In this video, Kip Boyle discusses how to communicate compliance information and improvements in an organization's information security program. Learn how to communicate with auditors about cyber risk work.
- Working with auditors can feel intimidating, but I've found that it doesn't have to be. In most cases you have a lot more influence than you may realize. The audit function is designed to improve an organization's performance; specifically, it's supposed to help an organization improve the effectiveness of the risk management, control and governance processes. Auditors may be internal or external. Internal means they probably report up to your CFO, and you can expect them to know something about your culture and how your company makes money.
An external auditor reports to an outside organization or agency, and they may not know as much about your business model or culture. As a core part of their work, auditors almost always review your policies, relevant management reports and other documents. And sometimes they perform testing of your controls. You will likely get an initial batch of written questions related to controls that the auditors are expecting you to have in place. You will be allowed a certain number of days to respond, often in writing.
Sometimes you'll review your answers with the auditor over the phone or in a face-to-face meeting. You will likely receive follow-up questions a few days later. And this is where difficulties most often start to pop up. The tone you've set to this point and how you act going forward will play a major role in how it all turns out. Those of us being audited almost always struggle with the experience. It can feel awkward to show someone you don't know the inner details of your work. Many people feel a strong sense of anxiety because it seems like the auditor's trying to catch you doing something wrong.
It's not fun. Here's my general advice. From the very start, show the auditors respect and be friendly even if they're not obviously friendly in return. However, do not take orders from them as though they were your boss. It's your job to disagree with them when necessary and even push back when you believe they are wrong. The key is to remain respectful through all your interactions. Despite what you may think, auditors sometimes struggle to do their jobs.
A common challenge for them is to properly interpret a regulation within the context of your operations. And they often fail to fully appreciate how local circumstances affect the generic risks they are examining. Here's a simple example. The auditor may check to see if you monitor system activity to guard against the theft of your customers' personally identifiable information. But, because you've deployed strong encryption on the data, you believe it doesn't matter if someone steals it as they will not be able to decrypt it.
So you believe the monitoring control is unnecessary and a waste of time and money for you to perform, but the auditor won't concede the point, and insists you're deficient. What should you do? First, get advice from your boss. If she agrees, you should challenge the auditor. Remember that confidence and respect can carry you a long way. When you meet the auditor again, be assertive but not belligerent about your reasons for why you believe you're compliant.
In my experience, auditors have more discretion than they'll admit upfront. So don't be surprised if you win. What if they write you up anyway? Always submit a thoughtful management response and stay confident.