What Security Teams and Board Members Want from an Audit: A Case Study
by Tori Thurmond / February 17th, 2023
Audits are a lot of hard work.
During an audit, both the auditors and the members of the organization undergoing an audit are working to make sure that the organization is as secure as possible. Even though both parties involved in the audit are working towards the same goal, have you ever wondered what security teams and decision makers within a company want from their IT audits?
At the 2022 ISACA Chicago conference, Katherine Mowen-Matz, a former IT auditor, explored this question in her session, “Tales of a Recovering IT Auditor.” She boiled the desired outcomes of an IT audit down to these three main points:
- To know that the assurance given is comprehensive and robust
- To perform work designed to highlight the unknown
- To support initiatives that are necessary but not getting traction
A thorough compliance audit should find areas within an organization where breaches and security threats could occur so the organization can work to strengthen their security posture.
With the ever-changing nature of cybersecurity, new threats arise frequently. Audits should inform security teams of risk they weren’t aware of so they can work to remediate that risk. Are there policies, standards, or procedures that are not being followed consistently? Are people circumventing controls that are putting your data at risk? This is the type of information Mowen-Matz suggests is most valuable to security teams.
Receiving an audit report with findings may seem scary at first, but the findings are how we strengthen our security postures and prepare to face new threats. A clean report may mean that your audit was not as thorough as it should have been.
Sharing Our Experience
At KirkpatrickPrice, we believe audits are hard, but a thorough audit is worth it when it identifies areas for improvement and illuminates the things an organization is already doing well.
After speaking with our Founder and President, Joseph Kirkpatrick, he shared an instance where, because of the audit we performed, we were able to provide valuable information that enabled a client of ours to improve their security posture.
This client had developers located in India. Because we make it a priority to make sure our client’s third-party vendors are following secure practices, our auditors working on the project visited the vendor site in India. We found out that the lead developer was pushing code into Azure over File Transfer Protocol (FTP) unencrypted. We were able to educate the client on why that practice was risky and why they should be pushing code in a more secure manner. This finding would not show up on a less thorough auditing firm’s dashboard. We believe there is value in taking the time to do things the right way when it comes to security and compliance.
Not only did we find that code was being pushed without being properly encrypted but we also discovered that our client’s code was leaving the building through laptops when the CEO believed the developers were only using desktop computers on site and no code was leaving the premises.
These were just two of the vulnerabilities our auditors discovered on their trip to India. Because of these findings, our clients were able to remediate issues that they didn’t know about to better protect their organization. This type of thorough investigation into our client’s controls and security practices allowed the client to strengthen their environment and decrease their chances of a breach. Even though the audit report showed a finding, that finding lead to a stronger, more secure organization. If it feels easier to choose a less difficult audit experience, ask yourself if it’s worth it to trust that a depersonalized audit tool’s “clean” report is giving you the full picture.
Partner with an Auditor Who Cares
At KirkpatrickPrice, we want you to get the most out of your audit, so we look beyond the surface to highlight vulnerabilities that could be easily overlooked with a less thorough audit. Our purpose is to make sure. We want to make sure that we are working with you on your compliance journey to help you feel confident to face today’s inevitable threats.
Let us help you prepare for your next audit through cloud security scans, risk assessment reviews, and information security policy reviews. If you have any questions about our audit process or other resources, connect with a KirkpatrickPrice expert today.
