This is NOT intended to be a mean and/or overly cynical post. By no means do I imply that auditors are bad in general, in fact I have been one and still do audit and compliance work today. But there’s some unspoken truths that I’ve encountered over the years, from both sides of the fence. Things that people think and won’t say, and some common circumstances that are just a fact of life in the world of auditing and regulatory compliance. Here goes.
- I am actually just following a checklist. And that’s that.
- I do not understand the technology I am auditing. This is really common, and it shouldn’t come as a surprise. Too many technologies, not enough technically skilled people in audit.
- The well-dressed, experienced greyhairs came in and sold this deal, but I graduated from college 8 months ago and went through ( E&Y || IBM || Deloitte ) auditing bootcamp. And numbers 1 and 2 on this list are present, too.
- Most firms are really incentivized to help you pass. Why? Because in many cases, you can fire them and get a new firm that is “easier” on you. This is not a universal truth. But it’s a big business, and no firm wants to get a reputation as “very difficult”. Leading us to…
- Show me a viable set of compensating controls, and I’m liable to pass you. Or at least get you a neverending series of extensions. This could be exactly the right thing. Or not (if #1 and #2 are in play). They have to be reasonable though. (See #10)
- Auditing standards suck. Although ISACA and other organizations are trying really hard to help with this, try finding a commonly-accepted auditing standard for Cisco ASA Firewalls, or Ubuntu servers. Lots of random sites, some more well-known than others, but still no universal standard.
- Compliance regulations suck. They are almost all poorly written, vague drivel with 50 pages to somehow ambiguously describe one central point. PCI is much better, but still lots of grey area. This, combined with #6, leads us to…
- You can’t have it “your” way. I’ll work with you, in a polite and professional manner. All part of the schtick. But at the end of the day, I’m following my auditing methodology, with my particular interpretation of things, and whatever skills and knowledge I bring to the table. So yes, it’s all about me.
- I know more than you. The antithesis of numbers 1, 2, and 3 on this list. Sometimes auditors really do know a LOT about an area or areas, and they can really guide you. Two problems usually occur here. First, egos get in the way. Major gender in IT? Male. Do men stop and ask for directions often? No. Second, money and time. Auditors can be educators, sure. But most of the time, they’re there to gather information, provide a report with recommendations, and then check back in. They’re usually billable, and many organizations aren’t paying them for a huge number of training hours.
- Covering my ass is my major goal. No auditing firm will forget the lessons of Arthur Anderson. Although some firms may still be less-than-ethical, most are 100% aboveboard and will pester the everlasting crap out of you to get enough detail to justify audit results and recommendations. This is ultimately a great thing for everyone, as audits are probably more thorough. But no one likes to admit this.
And here’s a bonus:
- I know you probably don’t like me. And that’s a shame. Better communication and collaboration with auditors would go a long way toward improving audits, controls, and likely security as a whole.