Beyond these tactical benefits, we have also found significant strategic benefits in working with our audit team. Recently, we determined that we needed better visibility into how our global sites were handling their PCI remediation work. However, since we lacked the staff and infrastructure to conduct these reviews ourselves, we contacted our internal property audit team to determine whether there were synergies between the global work they already conducted and our compliance reporting. I had one of my team members, a former internal auditor, map PCI controls and test methodologies to the audit team’s control matrix, and we determined that with very little additional overhead we could obtain significant insight into a wide swath of our global operations. The cost to us was little more than parsing the individual audit reports for the controls that mapped to PCI.
Further, we had hoped to send a questionnaire to each property for self-assessment but could not get management support to do so. Fortuitously, a few months later, audit decided to undertake a similar effort, and even though its primary focus was on financial controls, they offered to include several dozen security controls at what is effectively no cost to us. We also benefit by not being the group that the rest of the organization, which has to complete the questionnaire, is unhappy with.
2 Comments
I have been on both sides of the equation. I have a CISA and a CISSP. I started life on the IT Security side and then went to work for the Big 4.
I always thought that this was a well-understood principle, but as I look for a new position, I find that this idea of Auditor and IT Security being friendly is not well understood.
Organizations that worked with me when I was auditing them benefited from the relationship. I was able to point out the areas that they knew needed fixing and didn’t have the budget to fix.
The groups that tried to keep me at arm’s length were looked at with a magnifying glass, because we assumed that they MUST be hiding something large, or they don’t know their environment, or sometimes both.
Auditors being auditors and IT Security/Engineers being what they are, I suggest finding someone with both skills to sit in between and manage the relationship, find data, and get the auditors what they need and on their way. It saves money and can turn a bad audit finding into something more useful.
Thanks for your comments, Darian. I actually do play that “sit in between” role now, and the collaboration has paid huge dividends, though I’m not sure the detente will survive the current economic upheaval as our company cuts costs.