors will quite often call you in to ask specific questions. Quite often, you have someone else in your dept sitting in with you to make sure everything goes well… just kind of a witness. When the auditor asks you questions here, you may answer them, but use as few words as possible. Never say 20 words when a yes will do. Treat this just like testifying in court. Answer the question asked, no more, no less. It’s tempting sometimes to want to explain yourself or your reasoning for why something’s done, but it’s not relevant here. In the case from above, I would only hope the DBA wouldn’t answer like this:
Q: Do you backup the DBs every night?
A: Yes… but we quite often go several days without our backups working, and we never test restores, and it doesn’t matter anyway, because the drive we keep them on is old and slow and will probably die any day now, and since they’re not pushed to tape we’d be in real trouble if that happened.

The clear answer is simply yes. Then SHUT UP!!!

Also, don’t let them rope you into answering questions that are outside your area. Anything not having to do strictly with DBs is none of your concern. Some sample questions are…

Q: How many users inside Solomon have elevated rights to create accounts?
A: I’m not responsible for Solomon. The Solomon admin would have to field that question.

Q: What method do users use to authenticate to your intranet?
A: You’ll have to ask that question to the intranet admin.

Q: How many users have db_owner in the ADP database?
A: At this point I could only guess, but send me that question in email and I’ll get you an answer.

Notice that last question was in your range and it still didn’t get answered? Auditors will write down whatever you tell them on the spot, and move on. Don’t guess at anything. If you’re not sure of an answer, say so, and ask them to submit it in email and you’ll verify the answer and send it to them. This is crucial because you won’t get a 2nd chance to answer that once they’ve written something down. You’ve got a few dozen servers to look after, and nobody expects you to have all the answers off the top of your head.

Ok, that’s all I’ve got… happy auditing!!

7 thoughts on “Talking to Auditors”

  1. Hi

    I completely disagree. I see the auditor as my primary ally in ensuring that systems are run to a high standard. Managers tend to look at the bottom line whereas I tend to look to my professional responsibility; auditors ensure adherence to standards.

    I have used auditors to mediate where I have felt that a manager’s cost cutting / this is how we do it here attitude / lack of knowledge / etc. is putting a system at risk.

    Karl
    DBA

  2. Answer but don’t offer. Auditors, like HR, are not your friends, allies, or partners. I like feeding my family and that tends to not get done if I get fired for being stupid around auditors.

    If the company is doing something stupid with the systems it is the responsibility of management to address that with the auditors.

  3. Having personally dealt with district and federal court situations, I agree with the person who said the auditors are NOT your friends, allies or partners. They, like anyone else, have a specific job to do, and they do it. Auditors I’ve worked with are quick to inform me that they have a responsibility to the parties they report to. So, I keep up-to-date records, files and backups, to validate and prove my information is correct. This has proven that I am “clean” of any wrongdoing, as well as always reporting to management, in advance, any situation where there is a conflict. For nearly 20 years now… every audit has gone smooth and flawless.

  4. You will talk in the way your boss commands you to talk.

    But in court you will tell the whole truth and nothing but the truth.

  5. I treat external auditors like I do any other external entity: before I answer a question about my infrastructure, you’ve got to show me you have a valid reason to have the information. “I’m an auditor” isn’t enough. For instance, if you’re in doing a SOX audit, I want to know how the information you’re asking for is relevant to SOX. If I’m not clear on the whys, you need to send me an email (and CC my boss) explaining why you need that information.

    Then, when you do justify it, I’m going to give you the information you need and nothing more. Why? Again because you are an external entity. I don’t know fully the extent to which you’ll use the information I give you, so I’ll err on the side of caution and give you exactly what you ask for (which you’ve proven you need) and no more.

  6. External vs. Internal is a key concern. External auditors are there for strictly compliance reasons. You will typically find more of an audit cop mentality. Internal audit (if it’s a good group of people) will be highly consultative and have a goal of helping you improve your processes rather than enjoy playing Columbo.

    To be honest, the original poster would make any good auditor wonder what he was hiding based on his evasive and uptight nature. If you have nothing to hide, you will be relaxed and cooperative. Auditors are trained to pick up on body language cues.