Home > Information Security > 10 Things Your Auditor Isn’t Telling You

10 Things Your Auditor Isn’t Telling You

June 24th, 2009

This is NOT intended to be a mean and/or overly cynical post. By no means do I imply that auditors are bad in general, in fact I have been one and still do audit and compliance work today. But there’s some unspoken truths that I’ve encountered over the years, from both sides of the fence. Things that people think and won’t say, and some common circumstances that are just a fact of life in the world of auditing and regulatory compliance. Here goes.

  1. I am actually just following a checklist. And that’s that.
  2. I do not understand the technology I am auditing. This is really common, and it shouldn’t come as a surprise. Too many technologies, not enough technically skilled people in audit.
  3. The well-dressed, experienced greyhairs came in and sold this deal, but I graduated from college 8 months ago and went through ( E&Y || IBM || Deloitte ) auditing bootcamp. And numbers 1 and 2 on this list are present, too.
  4. Most firms are really incentivized to help you pass. Why? Because in many cases, you can fire them and get a new  firm that is “easier” on you. This is not a universal truth. But it’s a big business, and no firm wants to get a reputation as “very difficult”. Leading us to…
  5. Show me a viable set of compensating controls, and I’m liable to pass you. Or at least get you a neverending series of extensions. This could be exactly the right thing. Or not (if #1 and #2 are in play). They have to be reasonable though. (See #10)
  6. Auditing standards suck. Although ISACA and other organizations are trying really hard to help with this, try finding a commonly-accepted auditing standard for Cisco ASA Firewalls, or Ubuntu servers. Lots of random sites, some more well-known than others, but still no universal standard.
  7. Compliance regulations suck. They are almost all poorly written, vague drivel with 50 pages to somehow ambiguously describe one central point. PCI is much better, but still lots of grey area. This, combined with #6, leads us to…
  8. You can’t have it “your” way. I’ll work with you, in a polite and professional manner. All part of the schtick. But at the end of the day, I’m following my auditing methodology, with my particular interpretation of things, and whatever skills and knowledge I bring to the table. So yes, it’s all about me.
  9. I know more than you. The antithesis of numbers 1, 2, and 3 on this list. Sometimes auditors really do know a LOT about an area or areas, and they can really guide you. Two problems usually occur here. First, egos get in the way. Major gender in IT? Male. Do men stop and ask for directions often? No. Second, money and time. Auditors can be educators, sure. But most of the time, they’re there to gather information, provide a report with recommendations, and then check back in. They’re usually billable, and many organizations aren’t paying them for a huge number of training hours.
  10. Covering my ass is my major goal. No auditing firm will forget the lessons of Arthur Anderson. Although some firms may still be less-than-ethical, most are 100% aboveboard and will pester the everlasting crap out of you to get enough detail to justify audit results and recommendations. This is ultimately a great thing for everyone, as audits are probably more thorough. But no one likes to admit this.

And here’s a bonus:

  • I know you probably don’t like me. And that’s a shame. Better communication and collaboration with auditors would go a long way toward improving audits, controls, and likely security as a whole.
Categories: Information Security Tags:
  1. June 25th, 2009 at 06:37 | #1

    What a good description… of my actual job. Great post.

  2. June 25th, 2009 at 08:33 | #2

    MHO on point 2; this needs to change and improve, it would help if the auditor has basic awareness of the area he is auditing. I have come across auditors having Mechanical Engg. background come for ISO27001 audits.

    pt. 6 & pt. 10 are also very important.

  3. June 25th, 2009 at 12:17 | #3

    Rather than vomit all over your comments, I posted a reaction to your entry. Feel free to respond here, as I’ll pop back in! 🙂

  4. Greg
    June 26th, 2009 at 06:08 | #4

    #4 – I have had much experience with auditors here. When the auditor’s company also does your books and has many other contracts in place he has to #10 and #4.

  5. Garry
    June 26th, 2009 at 07:07 | #5

    Those are interesting points, and I don’t agree with more than half of them. As follows.

    1) Auditors and their proficiency and experience are as varied as the Cisco engineers, IT managers, security practitioners, and Windows admins whose stuff is being audited. Some good, some not. Most just trying to make the best of an ever-changing business and always new technologies.

    2) I use a checklist. Just like you do when implementing your systems. Otherwise we’re “making it up” and “winging it” right out of our own heads. That’s usually bad for IT systems work, and it’s ALWAYS bad for business.

    3) You hate me. That’s part of my job.

    4) If I wasn’t around the IT industry would slack-off to its previous abysmal and unconscionable neglect of IT systems security. It’s not just firewalls and IDS, blokes! It’s management processes, contingency, backup, policies, and the rest of the stuff that every other part of a business is required to do. But experience shows that if us auditors back off, you IT managers and implementers will willingly and happily drop the ball.

  6. admin
    June 26th, 2009 at 08:06 | #6

    @Garry
    No one is arguing that auditors aren’t important. Or that checklists aren’t OK. It’s the subjective nature of it all that is really the problem, and lack of standardization in skillsets, etc. Your #3 is really a part of the issue, too – we shouldn’t hate audits and measurement of performance/compliance/etc, nor the people who do the measuring.

  7. July 8th, 2009 at 10:32 | #7

    @admin

    Why doesn’t anybody like us auditors???

    Other than that, I agree with Garry on the need for checklists and the like. It’s just that you mentioned that the subjective nature is a problem. The biggest thing about audit is called “professional judgment”. At the end of the day, accounting and auditing standards and all the checklists in the world cannot be compehensive and exhaustive. They have to be weighed in with a whole lot of judgment, more than most people think.

    I know I just glorified my number crunching job but really, it is what it is.

  8. July 10th, 2009 at 21:03 | #8

    As a security audit company we understand the sad truth is that Dave is right on. Now we have a new data point for the list: we were recently notified that we were being “reviewed” by a security company review site that is really just a front for a company that sells IT audits. So not only do you need to really do some due-diligence to select a good audit firm, now you even have to question your sources when you are doing your research. Here is what we found.

    http://www.redspin.com/blog/2009/07/10/taking-the-ethical-out-of-hacker/

  9. Jos
    July 13th, 2009 at 07:54 | #9

    Great article, and it highlights a lot of the issues extant today with the audit industry, particularly as traditional finance-style audit companies attempt to take on PCI and SOX auditing, where you can’t just have a little IT knowledge and follow a checklist, you really need to understand the technology. #5, for example, is really bad when coupled with #2, which allows companies that are good at snow-jobbing their auditors to get away with stuff. This, in turn, creates problems for companies that really do have legitimate compensating controls in place (sometimes this *is* OK, after all).

    RE:hating your auditors, one of the things I like to remind customers is that they shouldn’t hate me, if I’m doing my job right. If my report is good, then the customer looks good. If the report is bad, it’s a chance for the customer to use the report to justify the fixes to their environment that they’ve had trouble justifying to management on their own. The only time they might really hate me is when they’re actually not doing what they’re supposed to, and that’s really no one’s fault but their own, isn’t it?

  10. September 10th, 2009 at 03:36 | #10

    To a skilled practitioner checklists are gold to make sure things aren’t missed. It also gives your interviews more structure. In the hands of an untrained consultant, they are poison. I loved making the transition from auditor to security consultant. You gain a lot more respect as a trusted advisor, not someone just looking to nit pick and point the finger.

Comments are closed.