How to upset and annoy compliance auditors


Compliance auditors may be the last people your team wants to see, but they have a job to do, and there are ways you can make it easier for everyone involved. Much of it comes down to common courtesy and being prepared, but too often organizations fall short in these simple duties, writes Ericka Chickowski at Dark Reading. There are three mistakes IT professionals commonly make when they face a compliance audit.

Shielding oneself behind jargon can deflect unwanted inquiries in some cases, but not in the case of a compliance audit. Using big words can make you look like you're showing off or trying to baloney your way through an audit, warns Glenn Phillips, president of audit firm Forte Inc. It can also make an auditor wonder what you might be trying to hide.

"My biggest pet peeve as an IT auditor is when network administrators, developers, or any other positions that are more technical in nature attempt to undermine my technical knowledge," says Andrew Weidenhamer, audit and compliance practice lead at SecureState. "Because the developer assumes that I am technically inept, they think that they can give me a low-level answer [to] confuse me to believing that they know what they are talking about. Unfortunately for the developer, I used to be a penetration tester and used these types of vulnerabilities to break into organizations, which, in the end, simply makes the developer look silly."

A second way IT departments tend to annoy auditors is by providing inadequate documentation or questioning the auditor's information requests. Auditing requires written records, so activities have to be documented, and policies have to be written down and readily accessible. The more helpful you are in getting auditors the information they request, the smoother an audit will go. Arguing with them isn't likely to help your case.

Finally, holding back information, being vague or trying to change the subject will only serve to spur most auditors to work harder, cautions Weidenhamer. "What the organization doesn't understand is that any good auditor is going to do what is necessary to uncover what is needed for the audit. This is true even if this means talking to six more individuals or collecting 35 more pieces of evidence," he says. "Not being forthcoming can not only cost the organization more in the long run, but also further inconvenience organizational personnel as no one likes to be audited."

For more:
- see Ericka Chickowski's article at Dark Reading
