Was the Audit Worth It?

by Sarah Harvey / December 20th, 2018

Information security audits strengthen business operations, yet many organizations are fearful of the process. We understand organizations’ hesitance to spend the time, money, and resources on information security – but the threats are only going to get more pervasive and more sophisticated. When a company chooses to invest in information security, it’s evidence of their commitment to providing assurance to clients, prospects, regulators, and business partners. But before they choose to make that investment, they weigh their options and ask whether the audit will be worth it.

Health Catalyst, a next-generation data, analytics, and decision support company committed to being a catalyst for massive sustained improvements in healthcare outcomes, sat down with us to answer one question: was the audit worth it?

Getting Rid of the Checkbox Mentality

We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off on a list, rather than something that can strengthen their business. Health Catalyst believes in the value and purpose of information security auditing. Kevin Scharnhorst, Chief Information Security Officer and Vice President of Cloud Operations, says, “The value of auditing is highly dependent upon the perspective of the person going into it. If they go into it with the attitude of just checking an item off of a list so that they can just say that they’ve done it, that’s the wrong attitude. I think everybody has room to improve, and if you go in with a humble attitude, realizing that your processes aren’t perfect and you’re bringing in outside expertise to see those opportunities that you can improve, that makes it well worth it.” Every business – no matter the size, no matter the industry – can benefit from a third party’s perspective. Is the audit worth it? Is the validation worth it? Yes, the investment will be worth it, and much more than an item to be checked off on a list.

The Audit Lifecycle

We like to view the auditing lifecycle in three phases. Organizations most likely begin the auditing process for a specific reason, so during the first year, organizations are almost in denial about having to go through an audit. Most ask questions like, “Do we have to do this? Why do we have to go through this audit? Is the audit worth it – all this hassle? How can compliance help our business?” If an organization never graduates from this mindset, they will get stuck in the checkbox mentality, rather than reaping the benefits of assurance.

In the second year of auditing, hopefully the perspective has changed. With some experience from the first-time audit, the second year seems less daunting. Was the audit worth it last year? Yes. The audit team now knows the process, knows what needs to be done, and is set on getting it done.

By the third year of the audit process, we hope organizations are able to recognize how important assurance is for their business. In this phase, organizations move away from the checkbox mentality and accept the worth of assurance.

Scharnhorst comments, “A lot of it has to do with getting used to the process of going through an audit. You definitely learn that in year one, and come out of it knowing the remediation items that you have, and learn how to effectively manage a security program. It’s just keeping eyes on the things that you’re told that you’re not done with after year one. Rather, in year two, you want to make sure that any of those exceptions are remediated and that you’re growing and strengthening yourself throughout year two and three, etc. At Health Catalyst, our plan is to do ongoing SOC audits. That gives us subsequent opportunity to just improve each year off of the prior year’s audit.”

Was the Audit Worth It?

In our discussion with Health Catalyst, it all came down to one question: Was the audit worth it? “Absolutely.” Health Catalyst leverages the value of their assurance. Scharnhorst says, “I’ve worked with many other firms, but I especially like working with my auditor at KirkpatrickPrice because he’s been a CISO before and over IT operations. He’s just a well-rounded individual and has a strong background, which helps me see not only where I can improve, but gives me challenges on how to do that. That’s where I see the value of working with somebody and having continuity, because the auditor will come in the next year and will see if I followed their advice. If I did, the auditor will go deeper into an area that I can improve. That’s the value and why it’s worth it. I’m using that expert advice to get better year after year and get stronger doing it.” Health Catalyst threw away the checkbox mentality a long time ago – they are making an investment in information security so that they can strengthen their organization year after year.

If your organization is reluctant to begin an audit for the first time, Scharnhorst has advice for you, too. “I would encourage them to consider that they need to have an outsider’s opinion to remove bias and blind spots that an organization could otherwise be uninformed on. Use reference calls to find the provider that is going to be the most compatible with your culture and that meets your checklist or compliance objectives. Don’t look for just a provider, but a partner. It could turn into an ongoing relationship if you go into it with the right mindset.”

More About Health Catalyst

Health Catalyst is a next-generation data, analytics, and decision support company committed to being a catalyst for massive, sustained improvements in healthcare outcomes. They are the leaders in a new era of advanced predictive analytics for population health and value-based care with a suite of machine learning-driven solutions, decades of outcomes-improvement expertise, and an unparalleled ability to integrate data from across the healthcare ecosystem. The Health Catalyst Data Operating System (DOS™), a next-generation data warehouse and application development platform—powered by data from more than 100 million patients, encompassing over 1 trillion facts—helps improve quality, add efficiency and lower costs for organizations ranging from the largest US health system to forward-thinking physician practices. Their technology and professional services can help keep patients engaged and healthy in their homes, communities, and workplaces, and can help optimize care delivery to those patients when it becomes necessary. They are recognized by Fortune, Gallup, Glassdoor, Modern Healthcare and a host of others as a Best Place to Work in technology and healthcare.
