I was a vice president in IT when there was an internal audit of information security, one of my responsibilities. It came while we were in the midst of implementing the ACF2 security system.
The draft “findings” that were presented to me were like this:
We found that security over xxxxx has not yet been implemented. This represents a significant risk that should be addressed promptly.
The auditor acknowledged in our meeting (just the two of us) that:
1. We had told him about the security gap. It was not something he had “found”.
2. Our project plan already included the necessary action.
3. We didn’t have the resources to complete the action earlier than in the plan. Internal audit refused to recommend that we hire additional staff or consultants to accelerate the project.
4. The plan correctly prioritized all the actions we should take to complete the ACF2 implementation. In other words, the actions scheduled before this one were of a higher priority.
5. Our reports to top management already communicated where we were and what remained to be done.
However, the audit manager decided that the report should go out with the language in the draft. None of the five points would be mentioned. I was told that we could include them in our management response.
So I drafted a response that said all…
