The myth du jour: When the auditors are heading your way, Darth Vader’s march music should accompany them as they make their way down the halls.
Audits are scary. If you're not prepared, there are obvious reasons to be afraid. (Or is it that there are many and none are obvious?) If you are prepared, it probably means that you are the type to worry anyway and someone coming to check off a list where you may have missed something is scary. So don't take this to be some Zen notion of “just go with it.” A bit of anxiety about audits only means you are sane are you are paying attention. But much like getting shots make some kids (and adults) afraid of the doctor, don't confuse a healthy fear of an audit with a fear of the auditor. Neither the doctor nor the auditor wants to hurt you – Steve Martin’s portrayal of dentists notwithstanding. In fact, the auditor can be your best friend if you play your cards right.
Think about it a moment. What does the auditor want and what do you want? They want tight, effective controls over privileges. YOU want that, too. They want clean, complete, accurate, tamper proof records of activity. Again, you want that, too. They want to be sure all regulations, external and internal, are both woven into the rules of play at your organization and clearly related to the controls and records you keep. I'm guessing that you want that, too. When you have that much in common with someone, why is that you would run away when they approach? Oh yes. I forgot. You run away because you don't have all that and they are expecting you to have it. But are they? Do you think they really expect to find you in some state of perfection? Even if they are – why are you less than perfect? Is it because you didn't try hard enough, or because of some limit that’s been put into your abilities to comply? My guess is that if you're taking the time to read this, you're not in perfect compliance because of limits outside of your control. That means you don't have a problem with the auditor. It means you and the auditor have a common enemy. And who is the enemy of my enemy? Your friend the auditor doesn't need to be the stick that beats you for non-compliance. The auditor can be the stick you use to beat the folks keeping you from the compliance nirvana you know you could lead your organization towards if they only gave you the right tools for the job.
So maybe the auditor does deserve to have Darth’s music playing as they walk down the hall. But don't be some scared little Ewok. You can be a young Jedi who has faith that there is some good in the scary dude in the big, black cape. Use the force of compliance to lead your little IT fleet to victory.