
Know your auditor - and know how to audit

Continuous Professional Development

08:00 Friday, 26 November 2021

UK Cyber Security Council

Traditionally, audit was a financial concept - it was used almost exclusively to ensure that the finances of a business were being run correctly, and that the reality matched the policies, laws and records. These days, the tendrils of audit span a much wider scope, and we in cyber security experience just as much - in fact, probably more - audit activity than any other part of the business.

The other tradition with audits is that they are generally terrifying for the person or team being audited. This should absolutely not be the case. Why, then, are we so horror-stricken when we learn an audit is about to take place?

The main fear is that the auditor is there to catch us out - to ask difficult, probing questions that we weren't expecting, and to dig into systems in inordinate detail to root out evidence of malfeasance. And while that is what often happens, it shouldn't. And we in cyber security need to understand what auditors are supposed to do, and how audits work, so that we can push back on things that shouldn't happen.

Imagine we have ISO 27001 certification - as is the case in an increasing number of organisations to whom security matters. How can we guess what the auditor is going to dig into when they next visit? Easy: we don't have to, because the output of an ISO audit includes a list of the controls that will be looked into at the next audit. You can be confident that next time around the auditor will look at what he or she told you they would, as well as following up on any areas of non-compliance that came up in the latest audit. There really is no excuse for failing an external ISO audit, because part of the regime is to run your own internal audits in the gaps between the external ones, thus giving you the chance to pick up and deal with issues.

As for what constitutes an audit finding - a discrepancy that is called out by an auditor in the formal report - this is another area of fear, uncertainty and doubt. And again, there's no need for it to be so. A formal audit finding states that the auditor has found an instance where a control (a policy or a procedure) wasn't being followed properly, or potentially where there wasn't enough evidence to show convincingly that it was being used correctly. If the policy says that PCs must be signed off by the security team prior to deployment to users, and this isn't happening, that's a formal finding. It's common for auditors to look at how you are dealing with a particular risk and its corresponding control, and to suggest that you look to a particular best-practice guide, but unless you're breaching one or more of your policies, this is merely an observation, or an “opportunity for improvement” (OFI) if you prefer. The auditor may call these items out in the report, but you are under no compulsion to do anything about them; that said, you would be wise to consider them, as they are written with the benefit of the auditor's experience of the other organisations he or she audits.

One way to become less fearful of auditors is to become one yourself. This may sound slightly extreme, but actually it isn't. To be a fully-fledged certifying auditor for the likes of ISO requires you to do a course, pass the exam, then do some supervised audits, and be associated with an accredited audit firm. For your purposes, though, doing the course is enough - because that's where you will gain the understanding of what the auditor should be doing. Better still, since the exam is generally part of the course, why not do that too, as it's great CV fodder?

Audits and auditors should, then, be largely predictable. Sometimes they are not, and if you have the skills and knowledge to see that this is the case, you have the power to do something about it - which may even be to ask for a different auditor (something this correspondent has seen happen twice in recent years for external auditors).

Fear is often founded in a lack of knowledge or understanding. So it should be no surprise that an approach to quelling the fear of auditors is to understand what they are doing, and why.