Why you do what you do matters. As your institution's compliance or audit leader, you do what you do in order to help the rest of your organization better serve your customers. At FIPCO, that's why we do what we do, too. Our goal is to help you focus on your customers by making information security auditing and risk management tasks meet reasonable requirements while being less time-consuming.
One of the challenges today's institutions face is how to implement reasonable security without breaking the bank. Audits can provide your institution with valuable insights into upcoming information/cyber security trends and accepted control practices. It is not always just what an examiner wants to see, but what reasonably mitigates risk for the cost to implement.
Choosing the right auditing firm is an important aspect of making future exams easier and meeting more than just your regulatory requirements. Ensuring that your controls are based on industry-accepted practices and that they meet management expectations will give you confidence that your information/cyber security program is continuing to mature. When it comes to choosing your auditor, it should be done with care and confidence; select a strong partner to support your organization. When selecting an audit partner, consider the following accepted best practices:
- Skill level – An auditor's skill level should go beyond a predefined audit checklist. Along with industry-accepted certifications, they should illustrate past experience with information technology and information security. What's more, they should demonstrate their understanding of the process, methodology, and results of any testing that they perform. In short, check their track record, references, and client testimonials.
- Reporting – Rather than "exception-based" reports that fail to illustrate what was reviewed, examiners are looking for documentation that illustrates the scope of what was tested. Will your auditor freely provide the work program that documents the areas tested, or specifically list each item audited whether there was a finding or not, and whether they match your scope of work?
- Timelines – Be sure to include a deadline for receipt of your final report that includes a reasonable turnaround time. Once completed, any exceptions should be agreed upon by both you and the audit firm.
- Communication Skills – Audits can be challenging for the organization as well as the auditor, often resulting in defensive staff and territorial issues. Look for someone who offers a level of common sense and can be flexible and responsive to your needs. Although an auditor may possess a high level of information security expertise, they should convey this knowledge to your organization at an appropriate level that is not overwhelming. Consider whether they provide a consultative approach and offer resources to help or are just looking for a list of deficiencies.
- Ask to See Their Work – If you want to see what type of audit report you are going to get, ask to see a template of the structure and sample content. Be sure it reads in a manner that you feel fits your requirements and the audience you intend to include in its review (e.g., Board of Directors, non-technical or technical staff).
One last recommendation: Consider how disruptive each audit is to your day-to-day activities. Can the audit firm work within your schedule, or do they need your dedicated time? Can they work with you in a manner that allows you to respond to questions and gather evidence on a schedule that fits your time, not theirs, or do they take you away from your daily duties for an extended period of time every audit? You will need to spend time working on each review, but do it on your time, not the auditor's.
For more information, please contact FIPCO Director – IT Services, Ken Shaurette at 800-722-3498 or via email.