In the words of Jim Gaffigan, “I hope you like what some other guy wrote.” When you receive a Valentine’s Day card, have you ever thought about how many people got that same card? It’s meaningless when the canned text applies to you and everyone else in the world. Instead, it’s nice to get a heartfelt message that is uniquely written for you.

An audit report is a love letter to your clients. It should be YOUR description of what YOU’RE doing to protect their information. Your SOC 2 audit report should be uniquely written to explain your controls and why they matter to your client. Your SOC 1 audit report should have complementary user entity controls written in a way to help your client understand what they should specifically be doing to interact with your system and processes. Your ISO 27001 audit report should explain distinctly how you’ve designed your Information Security Management System. Your clients will feel special to know that you took the time to write something to help them understand.

We’re seeing lots of clients use compliance platforms and policy templates, which provide canned control descriptions. These descriptions are showing up in everyone’s reports and turning them into boilerplate language. Worse yet, maybe the static language they gave you doesn’t match with what you’re actually doing and it opens you up to liability! Your clients don’t want to read what a tool wrote. They want to hear thoughtful descriptions about what you do and why.

KirkpatrickPrice advocates for a quality approach to cybersecurity and compliance audit reports. Whether you seek to comply with SOC 1, SOC 2, ISO 27001, NIST 800-53, or the HIPAA Security Rule, they all start with the foundational element of a risk assessment. From there, YOU design your controls in a way that addresses the threats to YOUR business. No two businesses are alike, so please don’t send the same Valentine’s card to them all. It’s time well spent to think about your controls and write them in a way that is applicable to you and your client. They will love you for it.

It’s become more commonplace to see companies touting their “clean” audit report. It might be a company that has finished their first audit and they’re celebrating their success. Whether it’s a SOC 1 audit report that focuses on Internal Control over Financial Reporting, or a SOC 2 audit report that focuses on the Security, Availability, Processing Integrity, Confidentiality and Privacy Trust Services Criteria, it feels good to get that report in your hand to represent the end of the audit process.

But what is a “clean” report? Is that actually something you should be striving to accomplish? A SOC 1 or SOC 2 audit is not a pass/fail result. It is an opinion issued by an independent auditor based on the concept of reasonable assurance. The auditor can issue an unqualified opinion as to your achievement of the control objectives or criteria. They can issue a qualification to that opinion, such as stating that the company achieved the SOC 2 criteria “except for” vulnerability management. Alternatively, they can issue an adverse opinion or disclaim an opinion altogether.

In the Type II version of both reports, there is a section that details the testing performed on each control. The results of the test might contain an “exception.” For example, we pulled a sample of 10 new hire files and found that one did not sign the Confidentiality Agreement. Or, out of a sample of 30 Windows servers, we determined that 3 did not contain the latest patches released over 6 months ago. These exceptions may not impact the final opinion in the report, but they are important details for you and your client to consider when relying on that particular control to reduce risk.

The desire for a “clean” report comes from an expectation that you shouldn’t show any weakness in your audit report. We want the best opinion and we want to show that we have NO exceptions. But is that realistic? What company has no exceptions during a year of activities? People miss things. Technology fails. Processes are flawed. Be authentic in your reporting. Show your clients that you are being thoroughly tested and demonstrate that your mindset is to improve year after year.

The professionals reviewing your report are experienced in compliance and review many reports. They can tell the difference between results that sound too good to be true and an audit that took testing seriously and is reporting honestly. At a recent conference session, we led a group of almost 100 compliance officers through a vendor management exercise and asked the question, do you accept an audit report with no exceptions? Not a single hand was raised. They commented that it makes them suspicious when it doesn’t appear that the report reflects reality.

Don’t fall for the “clean” report trap. Embrace the audit experience as a way to expose findings and demonstrate to your clients that you took those findings to heart by adjusting your controls to meet the ever-increasing threat landscape. They’ll be satisfied and your company will benefit from that mindset too!

What does partnership look like when your organization is in the middle of an audit? When you choose a qualified audit firm to help you in your audit process, you are choosing a partner for an important compliance journey. How does the audit firm you choose support you? What practices does it implement that enable you to successfully complete your audit process? In what ways is an audit firm helping you on your compliance journey? Let’s look at the traits you should be considering when choosing a partner for your audit.

