No matter what role you play in the audit process, the experience can be painful. If you’re an external consultant, you have to work with clients who have limited budgets and high expectations. And if you’re an internal IT/security auditor, you might have to wade through a sea of internal politics to get your work completed and pass internal audits.
In this blog post, I describe the 3 most common audit issues I’ve faced over the past 15 years and share some tips that have helped me be more successful in conducting external audits. I hope they will help you overcome similar challenges you are facing in your work.
1. Lack of communication undermines your work.
If the organization you are auditing doesn’t understand the scope and purpose of your audit program, you risk creating an environment in which the people you’re interviewing become less helpful and more tight-lipped with their answers — even to the point of being hostile. Here are some ways to avoid this trap and develop a healthy, trusting work relationship instead:
- Avoid techno-babble; it just leads to confusion and lost opportunities. As an auditor, you’re probably super comfortable with all the acronyms and jargon that go along with your line of work, but don’t assume that your clients are. As you ask your audit questions, remember to keep them in simple terms whenever possible. You could be asking extremely technical things from staff members who aren’t extremely technical. If you ask something and get a room full of blank stares, try explaining it a different way or using an example. For instance, when I ask about a firm’s network perimeter protections, I don’t mention things like “IDS/IPS” and “next-gen AV.” Instead, I start with something like, “Tell me a little about your firewall — is it just doing traditional blocking or does it include more advanced technology that does extra things like scanning for viruses or blocking people from viewing certain websites?”
- Make friends with IT and security staff. On many of my audit engagements, my initial conversations are with a C-level business executive, but the bulk of the actual assessment is done with a member of the IT or security staff. Understandably, these folks can feel threatened and get a little defensive when they have to explain to a stranger how the network is architected and secured. The two best ways I’ve found to ease the tension are kindness and food. Bring donuts to your first meeting with the client’s IT/security department. As conversations get rolling, provide some assurances like, “Just to be clear, my job here isn’t to criticize the work you’re doing. I want to work together with you to identify risks and then help you make a remediation plan. And I want to hear your insights about what this company needs to better protect its people and data. Maybe you’ve wanted a SIEM and the security automation capabilities that come with it for years but nobody will listen. Part of my job is to support you and echo these types of requests to management. Ultimately, I want to try to get you some of the things you want.” Once the team sees you are on their side, your questions will be answered with more honesty, the audit evidence will be more accurate, the audit quality will be higher, and everyone will get more value out of the assessment.
2. Scope creep costs everyone time and money.
Once an audit starts, it’s easy for discussions to get off topic and before you know it, you’re spending time talking about and working on things that are out of scope. It’s natural to want to help, but after a while, you will likely find that all these extra little pockets of time can cost you and the organization you’re auditing a lot of time and money.
Know that there’s nothing wrong with defining your scope — and sticking to it — during an engagement. Since most organizations have to comply with one or more regulatory standards (the Sarbanes-Oxley Act, PCI, HIPAA, GDPR, etc.), use that to set the internal controls of the organization as your compass. It will help guide your work and keep everybody on task and on track.
If the client insists on asking for your opinion and time on out-of-scope items, clearly they value your expertise. Explain that any questions out of the initial scope qualify for a new project, which will cost additional time and money, especially if your audit fees are billed by project. Make these kinds of requests easy on clients by having a change order form on hand so they can approve the additional hours quickly. That way, it’s a win for everybody.
3. Audits that are full of shame and blame are demeaning and unproductive.
I think it’s easy — and tempting — to write your audit assessment with a scathing or accusatory tone, thinking that if you fill the report with enough high severity findings you will get management motivated to start remediating things. Instead, what often happens is the IT/security staff (the responsible ones who are actually trying to make things better) get reprimanded for your findings, their team morale takes a hit, and everybody suffers audit fatigue from your thousand-page report.
Instead of focusing on reprimands, focus on remediation. At the end of the day, most companies know they have issues, and they’re looking to you for help and guidance. One deliverable I include with every audit is a security action plan that offers remediation guidance for each identified risk, along with the expected time and costs. That way, clients can couple the detailed audit report with the security action plan, and essentially have a playbook they can follow to actually make the organization better! That’s what we as consultants and auditors want for our clients and organizations, and that’s why we got into the audit profession in the first place, right?
Unemployment in the audit industry remains extremely low, and the pool of IT and security auditors is only growing larger. If you’re an auditor, that means you will have to work even harder to differentiate yourself in the market. I hope this information helps you increase your effectiveness and ensure your future audits have a positive impact while staying within scope and budget. Most of all, I hope it provides a great deal of value and makes your organization more secure.