Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Patrick Foley

Security and Audit – BFFLs? Maybe not, but…

Fortunately, the auditors who originally reviewed my proposal vetted it thoroughly, so no new issues were identified, but I was gratified to see how insightful and animated many of the attendees were.  Despite a belief among some in security and business circles that auditors are meddling outsiders who get in the way of organizational success in the pursuit of “gotcha” findings, I have noticed almost universally that, once engaged, many auditors do see themselves as contributors to corporate solutions.  More importantly, I have had tremendous success partnering with audit teams in my current role and in prior jobs to develop and deliver reasonable and effective controls.  Giving auditors a stake in your success is also an excellent way to improve ratings at your next review.

When engaging auditors, we have always been clear that we know our processes and controls are not perfect and that we are looking for an opportunity to improve them.  We have also benefitted by openly discussing our current control and process shortcomings and why they concern us.  That disclosure demonstrates that we know our environment and are not trying to hide issues from the auditors.  While no defense lawyer would ever let us get away with such self-incrimination, attempting to gloss over those weaknesses and hoping the auditors do not notice will likely fail on two counts.  First, there is a good chance the auditors will find the weakness anyway, so you will still have a finding, but you will have had no opportunity to initiate a dialogue that presents the issue in a reasonably supportive context.  Second, if audit happens not to find the breakdown, you will have lost any leverage with your organization to enhance the control or process more strategically.


2 Comments

  1. Darian Dunn CISA, CI Nov 21, 2008 at 1:58 pm

    I have been on both sides of the equation. I have a CISA and a CISSP. I started life on the IT Security side and then went to work for the big4.

    I always thought that this was a well-understood principle, but as I look for a new position, I find that this idea of Auditor and IT Security being friendly is not well understood.

    Organizations that worked with me when I was auditing them benefitted from the relationship. I was able to point out the areas that they knew needed fixing and didn’t have the budget to fix.

    The groups that tried to keep me at arm’s length were looked at with a magnifying glass because we assumed that they MUST be hiding something large, or they don’t know their environment, or sometimes both.

    Auditor being Auditor and IT Security/Engineer being what they are, I suggest finding someone with both skills to sit in between and manage the relationship, find data and get the auditors what they need and on their way. It saves money and can turn a bad audit finding into something more useful.

  2. Pat Foley Nov 25, 2008 at 1:54 pm

    Thanks for your comments, Darian. I actually do play that “sit in between” role now, and the collaboration has paid huge dividends, though I’m not sure the detente will survive the current economic upheaval as our company cuts costs.
