How to Provide Compliance Evidence to Auditors

by Sep 4, 2019

There’s no getting around it. The only way to satisfy the demands of auditors and demonstrate your organization’s compliance with the regulatory requirements under which it operates is to provide the evidence. Auditors are not inclined to believe your best intentions, and if you cannot come up with the goods, you will fail the audit. As Paul Simon sang, “Proof is the bottom line for everyone.” This applies to the audit team sitting in the conference room down the hall.

As a DBA you should be aware of the steps required to keep your databases and systems compliant with the regulatory standards to which your company is held. This might encompass a wide range of items related to the security and operation of your systems. You need to create IDs following specific guidelines to control access to sensitive data. Backups may need to be performed on a set schedule to ensure the protection of the information contained in your database. There may be parameter settings that need to be enabled to adhere to regulatory requirements. Making sure your systems are compliant should be part of your regular responsibilities.
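As an added example (not code from the original post or from IDERA), the three items above can be turned into evidence queries a DBA runs on a SQL Server instance and hands to the auditor. The 24-hour backup window and the expected parameter values are assumptions standing in for your own policy; the queries need read access to `msdb` and the server catalog views.

```sql
-- 1. Access control: SQL logins that bypass the Windows password policy or
--    never expire. Auditors expect this list to be empty or justified.
SELECT  name, is_policy_checked, is_expiration_checked, is_disabled, modify_date
FROM    sys.sql_logins
WHERE   is_policy_checked = 0
   OR   is_expiration_checked = 0
ORDER BY name;

-- 2. Backup schedule: last full and last log backup per database, flagged when
--    the full backup is missing or older than the 24-hour window assumed here.
SELECT  d.name AS database_name,
        d.recovery_model_desc,
        MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full_backup,
        MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log_backup,
        CASE WHEN MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) IS NULL
               OR MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END)
                  < DATEADD(HOUR, -24, GETDATE())
             THEN 'OUT OF POLICY' ELSE 'OK' END AS status
FROM    sys.databases d
LEFT JOIN msdb.dbo.backupset b ON b.database_name = d.name
WHERE   d.name <> 'tempdb'            -- tempdb is never backed up
GROUP BY d.name, d.recovery_model_desc
ORDER BY d.name;

-- 3. Parameter settings: instance options auditors commonly ask about, with
--    the expected value (an assumed policy) listed so the row reads pass/fail.
SELECT  c.name,
        CAST(c.value_in_use AS int) AS value_in_use,
        e.expected,
        CASE WHEN CAST(c.value_in_use AS int) = e.expected
             THEN 'OK' ELSE 'REVIEW' END AS status
FROM    sys.configurations c
JOIN (VALUES ('xp_cmdshell', 0),
             ('Ole Automation Procedures', 0),
             ('Ad Hoc Distributed Queries', 0),
             ('clr enabled', 0)) AS e(name, expected)
  ON e.name = c.name
ORDER BY c.name;
```

Save each result set with a timestamp and the instance name; the dated output, not the query, is what the auditor files as evidence.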

Audits, however, are not an everyday occurrence. For most IT professionals, this is a good thing. While audits can shed light on business practices that need to be improved, they can become nightmares for those responsible for responding to the auditor’s requests.

What Are the Goals of a Compliance Audit?

The auditors who are requesting information have a well-defined purpose behind their queries. There are four basic goals of a compliance audit.

  • Assessing organizational effectiveness – This is the primary goal of the audit. Your organization will be judged on how effectively its policies and procedures fulfill the requirements that achieve compliance. Individual processes will be examined to test their compliance with regulatory standards. A predominance of failed processes may result in an overall failing audit score.

  • Identifying deficiencies – Deficient procedures will be uncovered while the auditors are investigating their effectiveness. These are meant to be addressed by the enterprise to close any compliance gaps before the next round of audits.

  • Ongoing verification – Auditors may assign corrective actions to resolve deficiencies they have identified. A second special audit within 90 days may be required to show that severe problems with your company’s procedures have been rectified. The correction of less serious issues can often be demonstrated and verified at the next scheduled audit.

  • Improvement recommendations – The final report from the audit team will usually contain specific recommendations which point out improvements that the business can implement to ensure future compliance. These suggestions should not be ignored.

Why Audits Fail

Audits can fail for a variety of reasons. Being aware of the causes of an audit failure can help you be better prepared to make sure your organization receives passing grades.

  • Absence of management prioritization – A culture of compliance starts at the top. Without adequate management emphasis on maintaining compliance, there is little chance that the rest of the organization will take the necessary actions to satisfy the audit team.

  • Lack of proper documentation – Even if you are taking all the required actions to be compliant with regulatory standards, failure to provide documentation that verifies these actions will lead to an audit failure.

  • Manual processes and human error – Manual processes can leave a company exposed to security and compliance vulnerabilities. A manual procedure implies human interaction, which introduces the possibility of a simple oversight leading to an audit failure. Automating processes wherever possible can help a company maintain compliance.

  • Missing internal risk assessments – Conducting internal assessments is useful for identifying potential compliance issues before they are found by the audit team. Many organizations do not engage in this type of activity, which sets them up to fail an audit.

Producing the Evidence

So now it’s time to face the music. You’ve been called upon to produce compliance reports to satisfy the auditor’s demands. Some DBAs might be overwhelmed at this prospect, but with the right tools, they can easily handle any queries sent their way.

IDERA’s SQL Compliance Manager can be indispensable for assisting your DBAs in generating the evidence to verify your organization’s regulatory compliance. The application addresses compliance in a variety of ways. It enables you to identify where sensitive data exists in your databases so it can be properly protected. SQL Compliance Manager provides compliance templates that can be checked against your system configuration to identify areas that need to be modified.

Improved compliance report generation has been seen as one of the tool’s more important benefits by its users. Over 25 pre-defined compliance reports are available, and you can create custom reports that allow for more detailed auditing. It offers a great way for your database team to give the auditors the proof they demand, which hopefully results in a passing score on your next audit.