How to Pass your Audit using Models


I’ve never encountered someone who creates architectural models as a hobby. Such a person might exist, but it’s safe to say that in general models are created out of necessity. We create models to provide insight into complex situations and to enable communication about those situations with stakeholders. Usually those stakeholders are internal, but not always: a process map might be shared with a supplier, for example, so that both sides understand how work is handed over.

Sharing a process map with a supplier is one of the most commonly cited use cases for using models outside the organization, but recently I've run into another, very useful one: improving your chances of passing audits.

Ah, yes, audits, not a word that many people like to hear. They are the bargain inherent in many standards: the organization gets to describe itself as 'ISO 9001 certified', or as managing its IT in line with ITIL or COBIT, and this gives potential customers and other stakeholders, such as investors or regulators, a level of assurance that this is a disciplined organization managed according to expectations. There is a host of organizational certifications out there; some are generic, while others are specific to a particular industry. At the same time, organizations in certain industries, such as banking, insurance and pharmaceuticals, have regulations they must follow. Audits are the standard way of demonstrating compliance with both.

An audit generally works by inspecting documentation of the organization's operations and by interviewing the relevant members of staff. A model is also a form of documentation, and it can convey information very effectively: “a picture paints a thousand words”.

Here are some examples of where a model can help:

Process maps – an obvious area, given that inspecting processes is part of almost every audit, whatever its type. Process maps are particularly useful for showing who is responsible for each step of a business operation and where handovers take place between the actors involved in the process.

Application design – showing the application design is useful when the audit is concerned with separation of data. The most interesting case I’ve seen is Islamic banking in the UAE. Banks that offer Islamic products are required to keep funds in Islamic accounts separate from non-Islamic funds, so that, for example, deposits in Islamic savings accounts cannot be used to fund non-Islamic loans. A model of the application's data stores and the flows between them shows directly where that separation is enforced.

Infrastructure – at first blush you might think infrastructure models have no bearing on audits, but that is not always the case. One use I’ve seen for infrastructure models is to show that the organization has the level of redundancy and failover required for disaster preparedness in its industry (e.g. banking).

Now for the caveats. Auditors are unlikely to be familiar with modeling notation, so the model will usually need to be explained to them; it may even be worth creating specific views for the auditors. If a given model is likely to confuse the auditor, don’t offer it: the purpose of a model is clarity, after all. And once a model is handed to an auditor it becomes evidence, so it must reflect the system as actually built and operated; an out-of-date diagram that contradicts what the auditor finds in configuration or in interviews undermines confidence rather than building it. Used properly, though, models can be an extremely effective way to give auditors a higher comfort level with your operations.

And if you want to know what makes IT Auditors tick, why not check out our handy poster, Concerns of an IT Auditor, down below!