Embrace the Auditor

Following our recent talk hosted by our Chair Dave Cartwright, Dave's May 2023 article encourages us all to embrace the auditors and shows how we can approach audits in a more positive way, to the benefit of our security operations.

Whenever we hear that an audit has been scheduled, it’s time to celebrate. We break out the Champagne and bunting and reflect on what a pleasure it is to open our office to a team of people who will do us a massive service by asking for obscure data items and ensuring we’re not over-burdened with free slots in our usually empty calendars.

Oh, hang about. Actually, I think the opposite might be true. The cry of “Oh, great!” is more of a sarcastic groan, issued through gritted teeth. Because even the least painful audit will take many hours, possibly over a number of weeks, and will generally result in a non-zero number of things to fix (or at least improve).

Let’s take a step back, though, and contemplate how we can make audits a less troublesome and negative experience. Because, believe it or not, it’s a perfectly feasible thing to wish for.

First of all, remember who is working for whom. In the vast majority of cases, it’s your own company that’s paying the auditors (or, normally, their employer) – so don’t be shy about making sure you get decent auditors. On two occasions in my career I’ve been saddled with unsuitable auditors, and both times they were sent packing with instructions to their employers to send someone better. The result in both instances was the arrival of replacements who were much better, with much better attitudes – and in fact one of them has become a friend.

Second, remind yourself that an auditor shouldn’t be hell-bent on giving you a poor audit. They are there to examine the effectiveness with which you’re operating your controls and complying with policies and regulations, and they should do so with an open mind. If you think the auditors are being unfairly biased toward negativity, say something (or exercise your rights under the previous point). They’re not there to roll over just because you’re upset that they find a lot of issues, but they should at least be fair.

Third, you should also be fair. I’ve had ding-dongs (usually fairly polite ones) with auditors when I’ve disagreed with their findings. I’ve won some and I’ve lost some. The ones I’ve won were when I was able to explain the context of why we were doing something a particular way, or how they’d not quite understood something about the organisation which meant things weren’t as bad as they thought. Similarly, I’ve often capitulated when the auditor has explained the reasoning for the finding. Importantly, I’ve also had cases where something has been noted as an “observation” (that is, advisory rather than a must-fix) and I’ve been open and said: y’know what, I think that should be a finding. After all, sometimes you can get a bit of budget to fix a finding but not an observation.

Next, be open. If there’s a problem with your compliance with a policy or regulation, one of two things will happen: either (a) you tell the auditor about it; or (b) you keep your mouth shut and they find it themselves. Option (c) – stay quiet and they don’t find it – seldom works. If you’re honest and tell the auditor of your known issues, you get a massive boost of trust from them.

And on that point: audits are a periodic (generally annual) thing, but surely you’re checking your own compliance through the year … aren’t you? If you’re doing your job properly, you should know where you have issues and have a plan for remediation of the problems you know about. If a shedload of negative findings at audit time comes as an utter, out-of-the-blue surprise, there’s something fundamentally broken with you or your organisation.

Next point: remember auditors are human too. Take them out for a beer, or for lunch, or for dinner. Get to know them socially. You might be surprised how normal they are (well, actually you almost certainly will be surprised). Don’t for a moment worry that they’ll think you’re trying to influence their findings or thought processes – a steak and a couple of pints is unlikely to sway any half-decent auditor. I’ve spent many happy evenings chatting about both work and personal stuff with auditors, and have often learned interesting things (chatting over a beer is a good chance to ask what other types of business they work with, or how they’ve seen other companies solve a problem that you’re facing).

And finally, why not consider becoming an auditor yourself? By which I mean maybe do a course. I did the ISO 27001 Lead Auditor course and exam, and it was an eye-opening experience that showed me the framework our auditors followed and demonstrated that once you’ve had things explained to you, there’s no rocket science, smoke or mirrors.

So yes, audits can be inconvenient and can reveal inconvenient truths about your policy compliance. But you should make the most of them and get the maximum value possible whilst being co-operative and open.

I once received an audit report whose executive summary contained the words “very pleasant experience”. We didn’t get an easy time, and we got a few findings to address, but we all made the most of it and the pain was minimal. So my advice to everyone who’s subject to audit is: embrace the opportunity and make the most of it.

David Cartwright

Dave Cartwright is Head of Technology Operations & Risk / Chief Information Security Officer for Santander in Jersey, and current Chair of the CIISF.
