Technology Audit Processes Are Broken, but Attention and Automation Can Fix Them

By Arthur Lozinski

Technology audit processes have become increasingly important, as they tie directly to adherence to an ever-growing list of compliance frameworks and mandates such as NIST, CIS, SOC 2, ISO 27001, and others. A component of all these frameworks pertains to the integrity of enterprise technology management and requires an up-to-date and accurate inventory of all technology assets (hardware, software, and cloud): who’s using them, where they are, what vulnerabilities they have, and the state of their security controls.

Challenges with Technology Audits

To better understand the process challenges companies face when it comes to technology audits, we partnered with YouGov and surveyed IT leaders regarding their technology audit challenges. The resulting report, Snapshot Survey: IT Compliance and Technology Audits, illustrates how much enterprises struggle with maintaining accurate data regarding the location, integrity, and security of enterprise technology assets.

We found that inaccurate data is a significant issue, causing 46% of respondents to experience a material increase (10% or higher) in audit delays and costs. Enterprises with greater than 1,000 employees were 27% more likely to experience an increase in audit delays and costs (10% or higher). Furthermore, 47% of companies spent at least 10% more resources and money than their planned audit budget due to poor technology inventory data.

Several trends, such as the increase in hybrid and remote work, the use of mobile technologies, and the surge in SaaS and cloud adoption, have added complexity to compliance initiatives and technology audits. However, these same trends increase the importance of governance and require enterprises to embrace improvements in processes, tools, and automation to enhance the accuracy and efficiency of compliance audits. Our research revealed that most businesses acknowledge the need for improving data hygiene, establishing better processes, and using more automation.

In fact, 56% of companies reported the data accuracy of their CMDB was at a B-minus or lower with insufficient levels of process automation. This number rises to 67% in enterprises with 1,000-5,000 employees. Sixty-two percent of organizations need to further automate their compliance assessment and technology audit preparation workflows to better adhere to security and compliance controls.

Process Automation Acts as a Force Multiplier for Improving Technology Audits

As companies execute on automating technology audit processes, they need to make sure they are automating the right processes, which means they need to do a thorough review of their current processes and how they can be improved. This is no easy task – there’s a lot of up-front work that needs to happen, but as a general rule, here are the steps involved:

Scope: Identify the breadth of requirements needed to satisfy internal and external audit specifications. Determine the roles, asset technologies, and technical controls in scope. Leverage solutions such as enterprise technology management platforms to integrate with an organization’s existing IAM, IT, and security management tools, allowing operators to easily define rules to track adherence to a wide array of configuration, access, ownership, management, and security requirements.

Assess: Set up controls to define, monitor, and respond to policy violations. IT professionals can use these controls to build workflows, from simple to complex, that identify security and management policy issues and gaps across endpoints, applications, network infrastructure, and cloud infrastructure.

Mitigate: Monitor and report on policy adherence and issues while allowing IT staff to automatically initiate remediation or proactively invoke compensating controls. Create workflows that can trigger notifications, approval requests, control installation or reactivation, owner reassignment, isolation and deprovisioning actions, and more – ideally while leveraging an organization’s existing IT tools and ticketing systems.

Evidence: Automate evidence gathering and report generation tasks to enable GRC managers and auditors to substantiate adherence. Audit, compliance, and corrective action details should be available at the operator’s fingertips to produce reports or export data to other IT systems and stakeholders.

Calibration: Empower ITOps, security, and GRC teams to collaborate to refine workflows, policies, and reports based on new requirements, exceptions, gaps, controls, and IT management tools. Using a centralized process automation platform, these teams can periodically extend workflows and data sharing, update rules and reports, and invoke more stringent remediation actions to support a wider array of operational audit and compliance conditions.
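The five steps above can be exercised end to end on a very small scale. The following Python script is an added illustration written for this page, not code from the article or from any product it mentions. The asset inventory, its field names, the rule identifiers, and the remediation strings are all constructed for the example; a real deployment would pull the inventory from IAM, IT, and security tools and push tickets into an existing ticketing system. Scope is expressed as the asset types each rule applies to, Assess evaluates the rules, Mitigate groups violations into one remediation ticket per asset, Evidence produces a per-rule adherence summary, and Calibration is simply editing the `RULES` list as requirements change.

```python
"""Toy policy-adherence check over a constructed technology asset inventory."""
from dataclasses import dataclass
from datetime import date
from typing import Callable

# Fixed reference date so the "last seen" check is deterministic (assumption for the example).
TODAY = date(2024, 1, 31)

# Constructed sample inventory. Field names are assumptions, not any vendor's schema.
INVENTORY = [
    {"id": "lap-001", "type": "laptop", "owner": "alice", "last_seen": "2024-01-30",
     "disk_encrypted": True, "edr_agent": True, "os_patch_age_days": 12},
    {"id": "lap-002", "type": "laptop", "owner": None, "last_seen": "2023-11-02",
     "disk_encrypted": False, "edr_agent": True, "os_patch_age_days": 90},
    {"id": "vm-010", "type": "cloud_vm", "owner": "bob", "last_seen": "2024-01-31",
     "disk_encrypted": True, "edr_agent": False, "os_patch_age_days": 3},
    {"id": "saas-crm", "type": "saas", "owner": "carol", "last_seen": "2024-01-31",
     "sso_enforced": False, "mfa_enforced": True},
]


@dataclass
class Rule:
    rule_id: str
    description: str
    applies_to: set            # Scope: asset types this rule covers
    check: Callable[[dict], bool]  # returns True when the asset is compliant
    remediation: str           # action a Mitigate workflow would trigger


# Constructed rules covering ownership, configuration, security, management, and access.
RULES = [
    Rule("OWN-1", "Every asset has a named owner", {"laptop", "cloud_vm", "saas"},
         lambda a: bool(a.get("owner")), "open ticket: assign owner"),
    Rule("CFG-1", "Endpoint and VM disks are encrypted", {"laptop", "cloud_vm"},
         lambda a: a.get("disk_encrypted") is True, "enforce encryption policy"),
    Rule("SEC-1", "EDR agent present", {"laptop", "cloud_vm"},
         lambda a: a.get("edr_agent") is True, "reinstall EDR agent"),
    Rule("MGT-1", "Asset checked in within 30 days", {"laptop", "cloud_vm"},
         lambda a: (TODAY - date.fromisoformat(a["last_seen"])).days <= 30,
         "locate device or mark for deprovisioning"),
    Rule("PAT-1", "OS patches no older than 45 days", {"laptop", "cloud_vm"},
         lambda a: a.get("os_patch_age_days", 999) <= 45, "schedule patching"),
    Rule("ACC-1", "SaaS applications enforce SSO", {"saas"},
         lambda a: a.get("sso_enforced") is True, "enable SSO in the IdP"),
]


def assess(inventory, rules):
    """Assess: return (asset_id, rule_id, remediation) for every in-scope rule that fails."""
    violations = []
    for asset in inventory:
        for rule in rules:
            if asset["type"] in rule.applies_to and not rule.check(asset):
                violations.append((asset["id"], rule.rule_id, rule.remediation))
    return violations


def mitigate(violations):
    """Mitigate: group violations into one remediation ticket per asset.

    Stands in for a ticketing-system integration; here it only builds the ticket bodies.
    """
    tickets = {}
    for asset_id, rule_id, action in violations:
        tickets.setdefault(asset_id, []).append(f"{rule_id}: {action}")
    return tickets


def evidence_report(inventory, rules, violations):
    """Evidence: per-rule adherence summary an auditor could review."""
    report = {}
    for rule in rules:
        in_scope = [a for a in inventory if a["type"] in rule.applies_to]
        failing = sorted({v[0] for v in violations if v[1] == rule.rule_id})
        passing = len(in_scope) - len(failing)
        pct = round(100 * passing / len(in_scope), 1) if in_scope else 100.0
        report[rule.rule_id] = {"description": rule.description, "in_scope": len(in_scope),
                                "failing": failing, "adherence_pct": pct}
    return report


if __name__ == "__main__":
    found = assess(INVENTORY, RULES)
    for asset_id, body in mitigate(found).items():
        print(f"ticket for {asset_id}: {'; '.join(body)}")
    for rule_id, row in evidence_report(INVENTORY, RULES, found).items():
        print(f"{rule_id} {row['adherence_pct']:>5}%  failing={row['failing']}")
```

Calibration in this model is a code change rather than a runtime feature: adding a rule, widening its `applies_to` set, or tightening a threshold such as the 30-day check-in window is the whole act, and re-running `assess` immediately shows which assets the new requirement catches.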

As companies continue to digitally transform, experiment with hybrid work models, and embrace new technologies, technology audit processes will only become more important to maintaining effective operations. As boring as they might seem, they impact a wide array of business functions ranging from procurement and license management to compliance management and cybersecurity.

The more business-critical technology audits become, the more important it is to fix process failures that expose the business to negative consequences. So, why not invest in their success?