There is nothing more perilous – in emotion and in practicality – than an audit. It evokes cold sweats in some employees, hair-pulling frustration in others. It is also, arguably, the number one mechanism firms need to routinely gauge the protection they’re offering their employees, intellectual property, privileged information and personally identifying information.
The problem often lies in selecting the right auditor for your company. As The New York Times writes in this Economix blog post the worst offenders are often right under our noses:
“One unfortunate fact about the auditing business is that those who depend on the audit — investors, lenders and customers — are not the ones who choose the audit firm. At the places where an audit is most needed, the people choosing the auditor may be the ones who have the most to fear from a good audit.”
So, when you, an honest person with nothing to hide, are granted the luxury of being a part of the audit selecting team, there are some things you need to know.
Make a list… check it twice. The folks at TechTarget are chock full of informative and easy-to-digest information on security auditing. One of their top tips is to develop a before-, during-, and after-audit checklist. Here are the questions you should be asking, and the steps you should be taking, before you give anyone the ‘go ahead.’
- Who are members of the audit team, and what are their roles and assignments?
- What are the credentials and experience of the assigned audit team?
- What orientation or training can you provide them to be comfortable within the environment?
- Communicate with your managers and staff in the areas to be audited.
- If an area was audited before, review the prior report to see the issues raised and the recommendations made. Get an update on corrections or changes made as a result of prior audit work, and give your staff and the audit department credit.
Many of these questions must be answered internally before you even begin the process of interviewing and selecting an auditor. For more ActiveCare tips on identifying best-in-class auditors, click here.
Location, Location, Communication. You’re going to want to allow your auditor full access to your Information Systems (IS) security and help foster a friendly working relationship with your Information Technology (IT) team. In most cases, face time is crucial in both of these. For that reason, you may want to consider auditors who are local or who have local experts so you’re not burdened with travel expenses on top of auditing fees. If you can find a local auditing firm who understands the importance of solid communication, then it’s a potential win-win. Auditors should be easy to talk with, answer questions or requests in a timely manner, avoid using too much technical jargon, allow employees to continue their work, and be open to working through discrepancies in a solution-oriented format. A my-way-or-the-highway auditor or IT Department head isn’t going to do anyone any good.
Find a specialist and verify their credentials. Once you’ve determined what your specific IT security auditing needs are, you’ll want to find an expert that meets those particular needs. But don’t always take their word for it. Your auditor will have access to, and be handling heaps of, sensitive information, so you’ll want to verify that the information they provide you is true and accurate. That means references, certifications, and examples of their work. Having this information in hand will help you to better compare the list of auditors you’re considering.
Determine your budget. Money shouldn’t be the driving factor in selecting an auditor – after all, one of the reasons you’re hiring them is to protect yourself from fleecing, lawsuits, and theft – but it will probably always be a factor in your decision.
What’s worked for you in the past? We’d love to hear how you found your auditor so shoot us a comment below.