Tackling audits through automation

No one wants to deal with the headache that is an audit. Whether the auditor is internal or from a third party, being audited requires a high investment of time and energy; it can impact an organisation’s reputation and ultimately its bottom line. Today, with automation software, organisations are mitigating audit risk, ensuring compliance and meeting the requirements of audits.

In the early to mid 2000s, system administrators were building and maintaining a lot of custom automation software like Shell, Perl and AWK, to meet compliance, security and audit demands. This early use of the software was often inefficient, requiring extensive resources to implement and maintain. Over time, the industry recognised that a better way was needed. 

Since then, a new wave of automation software tools has enabled enterprises to reduce error rates, increase efficiency and help teams become more transparent. With these results in mind, the adoption of automation isn’t a question of whether organisations should or shouldn't automate–it’s more a question of how. As someone who has worked for more than a decade with software and addressed audit and compliance requirements, here are my top five recommendations to tackle audits through automation:

1. Determine what auditors are asking for and what they care about. Then ask, why do they care? 

By establishing what questions an auditor is really trying to answer and why they care about specific information, it’s easier to determine what they actually need.

2. Share ideas and examples ahead of time for the auditing team to approve. 

Once you’ve determined what the auditors are looking for, and before going down the rabbit hole of producing reports that may be relevant, consult the auditing team to determine exactly what they want to see. Share examples and give them the opportunity to provide feedback. It will save time and frustration in the long-term and your teams may find they already have a lot of information readily available.

Here you can apply the practices of agile development with auditors, as they are now your customer. Is a report that is flat text easier to work with than a spreadsheet? Do they want all relevant data or just random samples? If no exceptions are found, do they want a blank report, or no report? 

3. Roll out automation company-wide. 

If an enterprise is automating one system, then there is an opportunity to automate them all, which will help a potential audit run smoothly. For example, if a system wasn’t previously in the scope of an audit (but needs to be added at a later date), an automated system can easily support these changes, reducing the time and effort required to make future adjustments. Automating company-wide also has the added benefits of:

● Making a business as a whole more compliant
● Allowing the security and DevOps teams to work more closely together to create a system that is both secure and flexible to address security threats over time
● Creating a higher ROI as systems begin running more efficiently.

Since auditing is often focused on security baselines and requirements, it’s simply good practice to have everything at or above your baseline. After all, attackers don’t often take into account the auditing scope of systems when pilfering your information. 

From an operational standpoint, less variance means higher uptime and a greater ability to deploy change. If a new requirement to update your encryption libraries across all systems comes out, it’s much easier if all of those systems are already on the same version so upgrade testing done once is a decent sample for the entire upgrade set. If you have several versions of those cryptographic libraries, you have several upgrade paths and scenarios to validate prior to being in compliance, and ultimately more protected. 

4. Implement automated reporting on what actions teams and departments are taking to stay compliant and where all parts of the stack are located. 

By making automated reports easily accessible and readily available, they can then be shared as needed with anyone who has a stake in them. While this may seem like an easy step, it’s one often left to the last minute, which is when mistakes happen. Once all this report data is collected regularly, it can then be used for other needs across the business such as technical system administration.

When I was working as Unix/Linux systems administrator, I would load in all accounts and groups for every machine into a database to process and look for anomalies, such as 12 members of this team have access to these 20 systems, but two have access to only 18 and a single person has access to 55 systems. This type of reporting showed not only control over the systems in scope for the audit, but also demonstrated control over account management procedures, and caught human errors. Since these reports were looked at all the time, they were understood by the auditing team. 

Another example for knowing your audience is by labelling your automation points with specific names of baseline controls. For example, if you have a control that says “Control 001:Root shall not have direct access to machine via the network,” you could make a resource called Control-001 and that way in every report generated, it’s very clear what the resource is. 

5. Train others to use the software to ensure it’s maintained and continues to be relevant as the business grows. 

Like in DevOps culture, where developers learn how operations works, using automation across a business is a process of cross-department cooperation, which is most impactful with buy-in from all parties, regular and open communication, and ongoing training.

Finally, when working towards an audit it’s also important to keep in mind: 

● Always have a backup plan if and when automated scripts fail
● Filing for an exception during or prior to an audit isn’t a sustainable solution. Not only is it unnecessary in a functioning automated environment but it opens systems up to additional risk because there are gaps where processes and controls should be watertight.

Automation software addresses the risk of audit and compliance requirements by enabling both systems and processes to be completely transparent and traceable. In fact, many enterprises and government bodies implementing automation are now seeing an increase of up to 68 per cent compliance within just a few months. This impact shows not only the success of the technology, but the long term effect it can have on the smooth running of both a department and across an enterprise facing regularisation and standardisation.

Michael Stahnke, director of engineering, Puppet
Image source: Shutterstock/Vasin Lee