I wrote Only as Good as Your Auditor for SQLServerCentral because it's something I've explained to people over and over again. For most of us in IT, audits are something we tolerate and try to get done as quickly as we can, a test to pass, and because of that we don't get to see the bigger picture of how, and whether, the audit is finding and fixing things that make things better.
Does that bigger picture matter? I'll argue it does. Part of it is understanding why the process is sometimes clunky and repetitive, but it's also the chance to see the auditor as an expert instead of an inquisitor. All too often we deal with auditors much as if we were testifying in court – answer the question directly and don't volunteer information. That's fine for passing the test, but what if instead we were asking questions like "we do it this way now, but do you think doing X instead would be considered compliant?" or "are there things we're doing that seem better or worse than what you see at other clients?"
You can even go one step further and train the auditor. Notice that they don't ask about linked server permissions, or backing up certificates, or something else related to the audit? Mention it. Maybe they already know; maybe it's a learning opportunity that will help them help another client avoid a breach.