Choosing a Partner that Supports Your Organization

There is no denying that audits are difficult, but you can confidently achieve your goals when your organization has a quality partner working alongside you on your compliance journey. What are some qualities you can look for when choosing a partner?

  • A quality audit partner is one that is experienced in the necessary skills and practices regarding security auditing. Audits are complicated and you need a qualified auditor at your side to check your internal controls, security practices, and policies.
  • You’ll want to make sure you’re choosing a partner that doesn’t waste time during an audit. Working with a timely audit firm that stays true to the timeline developed at the start of the audit is important for an organization looking to complete tasks in their compliance journey on an efficient schedule.
  • Proper communication is important to creating a system of support and partnership. In order to communicate effectively, the audit partner your organization chooses should have a quality audit team that stays in contact with your organization through every step of your compliance journey.
  • The audit process needs to be streamlined to gather data and evidence and properly examine your organization’s controls. At KirkpatrickPrice, the Online Audit Manager enables us to partner with organizations before an onsite visit to make the audit process as smooth as possible.
  • Choosing a partner that fits your organization should be reliant upon your ability to trust that the audit firm is independent and qualified. To perform a PCI audit, the firm must have personnel with QSA and PCIP certifications. Only CPAs can perform SOC 1 and SOC 2 audits. To perform a HITRUST CSF assessment, the auditor must be a CCSFP at an authorized assessor firm.

Why KirkpatrickPrice is the Audit Partner for You

KirkpatrickPrice is an audit firm whose goal is to give the support and guidance your organization needs to embark on a successful compliance journey. You don’t have to settle for choosing a partner that conducts an audit and leaves you with unanswered questions and compliance worries. Instead, you can start and end an audit with a firm that wants to see you defeat the most challenging compliance requirements you face. Make sure you’re choosing a partner that will be by your side throughout your compliance journey. Contact KirkpatrickPrice to be supported by the partner your organization deserves to have on its compliance journey.

One of the things that we say here at KirkpatrickPrice is that we partner with our clients to help them achieve challenging compliance goals. When you’re going through an audit, it’s very difficult. When you want to comply with a variety of standards that are out there, it’s a very challenging thing to take on. Everybody wants a good partner at their side – somebody behind them providing coaching and guidance, supporting you through your goals. We want to be that type of partner for you. The spirit that we take on is from the first Kirkpatrick on record. His name was Roger Kirkpatrick – first cousins with William Wallace, loyal to Robert the Bruce. Robert the Bruce had a rival and Kirkpatrick was there to support him and fight along his side in order to defeat the rival. We take on that same spirit here in the way that we partner with you. We want to see you defeat the hacker, defeat those challenging compliance requirements that are coming at you from every angle. We will make sure that we are a great partner to you in your challenging compliance goals.

When you choose an audit firm to start the audit process, you’re choosing a partner. You want an auditor who is highly experienced, can communicate well, and knows how to support your organization on its compliance journey. Once you find an audit firm that meets your expectations, your organization will need to continue building a good relationship with your auditor throughout the audit process. It doesn’t stop at signing a contract, and it’s a two-way street. What actions or behaviors could negatively impact your relationship with your auditor? When does an auditor have the right to withdraw from an audit?

Finding the Right Auditor

What should you be looking for in an auditor? How do you know you’ve picked an audit firm that will support and educate you during the audit process? How can you make sure you’re not giving an auditor the opportunity to withdraw from an audit? Although audits are difficult, you don’t have to tackle compliance requirements alone. Finding the right auditor for your organization starts with an evaluation of your organization’s timeline expectations, communication goals, and auditing needs. Once you know where you stand, you are able to find an auditor that can support you.

The quality of work you receive when you’re handed a compliance report is directly related to the availability, qualifications, and skill of the Information Security Specialist you work with. At KirkpatrickPrice, our audit team is made up of qualified, experienced auditors. You don’t want to choose a firm that sends a junior-level auditor to check your internal controls, test your physical security, and walk through your processes. You deserve to have a senior-level auditor working alongside you during the audit process. These experienced auditors focus on the goal of independence and support so that there isn’t pressure to withdraw from an audit.

Building a Relationship with your Auditor

Once you choose an audit firm, what is your organization doing to foster a positive partnership with your auditor? Even after an audit process is completed, a healthy relationship with an auditor means continued support and education in your compliance efforts. To make sure you have built a strong relationship with your auditor, you can review our Six Signs that You’re in a Good Relationship with Your Auditing Firm. Following these signs of a good auditor will help point you in the direction of meeting your long-term compliance goals and avoid the possibility of an auditor needing to withdraw from an audit.

