Starting your first audit can be intimidating. Our first-time audit clients often ask the same question: how does the audit process work? At KirkpatrickPrice, the audit process can be broken down into 5 steps:

1. Kickoff call

Every audit begins with a kickoff call. On this call, we will establish the timeline for the audit along with all audit objectives and expectations.

2. Document collection

After the audit begins, we will collect documents through the Online Audit Manager for your audit team to begin reviewing. This includes policies, procedures, inventories, asset lists, and diagrams.

3. Client visit week

Next, we will conduct an onsite visit at your office. This is one of our favorite weeks of the audit because we get to dive deep into your processes together. This is essential for understanding your environment and the unique controls needed to secure it.

4. Weekly evidence collection sessions

After the onsite visit, we’ll continue collecting evidence in weekly sessions. These sessions last for 4-6 weeks depending on your unique needs and audit type.

5. Report delivery and review process

Your audit will end with an expert report written by our in-house team of Professional Writers. You will be able to review the report and provide feedback before finalizing the report. Once your report is finalized, your audit journey will be complete.

To learn more about our audit process, watch the video below where Callie and Kyle dive deeper into the process:

Choose the audit partner who will help you accomplish all of your security and compliance goals.

We know that audits are hard and overwhelming. That’s why we promise that when you work with KirkpatrickPrice, your audit will be worth it. We’ve issued over 20,000 reports to 1,200+ clients and have been able to give them the assurance they deserve. You deserve to be confident that your organization is ready to face today’s threats confidently.

Connect with one of our experts today to start your compliance journey with an experienced partner who will make sure you meet all of your security and compliance goals.

The Online Audit Manager is the best and fastest way to start and complete your audit.

We believe if you’re going to use a compliance tool, it should be the one from a licensed security auditor that can actually deliver the audit you need. We understand you want tools that make your life easier. That’s why we created the Online Audit Manager (OAM), the world’s first compliance platform, to bring you both technological innovation and direct interaction with a certified auditor.

Here’s how it works:  

1. Create a Free Account  

The OAM gives you everything you need to get started on your audit today for free. With your account you can learn about what is necessary to complete your audit and complete all audit readiness activities within one platform.  

2. Connect with an Expert  

In the OAM, our certified professionals work alongside you every day so you can have immediate answers to your questions and test your controls whenever you’re ready, all in one convenient location.  

3. Start and Complete an Audit 

You won’t need to work with anyone else to complete your audit. You can leverage the work you’ve already started in the OAM to finish your KirkpatrickPrice audit. Receive your report from the same place you’ve already started working.

Choose the compliance platform that can deliver the audit you deserve.

Stop worrying if you chose a tool that was a waste of time, money, and effort. Instead, choose the platform where you can start working with the expert who will complete your audit. With the OAM, you can be sure that your audit journey will end in success.

Sign up for a free account today!

Guide to the OAM

You deserve a compliance tool that makes your life (and audit) easier.

Whether you’re ready to start your audit, need some help preparing, or just want to manage your compliance practices, the OAM will make sure you accomplish your compliance goals. Download our guide to learn how.

Get the Guide

When you’re wondering how to choose the right audit firm, it can be difficult to tell what sets each firm apart. At KirkpatrickPrice, it’s our experienced auditors.

Our auditors have years of industry experience, multiple certifications, and a passion for learning about information security best practices. Every auditor must hold the CISSP certification when hired, and many start with several certifications already. They continue to pursue and earn additional certifications while working at KirkpatrickPrice, bettering themselves so they can perform better audits. One of our auditors has 40+ certifications!

Our auditors also have years of hands-on experience in the field, which strengthens the skills they gained while earning their certifications. They have worked in a multitude of industries, including healthcare, technology, hospitality, government, construction, engineering, manufacturing, and financial services. While working in those industries, they went through compliance audits just like you, so they’ve been in your shoes and know how hard an audit can be. That’s why they’re so passionate about working with you to make sure your audit is worth it.


Most audits are started because of a client request. However, we believe an audit benefits your organization by validating your controls and strengthening your security posture. By engaging an independent third-party audit firm, you can trust the results of the engagement to give you an accurate representation of your security posture. That tells you whether you’re ready to face today’s threats confidently or whether you need to spend time adding controls to create an even stronger environment.

