Survival Kit
Story by Nigel Stanley, 01-11-2008
When auditors are in the building, life can be tough for the database administrator flying by the seat of their pants. But a due diligence audit needn’t be a huge ordeal. Here are some tips to see you through.
One of the most exciting events for any business is a successful trade sale to a friendly purchaser. Many small and medium-sized private business owners plan for their exit when they start their businesses, and the chance to reward what can be many years of effort in the form of a payment for shares is a good way to end a project.
Unfortunately, many of today’s businesses are subject to hostile takeovers as a result of business failures. In these less pleasant times, the pressure is still on but the outcome not always so good. Other businesses may be looking for funds as part of a growth strategy. Whatever the reason, potential investors or acquirers will want to conduct technical due diligence. This ensures that IT systems are up to scratch and capable of supporting the business, and that the IT systems are not about to collapse and bring the company down.
As a database administrator or IT manager responsible for database systems across a business, what can you do to make the due diligence experience as painless as possible? How can you avoid the wrath of shareholders when the company valuation is driven down because your database server crashed just before the deal was signed?
Be Prepared
This month I will share my experiences of working with investment companies and prepare you for the day when your systems are subject to a due diligence or audit review. As a reader of Server Management you probably have a good grasp of the latest trends and best practice guidelines for IT systems.
However, if you are running around like a headless chicken trying to keep the databases up and running minute by minute, you can be assured that the audit process will be tough.
Auditors may only warn you a few hours or days before they arrive; the most you’ll get is a couple of weeks’ notice. As many business transactions happen quickly, the interested parties won’t want to delay getting the deal signed just to give you time to get your act together.
As soon as you know that an audit is in the offing, you need to work out what the objectives are for the process and how long has been allocated. Some due diligence audits can be completed in a few days; others can take months. The duration of the audit depends on the nature of the business activity and often the size of the investment. If you are looking at second- or third-round funding from an incumbent investor, the audit could be very short.
The next step is to try to contact the audit team. This way you can judge the type of people that are coming in and the approach they are likely to take. It is perfectly reasonable to request an agenda so that at least you know what resources to make available on what days. Putting your database administrators on standby for two weeks when they are not needed is wasteful and stressful. If possible, speak to the lead auditor and try to understand what makes them tick. Are they experts on SQL Server or are they generic database people? Do they have a nose for detail or are they just working through a checklist automatically? Are they a bunch of college interns or seasoned professionals?
Once you have gained some understanding of the audit people, you can start your planning. Most audits will take the route of people, technologies and processes.
People
These are the lifeblood of your IT team. Without a group of good people behind you, the quality of your database environment will suffer. Even if you work alone, you’ll need some kind of support. Decide which members of your team need to be made available for the audit and make sure they are fully briefed. Don’t expect your junior staff to fly by the seat of their pants. If staff members are expected to work with the audit team directly, make sure they know what can and can’t be said and done. In some cases you may want a chaperone available to sit in with some staff to help them through any technical interviews.
Book a quiet room or area for the audit team to work in. That way you can shut the door and prevent unnecessary wanderings – audit teams are auditing from the minute they arrive to the minute they leave your building. I am not suggesting they are spying on you; rather they are taking in the atmosphere and environment around them to gauge how professional it is.
Technologies and Processes
Here we get to the meat of the discussions. The audit team will want to know everything about your setup from networking through to server configurations through to database usage statistics. It can be extremely embarrassing when a database administrator has to keep leaving the room to get more information or details in order to answer a question. On the other hand, it is impressive when they have prepared the required data and diagrams and can refer to them effortlessly.
Don’t forget, as soon as an auditor smells blood they will push you in a certain area. A good example could be database security. They will start off talking about patches and updates and then move on to issues such as patch testing, code security and data encryption. All the time they will be gathering information as well as searching for any weak spots. If it transpires that you are running an insecure database server, and have not even changed the default administrator password on SQL Server, you will look very silly. On the other hand, being able to provide full and effective documentation in support of your database security, backups and table structure will win you brownie points. If you have pulled the documents together at the last minute in response to the audit, and in fact you don’t have a documented backup plan, you will be found out.
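The weak spots listed above are exactly the ones worth checking yourself before the audit team does. The following T-SQL is an added example, not part of the original article: a read-only self-check that any SQL Server administrator can run against their own instance. It uses only the catalog views and server properties that ship with SQL Server 2005 and later; seeing password hashes (and therefore the blank-password test) needs CONTROL SERVER permission, which a DBA normally has.

```sql
-- Added example (not from the article): a pre-audit self-check for the
-- points an auditor will probe first. Read-only; needs CONTROL SERVER to
-- see password hashes in sys.sql_logins.

-- 1. Authentication mode and patch level. windows_auth_only = 1 means
--    SQL logins (including 'sa') cannot be used at all.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only,
       SERVERPROPERTY('ProductVersion')           AS product_version,
       SERVERPROPERTY('ProductLevel')             AS service_pack;

-- 2. The built-in administrator login. The expected answer is
--    is_disabled = 1, or at least a rename and a recent modify_date.
SELECT name, is_disabled, modify_date
FROM   sys.sql_logins
WHERE  sid = 0x01;   -- 0x01 is always the sa principal, whatever its name

-- 3. SQL logins whose password is still blank. PWDCOMPARE returns 1 when
--    the supplied clear-text value matches the stored hash.
SELECT name
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- 4. SQL logins exempt from the Windows password policy or from expiry.
SELECT name, is_policy_checked, is_expiration_checked
FROM   sys.sql_logins
WHERE  is_policy_checked = 0 OR is_expiration_checked = 0;

-- 5. Everyone holding sysadmin. Each row needs a written justification.
SELECT sp.name, sp.type_desc
FROM   sys.server_role_members rm
JOIN   sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN   sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin';

-- 6. Surface area: these should normally read value_in_use = 0 unless a
--    documented business need says otherwise.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries', 'clr enabled');

-- 7. Per-database settings the security and DR discussions will both
--    touch: recovery model (log backups possible?) and TRUSTWORTHY, which
--    should be 0 because it lets a database owner reach server scope.
SELECT name, recovery_model_desc, is_trustworthy_on
FROM   sys.databases
WHERE  database_id > 4;   -- skip master, tempdb, model and msdb
```

Run it, save the result sets with a date stamp, and you have both a to-do list and a piece of evidence to hand the auditor on day one.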
Some auditors may ask that you issue them with a database login and allow them to dig around in the systems to see what is going on. Be cautious – a couple of finger slips can result in severe damage to the database. It’s much better to sit down with them and have an experienced administrator drive the keyboard and help steer the auditor through their questions.
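If the auditor insists on a login of their own, the middle ground is an account that can read but not change anything, expires with the audit, and has every statement it runs recorded. The script below is an added example and not from the article; the database name SalesDB, the login name, the file path and the table and column in the column-level DENY are placeholders. SQL Server Audit requires SQL Server 2008 Enterprise or any edition from 2016 SP1 onwards, and ALTER ROLE ... ADD MEMBER requires 2012 or later (older instances use sp_addrolemember).

```sql
-- Added example (not from the article): a read-only, time-boxed and
-- fully logged login for an auditor. SalesDB, audit_reviewer, the audit
-- file path and dbo.Customers(CardNumber) are placeholders.

USE master;
GO

-- 1. A SQL login bound to the Windows password policy; the auditor must
--    set their own password at first use, so nobody else ever knows it.
CREATE LOGIN audit_reviewer
    WITH PASSWORD = '<one-time password handed over in person>' MUST_CHANGE,
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = SalesDB;

-- 2. Server-level visibility only: configuration, DMVs, object text.
GRANT VIEW SERVER STATE   TO audit_reviewer;
GRANT VIEW ANY DEFINITION TO audit_reviewer;
GO

-- 3. Record everything the login does, to a path the login cannot reach.
--    ON_FAILURE = CONTINUE keeps the business running if the disk fills.
CREATE SERVER AUDIT auditor_session_audit
    TO FILE ( FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20 )
    WITH ( QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE );
ALTER SERVER AUDIT auditor_session_audit WITH ( STATE = ON );
GO

-- 4. Inside the database: read-only role, explicit denial of writes and
--    execution, and the most sensitive column withheld outright.
USE SalesDB;
GO
CREATE USER audit_reviewer FOR LOGIN audit_reviewer;
ALTER ROLE db_datareader     ADD MEMBER audit_reviewer;
ALTER ROLE db_denydatawriter ADD MEMBER audit_reviewer;
DENY EXECUTE TO audit_reviewer;
DENY SELECT ON OBJECT::dbo.Customers (CardNumber) TO audit_reviewer;  -- placeholder

-- 5. Log the auditor's reads, any attempted writes, and schema changes.
CREATE DATABASE AUDIT SPECIFICATION auditor_db_spec
    FOR SERVER AUDIT auditor_session_audit
    ADD ( SELECT, INSERT, UPDATE, DELETE, EXECUTE ON DATABASE::SalesDB BY audit_reviewer ),
    ADD ( SCHEMA_OBJECT_CHANGE_GROUP )
    WITH ( STATE = ON );
GO

-- 6. Reviewing the session, during or after the visit.
SELECT event_time, action_id, succeeded, object_name, statement
FROM   sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE  server_principal_name = 'audit_reviewer'
ORDER  BY event_time;

-- 7. Removal on the last day, in reverse order. The audit files stay as
--    evidence of what was and was not looked at.
ALTER DATABASE AUDIT SPECIFICATION auditor_db_spec WITH ( STATE = OFF );
DROP DATABASE AUDIT SPECIFICATION auditor_db_spec;
DROP USER audit_reviewer;
GO
USE master;
ALTER SERVER AUDIT auditor_session_audit WITH ( STATE = OFF );
DROP LOGIN audit_reviewer;
GO
```

Even with this in place, the advice in the article stands: have your own administrator at the keyboard wherever possible, and treat the login as a fallback for the auditor who wants to see the raw system for themselves.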
Other processes that will be examined include your quality assurance (QA) and test function. How do you ensure that any stored procedures are efficient and don’t expose a security hole? Often code QA and code security checks are carried out at the same time, probably by the development team. While this may be acceptable for an initial QA check, a formal sign-off process mapped against a test plan comes across as far more professional.
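The security hole most often found in stored procedures is SQL built from caller input at run time. As an added illustration, not drawn from the article, here is that defect beside two corrected forms and a catalog query a reviewer can use to find candidates for a second look. The table dbo.Customers and the procedure names are placeholders.

```sql
-- Added example (not from the article): a stored-procedure defect a code
-- security review should catch, beside the corrected forms.
-- dbo.Customers and the procedure names are placeholders.

-- Unsafe: the caller's text is spliced into the statement, so whatever
-- the caller supplies is executed as SQL. Being inside a stored procedure
-- offers no protection against this.
CREATE PROCEDURE dbo.FindCustomerByName_Unsafe
    @Surname nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Surname, Email FROM dbo.Customers WHERE Surname = '''
             + @Surname + N'''';
    EXEC (@sql);                -- input treated as code
END;
GO

-- Corrected: static SQL with a typed parameter. The value never becomes
-- part of the statement text, and the plan is cached and reused.
CREATE PROCEDURE dbo.FindCustomerByName
    @Surname nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Surname, Email
    FROM   dbo.Customers
    WHERE  Surname = @Surname;
END;
GO

-- Where dynamic SQL is genuinely needed (here, a caller-chosen sort
-- column), whitelist the identifier, quote it, and still bind values as
-- parameters through sp_executesql.
CREATE PROCEDURE dbo.FindCustomersSorted
    @Surname nvarchar(100),
    @SortBy  sysname
AS
BEGIN
    SET NOCOUNT ON;
    IF @SortBy NOT IN (N'Surname', N'Email', N'CustomerId')
    BEGIN
        RAISERROR(N'Unsupported sort column.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Surname, Email FROM dbo.Customers '
      + N'WHERE Surname = @p_surname ORDER BY ' + QUOTENAME(@SortBy) + N';';

    EXEC sp_executesql @sql,
         N'@p_surname nvarchar(100)',   -- parameter declaration
         @p_surname = @Surname;         -- value bound, never concatenated
END;
GO

-- Review aid for the test plan: every procedure that builds SQL text at
-- run time, so the sign-off can show each one was inspected.
SELECT SCHEMA_NAME(p.schema_id) AS schema_name, p.name
FROM   sys.procedures p
JOIN   sys.sql_modules m ON m.object_id = p.object_id
WHERE  m.definition LIKE '%EXEC (%' OR m.definition LIKE '%EXEC(%'
   OR  m.definition LIKE '%sp_executesql%';
```

The last query is the kind of artefact that turns "the developers check the code" into a documented, repeatable step in a test plan.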
With the wealth of tools available with SQL Server, administrators should be able to present a raft of performance statistics, down to as much detail as any auditor is likely to want to see. Basically they are trying to determine whether your application is performing as it should or whether you have bottlenecks that could adversely affect the business. This is especially important if you are supporting an online business such as retail or trading.
Disaster recovery will be scrutinised. All database administrators will be familiar with the need to back up data and often believe their job is done when they see the backup job has completed. Any auditor worth their salt will expect to test these backups and see if they restore. They will also expect to see that the backups are stored off-site. This is where organisations with an outsourced strategy will probably score well as their servers and backups are stored remotely from the main office by definition. They are also likely to be in a secure and resilient site with round-the-clock security. If they aren’t, then expect to be challenged on your choice of hosting partner. Even if your solution is hosted, auditors will expect to see the backups stored away from the primary server site.
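A completed backup job proves only that a file was written. The T-SQL below, an added example rather than the article's own, is the sequence an auditor will want to see evidence of: backup history with locations, a checksum verification, and an actual restore under a different name followed by a consistency check. The database name SalesDB, the file paths and the logical file names in the MOVE clauses are placeholders; take the real logical names from RESTORE FILELISTONLY against your own backup.

```sql
-- Added example (not from the article): proving, not assuming, that a
-- backup restores. SalesDB, all paths and the logical file names are
-- placeholders to replace with your own.

-- 1. Evidence of backup history: newest full (D), differential (I) and
--    log (L) backup per database and the device it went to. A full backup
--    on a local disk with no off-site copy is what will be challenged.
WITH latest AS (
    SELECT bs.database_name, bs.type, bs.backup_finish_date, bmf.physical_device_name,
           ROW_NUMBER() OVER (PARTITION BY bs.database_name, bs.type
                              ORDER BY bs.backup_finish_date DESC) AS rn
    FROM   msdb.dbo.backupset bs
    JOIN   msdb.dbo.backupmediafamily bmf ON bmf.media_set_id = bs.media_set_id
    WHERE  bs.is_copy_only = 0
)
SELECT database_name, type AS backup_type, backup_finish_date, physical_device_name
FROM   latest
WHERE  rn = 1
ORDER  BY database_name, type;

-- 2. Back up with page checksums so later corruption is detectable.
BACKUP DATABASE SalesDB
    TO DISK = N'D:\Backups\SalesDB_full.bak'
    WITH CHECKSUM, STATS = 10;

-- 3. Cheap check: the media is readable and every checksum agrees.
--    This does not prove the database is usable; step 4 does.
RESTORE VERIFYONLY
    FROM DISK = N'D:\Backups\SalesDB_full.bak'
    WITH CHECKSUM;

-- 4. The real test: restore under another name to a scratch location,
--    then run a full consistency check on the result. Logical names come
--    from: RESTORE FILELISTONLY FROM DISK = N'D:\Backups\SalesDB_full.bak';
RESTORE DATABASE SalesDB_RestoreTest
    FROM DISK = N'D:\Backups\SalesDB_full.bak'
    WITH MOVE N'SalesDB'     TO N'E:\RestoreTest\SalesDB_RestoreTest.mdf',
         MOVE N'SalesDB_log' TO N'E:\RestoreTest\SalesDB_RestoreTest.ldf',
         CHECKSUM, RECOVERY, STATS = 10;

DBCC CHECKDB (SalesDB_RestoreTest) WITH NO_INFOMSGS, ALL_ERRORMSGS;

-- 5. Record the outcome for the audit file, then remove the copy; a
--    restored test database should never linger on a production instance.
SELECT name, state_desc, create_date
FROM   sys.databases
WHERE  name = N'SalesDB_RestoreTest';

DROP DATABASE SalesDB_RestoreTest;
```

Scheduling step 4 regularly, on a restore server rather than production, and keeping the CHECKDB output is what turns "we back up" into a documented recovery plan; the off-site question is answered by the device paths in step 1.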
You will also be expected to produce any legal or compliance paperwork. If you are also responsible for maintaining your Data Protection Act registration, you’ll need to make sure that you have your paperwork to hand. You’ll also need copies of audit paperwork relating to checks such as the Payment Card Industry Data Security Standard.
A due diligence audit need not be a huge challenge. If you run an efficient database ship, taking appropriate professional care of the data under your command, you will probably be fine. But if you have put some of these detailed jobs to one side as you cope with the day-to-day business, you will find the audit extremely challenging and very stressful. I know what I’d prefer.