Voted Best Answer
Nov 07, 2016 - 08:10 PM
When creating an audit defence policy/process, you need to identify the roles and responsibilities for key stakeholders when it comes to responding to an audit. For example, as part of the 'Audit Board' you identify the following people:
1. Senior Manager (single communicator between organisation and auditor)
2. SAM (responsible for compliance & optimisation)
3. Service Desk Manager (removal of any unlicensed/unapproved software once identified during the audit)
4. Head of Legal (Understanding the contracts & negotiating new audit clauses)
5. Head of Finance (responsible for structuring payments etc)
You then identify who is going to do what in the event of an audit. This, of course, needs to be documented to ensure that everyone knows what their roles and responsibilities are in the event of an audit. Having something like an audit defence policy helps the organisation to be proactive in the event of an audit, rather than having a mad dash and a scramble to find information and resources to help the SAM team manage the audit. Remember, the COMPANY is being audited, not the SAM TEAM!
Also, as part of the audit defence policy, I suggest putting in hours or timeframes for each stakeholder to complete their responsibilities. This will vary from organisation to organisation depending on the technologies in place and the structure of the teams.
You need to create a flow that highlights the process from when you get the audit letter, gathering the Audit Board and what your process is moving on from there. The first thing to do is acknowledge the letter; don't ignore it. Gather the troops, identify what data you need to gather for the vendor and where your biggest risks are:
- Existing entitlement (yours and the vendor's interpretation. The vendor's information may be wrong; challenge it if necessary!)
- Deployment information
- Usage information (how, where, when)
- Any notes or information from previous audits by this vendor (might have suggestions on how the previous team managed said audit)
During the audit I suggest making sure that the senior manager is the sole point of contact - this has worked well in the past and helps ensure that only relevant information goes to the auditor.
Regular reviews and catch-ups between teams are required to review progress and understand what the likely outcome of the audit will be. This involves the Audit Board and, separately, the auditor.
Remember, you can challenge the outcome of the audit. If the numbers do not look right to you post-audit (either non-compliance issues or financial) then you do have the right to question how the auditor came to that conclusion.
This is very brief as it is a post on a forum. I could go into pages and pages worth of stuff here!