An audit also allows you to demonstrate and prove your mature security posture to your clients and the marketplace. Having that trustworthy opinion will open new doors of business opportunities and create trust amongst your current clients that you’re doing everything you can to keep their data safe.


Audit Readiness Guide

Starting an audit is overwhelming. Our Audit Readiness Guide will tell you what you need to know.

You know you need an audit, but don’t know what to expect or how to get started. This guide will tell you exactly what will be tested and how to start your compliance journey.

Get the Guide

The future of cybersecurity is full of mystery, intrigue, and intimidating trends. Threats loom larger every day, and defending ourselves against them becomes more and more challenging. At the Secure Miami 2023 Conference, industry leaders gathered to discuss these trends and how we can safeguard ourselves and our businesses against them. The day covered exciting new topics like AI and ChatGPT while also touching on the importance of information security basics, like access and risk management.

But whether the conversation was about the next big thing or the classics we all need to master, key trends and themes ran throughout the entire day. Let’s discuss the five takeaways that emerged from every discussion and that your organization can use to strengthen its security practices:

1. Proactively Plan

We all know the landscape of security culture is changing. Businesses will no longer be able to survive if they only react and respond to the threats and attacks coming for them. To survive, businesses must adapt from a reactive mindset to a proactive one. We cannot hope that we won’t be attacked; we have to assume the attack is coming. This is a classic case of when, not if.

The good news is that businesses can create a plan to secure their business and protect their valuable assets. Having an incident response plan and a business continuity/disaster recovery plan in place allows organizations to plan their response to an attack and avoid ruin.

An incident response plan is a predetermined approach for identifying and addressing a security incident; it dictates the procedures to follow after detection so that the impact is minimized. At a minimum, your plan should include:

  • Roles, responsibilities, communication, and contact strategies in the event of a compromise including notification of the payment brands
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data back-up processes
  • Analysis of legal requirements for reporting compromises
  • Coverage and responses of all critical system components
  • Reference or inclusion of incident response procedures from the payment brands

A business continuity plan is a deliberate and actionable strategy to ensure service delivery in the event of a major disruptive event impacting essential business functions, processes, or technologies. At a minimum, a business continuity plan should include:

  • Document Control
  • Priorities & Responsibilities
  • Key Risks
  • Roles & Responsibilities
  • Emergency Recovery Process
  • Business Recovery Process
  • IT Business Continuity Plan
  • Emergency Delegations List
  • Contact Lists

In addition to creating these plans, businesses need to test them to ensure they operate as designed. Tabletop testing is one of the best ways your organization can test these plans under pressure to make sure they will actually keep your business safe.

The worst thing that can happen during a breach or attack is not knowing what to do next. Proactively plan to keep your organization safe.

2. Know Your Environment and Its Risks

In order to properly plan for the threats your organization is facing, you must know the risks you are facing throughout your entire environment. And to do that effectively, you need to fully understand your environment. No one should know your network, environment, or processes better than you. You need to know your assets, the functions of those assets, and who has access to those assets. This is the only way you can know which defenses are needed and what will work best to protect your unique environment.

Once your assets are properly accounted for, your organization will be prepared to perform an effective risk assessment. A risk assessment is the most trusted weapon against all of the threats we’re facing. By understanding what you are protecting, you will be better equipped to put the right controls in place for your organization’s unique environment and vulnerabilities.

In our Founder’s presentation at this conference, he discussed risk management as it relates to Star Wars. Spoiler alert: Darth Vader’s lack of a proper risk management plan led to the destruction of the Death Star. To have been properly prepared, the Empire should have inspected the ship for vulnerabilities and then planned to defend them. The threat they faced was the Rebel Alliance’s X-wing Starfighter, but the vulnerability was the thermal exhaust port. Being too focused on the operation, they did not manage the one thing that made them vulnerable.

So, to avoid your organization falling to the dark side, you must start thinking about the real vulnerabilities you are facing. When you connect the threats you face to the parts of your environment that make you vulnerable, you can implement stronger controls that are designed to properly protect your valuable data. By identifying the risks that could stop you from being successful and proactively planning how you will secure your organization from those risks, your organization can be confident when facing today’s ever-evolving threats.

