Discussions with Internal Auditors are always interesting, particularly when deciding what to audit next year. Do I go for areas where I know there are problems and want help to come up with solutions - but do I really want the solutions to come in the form of a 22-page Audit Report with numerous recommendations and get hauled in front of Audit Committee for obviously being incompetent? Or do I pick areas where I don't think there are any problems - but then still get a 22-page Audit Report with... and you can guess the rest. Or (more fun) do I pick areas where I think the Auditors will be totally clueless and we can run rings round them? Yesterday we went through a number of areas and came up with about 6 areas from which they'll pick 4 (4 audits a year is just not fair...). Data Security/Information Leakage will almost certainly be the main one - should be fun. One of the things they want to know is what controls we have in place to stop users connecting portable storage devices (such as USB sticks) to PCs and laptops! Well, that will be an easy one to answer.
Looks as though we might get an audit on our Green IT policies as well - I'm not too bothered about that one as I think we're fairly good on that. My mission at the moment on this topic is to stop people printing stuff - I am amazed by how much paper we use. People still print documents out which have been emailed to them and file them (perhaps if I ban filing cabinets in the department...). We run a perfectly good electronic diary, and yet I see people with printed copies of it - in colour. And as for papers for meetings - don't get me started on that one again!