Why Quality Audits Will Always Pay Off: You Get What You Pay For

by Sarah Harvey / December 4th, 2018

What would be the impact to your organization if your information security auditor did not conduct a thorough audit? How would it impact your organization if you partnered with an auditing firm whose quality of services and integrity was questioned by industry regulators? Too often, organizations must deal with the aftermath of receiving an audit that wasn’t thorough enough. This could mean public-facing S3 buckets, active directory policies do not reflect written policies, failure of physical safeguards, cardholder data that is inadvertently exposed to the public, or worse. These organizations have to deal with breaches, fines and penalties, and in extreme cases, losing their business altogether. At KirkpatrickPrice, we want to make sure that your organization never faces these consequences, and we do this by delivering quality audits. But what does that mean? Let’s discuss what a quality audit looks like and why it will always pay off.

What is a Quality Audit?

A quality audit can mean different things depending on the intention of the organization receiving the audit. If a business seeks out an audit firm for the sole purpose of checking a box off a to-do list, they probably aren’t looking for what we believe to be a quality audit. We want to partner with organizations who are committed to improving their security posture, finding and mitigating vulnerabilities in their systems, and collaborating with an auditor to ensure that the audit process is effective. To us, a quality audit has the following qualities:

The audit firm is qualified. This means that members of leadership have extensive experience in information security and the firm itself has the appropriate qualifications. For SOC 1 and SOC 2 audits, that would be a CPA firm. For a PCI audit, that would be a QSA. For a HITRUST CSF assessment, that would be a validated HITRUST CSF Assessor.
The audit will be conducted by senior-level information security specialists who hold industry certifications and are regarded as experts. If a junior-level auditor or an auditor with no relevant information security certifications has been assigned to perform your audit, consider how that lack of experience could impact your organization.
The organization has appropriate communication. If you have little to no communication with your audit team during the audit, this should be a red flag. If you are suspicious that any step in your process is being outsourced (penetration testing, report writing, etc.), this should be a red flag. How can an auditor conduct a thorough audit if they aren’t speaking with you about your systems? How can they understand your business without analyzing it firsthand?
There should absolutely be an onsite visit. If an audit firm offers to conduct an entire audit remotely, they are going to miss physical security vulnerabilities that could greatly impact your security posture. When our auditors go onsite, they’ve gained access to “secure” locations, plugged into network jacks “hidden” in public spaces, found “protected” cardholder data printed out and stacked into piles in offices, and even found physical holes in walls of data centers due to construction. What would your auditor miss if they didn’t come onsite?
The audit firm would have a quality assurance program in place to ensure that auditors’ work is consistent and thorough. If there is no quality assurance program, how can you be sure that the auditor performed their due diligence?

The Cost of a Quality Audit

When it comes to an information security audit, it’s critical that those approving budgets for information security audits understand that you get what you pay for. If you’re being pressured to find the lowest-cost audit, ask yourself what you’re willing to give up in order to save money. If you see a quote that is significantly lower than the others, will the cheap price be worth a lack of thoroughness? How shocked would your supervisor be if you were considered to be, for example, PCI compliant, but then an undiscovered vulnerability was breached, and your organization’s reputation was compromised? Would a cheap audit be worth the aftermath of an expensive breach? Being able to explain the value of a quality audit to your team is crucial.

Misconceptions About Quality Audits

While financial considerations play a major role in why organizations partner with certain firms, there’s one other quality that many businesses look for in an audit firm: name recognition. Many organizations fall into the false perception that firms like the Big Four, who have names that are recognized across industries, deliver the most credible reports. That isn’t always the case. In fact, in recent years, the Financial Reporting Council (FRC) has investigated the Big Four due to significant decreases in the quality of their auditing practices. They’ve even gone so far as introducing harsher penalties for insufficient audit practices, because even after multiple fines and warnings, the Big Four still showed a lack of quality and integrity in their audits.

Ensuring that your organization receives a quality audit doesn’t have to be a difficult process; a little due diligence on your part can go a long way when vetting information security auditing firms. Don’t fall into the trap of engaging with a firm that won’t be able to deliver the kind of thorough audit that you need. Protect your organization’s financial stability, reputation, and operations and gain assurance by partnering with KirkpatrickPrice to receive a quality audit. Contact us today to begin learning about our quality guarantees.