Survival in the Land of Compliance Audits

by Aug 20, 2019

As you innocently go about your daily work activities on a Friday afternoon you notice a new email and crack it open. The message is from management and it alerts you to the fact that several of your SQL Server instances are on the list to be included in a compliance audit. A team of third-party auditors will be conducting interviews with the staff members responsible for securing the systems and you’re scheduled to go early next week. The prospect of answering their questions poses the risk of ruining your weekend.

Don’t lose sleep worrying about how you will respond to the auditors’ queries. In a previous incarnation, I was a security focal for a data management department. This role required me to be involved in many compliance audits. Some of these were aimed at systems that were my direct responsibility while at other times I assisted coworkers in navigating the process. My organization also conducted internal compliance audits that were designed to identify issues before they were found by the external audit team.

Based on those experiences, I have some tips for DBAs or other IT professionals who will be called up to participate in an audit. The first nugget I offer is to try to relax. With less than a week before the audit occurs there is no time to make changes to your system configurations. The auditors will notice system updates and any deficiencies addressed by your modifications are likely to still appear as findings on their report.

Taking action after the audit is announced may be seen as attempting to subvert the intentions of the process. Your systems will be judged on their current state of compliance and any issues will need to be rectified when the audit concludes.

How is the Compliance Audit Performed?

Most compliance audits follow a standard workflow consisting of several distinct steps. They are:

Notification – In this phase, the organization to be audited is notified of the date and time the audit will commence. The specific systems or information of interest to the auditors is communicated as part of the notification process. At this point, a change freeze may be instituted regarding the systems in scope to be audited. This ensures that a true measure of compliance can be tested without any emergency measures being taken to address long-standing issues.

Planning and initial meeting – After the auditors have created their plan of attack, they will meet with management and communicate the areas on which their inquiry will concentrate. They will define the systems or components of your environment that will be reviewed.

Fieldwork – This part of the audit involves interviews with key personnel to investigate the business procedures in place. In addition to verbal communication with the auditors, stakeholders may be called up to provide evidence that demonstrates a system's level of compliance. Reports will need to be generated to supply this information to the auditors. DBAs and system administrators will be called upon to participate in this portion of the audit.

Draft audit – The draft audit is composed when the auditors have completed their fieldwork. It details the purpose and procedures followed during the audit. Audit findings and a list of potential unresolved issues are part of this draft.

Management response – A final audit report is given to management at which time they can agree with or dispute the audit findings. A plan to address compliance deficiencies is created along with an expected timetable for remediation.

After these steps, the audit report will be distributed to stakeholders directly impacted by the findings as well as those who can benefit from studying the deficiencies that have been identified. Management should hold those responsible for addressing any compliance failures to a schedule designed to resolve the issues. An internal audit that covers the same ground may be called for to verify that the proper corrective action has been taken.

Responding to Auditors Questions

You need to stick to the facts when answering auditors questions even if you are aware that some of your responses or documents may indicate a compliance deficiency. Attempting to confuse or mislead the auditors to obscure problems will lead to further complications and may cost you your job. Remember, the purpose of an audit is to identify areas of concern and implement actions to correct them. It is not designed to punish the individuals responsible for those systems.

One of the key points to remember when communicating with auditors is to limit your responses to the specific information that has been requested. You want to fully answer their question as clearly as possible while providing the minimum amount of information to satisfy their request. Offering additional details related to their query may suggest new avenues for an investigation that were not previously considered. Provide the auditors with the specific data they request and nothing more. If they need further information, you can be sure it will be requested at some point in the proceedings.

Providing Evidence to Compliance Auditors

Gathering the evidence that auditors demand can be time-consuming without the proper tools. While all of the information can be obtained with manually developed scripts and screenshots of system activity, using a platform designed to furnish compliance details makes life a lot easier. IDERA’s SQL Compliance Manager gives you the power to satisfy auditors as well as the means to better prepare for their inevitable arrival.

SQL Compliance Manager has all the tools to help you maintain compliance with many regulatory standards including HIPPA, GDPR, and PCI DSS. Easily create custom reports or take advantage of the pre-defined compliance reports built into the application. Templates are provided so you can proactively test your systems against regulatory requirements to ensure they are compliant before having to address audit findings. SQL Compliance Manager offers a comprehensive application that will help keep you compliant and provide evidence of that compliance. It makes surviving an audit a trivial matter.