Top 5 audit questions you should be prepared for

Netwrix sums up auditors’ most common questions to help companies minimize the burden of compliance audits

Irvine, CA, September 1, 2015

According to the 2015 Verizon PCI Compliance Report, around 80% of companies failed to comply with all the requirements of the PCI standard. While some popular frameworks can help companies pass compliance audits more smoothly, many organizations still fail to answer fairly simple questions asked by external auditors. Treating validation tests as a check-box exercise, companies often focus their efforts on creating an illusion of compliance rather than trying to actually fulfil the requirements. Such an approach does more harm than good, as it provides organizations with a false sense of security and leaves them extremely vulnerable to data breaches.

Netwrix Corporation, a provider of IT auditing software that maximizes visibility of IT infrastructure changes and data access, summarizes its clients’ audit experiences and frames five questions that auditors usually ask to determine whether a company is able to safeguard its most valuable assets:

  1. Do you have a documented security policy? Auditors need to make sure that rules and regulations are in place to maintain IT infrastructure security and proactively address security incidents. When evaluating the adequacy and reliability of a security policy, auditors will compare measures outlined in the policy with a company’s internal processes; obviously, those processes should match.
  2. Are access privileges in your organization adequately granted? Since a lack of control over privileged accounts continues to be a main security risk, a company needs to prove that all its permissions are granted in accordance with the existing security policy and employees’ business needs. IT auditors will not only verify who has access to what (and why); they will also check a company’s ability to detect insider misuse or abuse of privileges.
  3. What methods do you use to protect your data? Most existing compliance standards focus on protecting sensitive data, such as confidential customer records. A company should be ready to present reports about its methods of data classification and segregation (e.g., placing data into a 24/7 protected network) and prove that its most valuable assets will not be compromised easily.
  4. Do you have a disaster recovery plan? A well-structured, clear and viable emergency plan that describes what actions to take in case of a security violation significantly increases a company’s chances of passing an external audit. A good disaster recovery plan includes information about employees’ roles and responsibilities, how they should react if a security breach occurs and what they should do to stop data leaks and minimize their negative consequences.
  5. Are your employees familiar with existing security procedures and policies? Practice shows that auditors are particularly interested in the methods a company uses to encourage its employees to follow internal security policies. A company might need to prove that it regularly trains employees and informs them about existing security procedures.

"Although passing compliance audits is vital for maintaining the security of the IT environment, it doesn’t give you 100% protection against cyber threats," said Michael Fimin, CEO and co-founder of Netwrix. "Any compliance audit shows the state of the IT infrastructure at a certain point; however data must be secured during the entire period between validation assessments. Therefore companies need to have complete visibility into what is happening across their most critical systems and establish absolute control over each security component. Only then will regulatory compliance be considered not as a burden, but as an opportunity to improve business processes and strengthen cyber security."

"As the focus of most compliance standards on logging and monitoring is the detection of incidents and after-the-event fact finding, it’s important to have a clear incident response process," states the 2015 Verizon PCI Compliance Report. "If your logging and monitoring provides the visibility compliance standard requires, it is much easier to demonstrate to an auditor that you have a thorough understanding of your environment and answer their questions."

Want to know more about compliance? Please check out Netwrix white paper Compliance Demystified:

About Netwrix Corporation

Netwrix Corporation is a provider of IT auditing software that maximizes visibility into who changed what, when and where and who has access to what in the IT infrastructure. Over 6,000 customers worldwide rely on Netwrix to audit IT infrastructure changes and data access, prepare reports required for passing compliance audits and increase the efficiency of IT operations. Founded in 2006, Netwrix has more than 70 industry awards and was named to the Inc. 5000 list and Deloitte Technology Fast 500. For more information, visit

Social networks:

Netwrix blog

Media contact:

Erin Jones
E.S. Jones Public Relations
Phone: 704.664.2170

Contact us:

Your questions and feedback are always welcome. Please dial our toll-free number, 888-638-9749, or enter your question details here and we will reply as soon as possible.