The key to maintaining a good relationship with your auditor is recognizing the audit firm’s requirement for independence. Auditors can withdraw from an audit if the rules of independence are broken during the audit process. If an auditor feels as though something has happened to where they cannot be objective, they have the right to withdraw from the audit. To make sure your organization doesn’t cross those boundaries, you can focus on respecting the auditor’s independence throughout the audit process. You can trust that your audit is in good hands when you choose an auditor with the integrity to remain independent.

Fostering a good relationship with your auditor puts you on the right path towards compliance and encourages a support system for your audit process. Start your journey with an independent audit firm that meets your needs and avoid any problems that might require an Information Security Specialist to withdraw from an audit. Contact KirkpatrickPrice today.

Did you know that an auditor can actually withdraw from your engagement? There are certain rules that we must follow that require us to withdraw if certain circumstances are met. For example, we have to maintain independence at all times. If something happens that compromises that independence, we have to withdraw from your engagement. If a company puts undue pressure on us and they say, “We’re not going to give you that next contract unless you find certain things favorable for us in this audit,” we can’t do that audit. We have to withdraw from the engagement. If a company is combative or argumentative with us through the audit, if it puts that undue stress on the auditor to where they can’t be objective, then we have to withdraw from that engagement. I think understanding the nature of audits and understanding how that relationship works is very important to making your audit a successful engagement.

There are many decisions that organizations need to consider when choosing an audit firm, like cost, expertise, location, timeline, and audit process. You need to be confident in who’s performing your audit and in whether their audit process is clear and accurate. If not, you’re risking a case of the never-ending audit.

The Audit That Never Ends

A never-ending audit is one where you’re revisiting the same tasks time and time again with no end in sight. You’re working diligently on your audit tasks, but you don’t know what stage you’re in. You’re lost in the processes and can’t see where they finish. There’s a lack of clarity and understanding which leaves you wondering what evidence the auditor is looking for or how many tasks are left in your queue. A never-ending audit is not an audit you want to spend valuable time and money on. To avoid a never-ending audit, you need to know your audit firm and its processes well.

Getting to Know Your Audit Firm

How can you put your best foot forward as you begin your audit process? You can start by getting to know your audit firm. It’s important to understand the processes of the audit firm you choose, because a high-quality process produces an accurate and timely audit report. What questions should you be asking when choosing an audit firm?

  • What is their audit process? How does the audit firm conduct an audit? Do they visit your location in an onsite visit or is the audit completed remotely?
  • What are the expectations for your organization? How fast are you expected to complete the tasks? Are you expected to be on weekly calls? Is there an expectation that you will initiate communication or is that left up to the auditor?
  • How will the audit timeline be kept? Are they working on a timeline you have presented? Are you supposed to follow a timely system that has already been developed? How will you be notified of your timeline? Will you be able to see your progress as you move through the audit process?
  • Who will you be working with? What members of a team will be included on calls or in communication with your organization? What qualifications does this auditing team have to conduct an accurate, quality audit for your organization?

Gathering information on their processes is integral in getting to know your audit firm. You have to know how they perform an audit in order to trust them and be confident in their firm. At KirkpatrickPrice, we use the Online Audit Manager to visually provide direction, progress, and clarity during your audit process. You get to know us through our high-quality procedures and practices which provide your organization with a timely, accurate audit report. You won’t have to endure a never-ending audit when you start your audit with KirkpatrickPrice.

Transcript

A common story we hear from clients who have gone through audits with other audit firms is that they think they’re done with their audit, but then the auditor comes back with another spreadsheet or another request for evidence. Now they think they’re done, again, but then, later, the auditor comes back again and says, “Oh, I just need a few more things.” It always feels like the never-ending audit. You don’t have that experience at KirkpatrickPrice because using our Online Audit Manager, you always have a visual understanding of exactly where you are in the audit process. You understand whether or not the auditor has looked at your submission. You also understand whether or not the auditor has accepted, meaning they finished looking at it, or whether or not something is pending, meaning that they might have to do something else on that particular item. Regardless, it always tells you exactly where you stand and whether or not to expect something else from your auditor before finally being complete with your audit.