3. Training

Creating these processes isn’t enough to secure your environment. You have to make sure your employees know how to implement them and are willing to do so. One of the biggest threats to an organization is human error. According to a study conducted by Stanford University in 2020, approximately 88 percent of all data breaches are caused by an employee mistake.

The only way we can combat this is through security awareness training. Train your employees often on a variety of topics so you can ensure everyone is on the same page about how to protect your organization against threats.

While your training should cover all your organization’s unique processes as well as common attacks and breaches, here are five areas to consider focusing on to encourage your employees to practice security in the workplace:

  • Physical Security – Protect the home front.  Implementing requirements like wearing badges while on the property, appropriate identification and sign-in procedures at the front desk, video surveillance, and proper locks all protect your office and the people inside of it.
  • Password Security – Passwords should be at least 8 characters long and use a variety of upper and lowercase letters, numbers, and special characters. Default passwords should never be used, and passwords should never be shared.
  • Phishing – Train your staff to be wary of phishers and to know what to look for. Make sure they know not to open attachments in emails if they do not know the source. Encourage them to not send confidential information in response to an email claiming that “urgent action is required.” Test and train your employees to make sure you’ve created an environment where if in doubt, someone will ask before engaging in an email that may look suspicious.
  • Social Engineering – Social engineering threats are threats based on human vulnerabilities. It’s a way attackers manipulate people into giving away confidential information, password/ID combinations, or to gain unauthorized access to a facility. Train your employees to operate with a healthy amount of skepticism, and to never give out sensitive information without fully identifying the other person.
  • Malware – Malware, much like phishing, can enter your environment through seemingly harmless actions such as employees opening emails from unknown sources, using an infected USB drive, or visiting websites that may be unsafe. Be sure employees are trained to be aware of these kinds of attacks, and practice identifying malware threats.

4. Quit Freaking Out About AI

AI is taking the world by storm right now. It’s all our auditors have been talking about because it’s new and unknown. The sessions at Secure Miami all heavily focused on how AI and ChatGPT will change our security landscape and how we can securely implement it into our own security processes.

And while the unknown is scary, the overwhelming opinion was that we need to stop freaking out just because new tech has entered the chat. Our processes and our people have adapted in the past, and they can again. Think about when the cloud was a new concept: people freaked out about that, too, but now it is common practice, with new security measures developed to protect the data that we store in the cloud.

AI will be the same way. We will build the controls we need to protect our data, and those controls will let us still benefit from this new technology.

Remember, AI is just a tool. Here are a few takeaways about how to securely approach it currently:

  • Be smart about how you implement your controls and secure your use of AI (knowing your environment and proactively planning for threats is how you do this).
  • Use compliance frameworks to know what controls you need.
  • Educate your users on how to use AI securely.
  • Make risk-based decisions. Make them proactively, not reactively.

5. Invest in People

Despite current fears, people cannot be replaced by AI. We still need to invest in people and train them on security best practices so AI can be used as a tool and not as a default security measure. While training your employees is always a good investment, you need to focus on your culture as well. This means investing in and creating internal relationships on your team as well as across departments. This type of relationship will create the buy-in you need to implement the controls you’ve so carefully designed.

Outside of your own organization, consider offering internships or mentorships to aspiring cyber professionals. Share your knowledge and make sure that the next generation of IT and cyber professionals knows the importance of these controls and processes, even in light of cool new tech. Recruiting talent you can trust is hard enough, so why not invest in young professionals and help them be the best they can be, creating talent worth hiring in the process?

Get Back to Basics

This day at Secure Miami was a great reminder that no matter what flashy new tech comes our way or what attack threatens our business, we can prepare to face it with core security principles. Proactively planning how we will defend our data and respond to a breach, with well-trained people helping us, will always be the top trend in our industry.

While we may have boiled this day down into 5 takeaways, we understand that implementing these things can actually be really overwhelming and challenging. If you’re feeling that way, reach out to one of our experts at KirkpatrickPrice. We’ve been in your shoes and know how challenging implementing these controls can be. But we’ve worked with over 1,200 clients to issue 20,000 audit reports and are passionate about helping organizations get the assurance they deserve. We’ll help you create the controls you need to secure your unique environment.

Connect with one of our experts. We promise that cybersecurity and compliance will no longer be a mystery.