IT Audit Data Requests

[SBH]

My company's IT org has mandated that all requests for data (user listings, config screenshots, what have you) for our SOX audits must flow through our Compliance group only. Of course, they have made the process of requesting the data as difficult as possible...for instance, there is a form we have to fill out and a ticket we have to submit which needs approval first, etc, etc.

Basically, we can no longer ask for any data from anyone in IT without going through the "proper" channel. In the past the Compliance group has been less than forthcoming with sharing information and they have been designated control owners for the majority of our ITGCs and therefore stand the most to gain by hindering the flow of information. I do not really feel comfortable with this approach as I feel the only purpose is to filter the data and make our job as difficult as possible.

Does anyone have any advice for me, as I am very certain this flies in the face of our Audit Charter, but I am unsure of how to approach this? Please help!

[klinktastic]

At my company, we run into similar problems. IT is understaff and has too many projects, so they are forced to prioritize by using these request forms.

The simple answer is, work your connections. I'm not sure how long you've been at your current company and what type of internal networking you've done, but find some allies and go through them to what you need. This should help you in the short term.

On the side, I'd recommend a sit down with the lead of the Compliance group and see if your team and his team are duplicating efforts and if so, could information be set up on a shared drive so that both teams can have access to the raw data, and then it can be used by either team and saved to their respective drives upon use. Also, see if there are some ways to reduce or eliminate excessive duplicative efforts. Maybe by bringing someone from IT in could help you prove that one request for both would save a lot of time and hassle for for his team which could lead to faster turnaround time for both your and the Compliance team.

As an aside, if you already know all the of the request you will need for the next 3 months worth of projects, perhaps a massive request list could speed things up. Since it will only have to flow through the "proper channels" one time as opposed to 50 different times for the 50 different requests.

Hope that helped.

[NC]

To channelize communication and information is indeed a good practice. I do admit it causes considerable delays for us to get data/information internally. However, it also takes care of one of the infosec requirement triad of Confidentiality.