Documentation and Auditors
I was involved in a discussion with a few close friends and colleagues of mine last week where the subject of 'documentation' came up. Just to give you an indication of what business disciplines were around the table: 1 x lawyer, 3 x IT gurus, 2 x project managers (IT and Civil), 1 x business analyst, 1 x business process consultant (BPC) and myself (GRC). The subject came up due to 2 of the IT guys being hammered by an external audit performed on their division. The refrain was: 'Auditors, what do they know? It is not a perfect world!'
To my surprise, everyone agreed except for myself and the lawyer. When we asked for more information, which they saw as 'the Spanish Inquisition', it turned out that the auditors had requested documentation. Needless to say, there was 'some', not 'much', but 'some'. When pressed for the meaning of 'not much', it turned out that the documentation was a Visio diagram. That's right, a 'picture'. When asked what the picture showed, it came out that there were diagrams showing how the systems were placed or located on the network, including all network devices. When asked 'Do you know what the systems do? Does your subordinate? Does your manager?' the answer was 'Yes, should hope so, will ask if they don't know.'
From an auditing perspective this is foolish. Why? Simply put, documentation saves you from all types of unpleasant experiences in life. Let's take two examples:
- You have a contractual problem with a person, so you go to a shark, oops, a lawyer. What does he ask for first (other than money)? Yep, you got it: paperwork, proof so to speak.
- You need a loan, so you go to the bank. What do they ask for? Yep, your salary advice slip and your monthly expenses (unless they are loan sharks, in which case they ask whether you have insurance, just in case you default).
Simply put, no documentation gets you nothing.
Back to auditing. Simply put, if it is not written down, it does not exist! Auditors work with proof, evidence, or better still 'show me the money', and yes, while a picture may be worth a thousand words, a network diagram does not show 'Who, What, Where, When, Why and How': who owns the system, what it does, where it runs, when it was changed, why it exists and how it is operated.
So, when thinking about documentation, think about what you will need to prove that you did your job!