30 Days of Compliance Q&As #21: How Much Access Should I Give My Auditors?

The auditor’s perception of your readiness – or lack thereof – can heavily influence whether you pass or fail your audit. Prior to the onsite visit, request a list of exactly what information and reports the auditor needs, as well as who they want to speak to. This will allow you to represent you and your company as efficient and organized.

So once you’ve lined up your people and identified the systems, how much access should you give to your auditor once they’re on site? If you give too little access, they get suspicious … if you give too much, they start snooping into things beyond the scope of the audit. You need to walk a fine line by providing just enough access to satisfy the requirement. This is probably a case where you don’t want to overdo it.

If you have implemented a SIEM/Log Management solution, your audit should be pretty easy. A mature solution should have a suite of compliance reports, the ability to group assets subject to compliance regulations and full role-based access control.

Below is AccelOps’ role management screen. You need to simply create a user account for the auditor and add it to the auditor group. You can fine-tune what the auditor group can see, edit or execute.

Tips for a successful audit:

1. Identify what reports, dashboards and assets you would like the auditor to have access to.
2. Create a user account for the auditor in your SIEM/log management solution and place it in the auditor group with appropriate permissions to access the aforementioned items.
3. Provide the portal access and login information to the auditor.
4. Extra bonus: Show them around the interface (it will save you valuable time, money and energy)