Audits are not typically seen as positive to organizations since performance as to their technical and or financial operations appears under inspection. The fear attached to audits can be reduced by selecting an auditor who acts as a business partner, ally and educator. Below is a short checklist against which you can choose an external auditor before engaging them.
Diversity -- Has the organization providing the audit performed a variety of audits, such as HIPAA, Sarbanes Oxley, PCI DSS and FSA? If not, this may indicate an auditing firm that is more of a niche provider. While this can be beneficial in some cases, it does reduce the expertise of the auditor to adapt their findings against unfamiliar territory. If your organization is subject to more than one regulation, retain an auditing firm that has a diversified practice or whose audit staff has worked on a variety of audits over a period of time regularly.
Background -- Request the organization's auditors' resumes. Examine the years of experience the auditors possess; this can also reveal if the auditor has a previous background in IT operations. Most of us understand that everyone must start somewhere and in some cases, you may be assigned an auditor who is in the beginning of their career. While permissible, require a senior-level auditor as a shadow. This will ensure the beginner stays on-track and provides you with comfort that findings have been vetted against someone with experience.
Auditors who have an IT operations background are of value since they can be more objective in recognizing compensating controls. They will not require every single control or countermeasure in the audit checklist be accounted for. In the case where additional controls or countermeasures are required, they can suggest solutions to identify gaps. In this role they are an educator.
Samples -- Request samples of all documentation used throughout the lifecycle of the engagement. This can help you understand if the organization is working from a customized or boilerplate template. While boilerplate templates have their place, they can result in a more stringent approach if competing regulations are not considered. Say for instance the boilerplate is ISO-based; while ISO is broad enough to cover most organizations around the world, it is not prescriptive enough to address PCI DSS requirements. As mentioned at the outset, one of the roles of an auditor is being an ally. Your auditor becomes an ally when they have the tools that will compliment additional compliance requirements as it can reduce conflicts which may occur between regulations.
The final report is of importance as well because it will become a historical artifact against future activities and findings. Reports that do not differentiate against informational as opposed to critical findings are not helpful. The report should be developed in a manner that enables you or anyone else to easily identify actionable items which require immediate attention.
Vocabulary -- Have a clear understanding of your organization's internal definition culture. Definitions can sometimes vary depending on locale, experience or organizational culture. This is important when choosing an auditor as vocabulary mismatch can taint the findings of audits. You must ensure terms communicated to the auditor are aligned to the operations of your organization.
Understanding how well the auditor understands vocabulary is equally important. There are distinct differences between authoritative artifacts and informational artifacts. If your auditor cannot differentiate between a standard vs. a procedure vs. a FAQ, the outcome of your audit will undermine future audits. Why? If the auditor certifies that a FAQ is a standard that you don't really have, you will have a gap for that standard when a more knowledgeable auditor arrives.
Prior to the start of the audit, agree on what the various information artifacts you provide mean to you and your organization. Policies are fairly straightforward; however standards and guidelines can mean different things to different organizations. If the audit organization does not align but agrees, ask them to note this as a finding in the report. This is where they fulfill the role of a business partner.
The goal of the auditor is to provide assurance of business related operations and offer opportunity for improvement. When chosen well, they can reduce your organization's operational footprint.
Ravila Helen White is an information security strategist with Business Model Inc., and formerly headed up the information security programs for The Bill & Melinda Gates Foundation and drugstore.com.
Send comments on this technical tip firstname.lastname@example.org.