Ask an Auditor Anything: Recap of a Live Q&A Session
by Tori Thurmond / June 5th, 2023
The truth is that compliance is hard. We know that getting ready for an audit and remaining complainant is a year-round effort that can feel overwhelming. Our clients often ask us what they can be doing to prepare for their next audit, how to stay on top of the ever-evolving industry, and how to tackle new cybersecurity trends. That’s why we decided to host a live Q&A session with our auditors so they could answer any and all compliance questions.
In May, one of our audit directors, Jennifer Peters, hosted a discussion with two of our expert auditors, Steven Collins and Bob Welch, where they spent the hour answering questions submitted by attendees.
Note: The answers below have been summarized for the purposes of this blog. Listen to the full webinar to hear exactly what was discussed.
Q: What are the biggest challenges you’ve seen emerge for your clients so far this year?
A: Even though the cloud has been around for a while, organizations are still working on moving everything over to the cloud. There are many benefits to storing data in the cloud, but a common misconception that still surrounds the cloud is that once the data is in the cloud, organizations aren’t responsible for its security anymore. The different cloud environments like AWS, Azure, and Google Cloud are not responsible for managing your data. Make sure your organization reads the cloud controls matrix and understands the idea of shared responsibility to understand the risk associated with using the cloud and what you can do to keep your data secure.
Another major challenge our experts have seen this year is organizations being short staffed and having to lay off some of their employees. Generally, some of the first people who get cut are on the security or IT team. While it’s inevitable that sometimes companies go through periods of consolidation, make sure you have the proper staff to maintain your organization’s security and compliance. Without the proper security professionals, the risk analysis and risk assessment processes are harmed. We understand that when you’re short staffed, the last thing you want to worry about is vendor management and other time-consuming security measures, however, skimping on security and compliance measures now could cause extensive damages later.
Q: How should companies promote a compliance culture throughout the organization?
A: The key to creating a compliance culture within an organization is through a top-down model. The CEO or board members of an organization need to care about compliance. The higher-ups need to champion compliance by being vocal about why security and privacy are so important and mandatory. If members of the organization don’t understand the reasoning for compliance and the consequences that will occur if the organization isn’t compliant, it’s hard to build a company-wide security and compliance culture.
When employees see that the people who lead the organization are committed to compliance, they are more likely to take on individual compliance responsibilities to help strengthen the company’s security posture.
Q: How should organizations stay on top of multiple frameworks?
A: The best way to stay on top of different frameworks is by staying up to date on your audits. Audits are the best tool to tell you where your security and compliance issues are. After your audit, your auditor will issue an opinion about what they see in your environment, like if your controls are doing what they are supposed to and if any vulnerabilities are present. Audits help you stay up to date on framework changes and help prioritize your security and compliance budget. Make sure you have an expert compliance partner that will give you a thorough audit you can trust.
Another step you can take to stay on top of the different frameworks is having a dedicated compliance professional who’s responsible for keeping up with any framework changes that occur and making sure the organization remains complaint. They will be able to notify management how changes will affect the organization and what compliance goals need to be set for the next few years. When you better understand the regulatory environment you’re operating in, you can know what frameworks you need to acknowledge within your organization.
Q: How are auditors addressing the use of ChatGPT by employees within organizations?
A: Since ChatGPT and similar chatbots are new to the scene, organizations are still figuring out how to use these tools within their organizations. Organizations are asking our auditors if and when it’s ok to use ChatGPT, how they take advantage of the technology in a secure way, and even how they can prevent their employees from using these tools at all.
When deciding if and how you’re going to allow the use of ChatGPT within your organization, our auditors encourage you to look at other organizations that have already started using the tool. What we’ve seen so far is that ChatGPT holds onto the data that is entered into the tool, so if people know how to ask questions in the right way, ChatGPT can give up sensitive information from one organization to another. All questions and answers are being used to train the tool, so whatever information you input becomes a part of the tool’s data set.
There have also been news stories about people failing to validate the output of tools like ChatGPT, leading to false claims. Steven referenced a case where a lawyer used ChatGPT to assist in preparing a court filing. ChatGPT created court cases that didn’t exist and attested that they were real. The lawyer failed to validate that the information ChatGPT provided was true and is now in legal trouble. While ChatGPT can be helpful, it is an unreliable source that, if used, must be validated.
Q: During the upcoming audit, will clients need to have a new policy in place specifically addressing the usage of ChatGPT and other AI?
A: Yes. You need to be able to tell your employees what is and isn’t acceptable when it comes to using AI and machine learning within your organization. Just like you need policies and procedures for everything that’s being used in your environment, you need one for AI as well. Members of your organization shouldn’t have to guess when they can and can’t use AI.
You can also work to clarify existing policies, especially for the use of external AI. If confidential information is being typed into a tool like ChatGPT, that should be a breach of your current privacy policy. Your existing policies should cover the use of external AI, but adding clarifying language that includes AI is a good addition.
However, internal AI is a different story. For internal use of AI, make sure you have documented processes for how outputs are being verified and what metrics you have in place to determine that the information is accurate. When using AI tools, make sure you check to see if the company that owns the tool has documentation with how they handle confidential information and their third-party due diligence. If you don’t know where the information you put into the tools is going, don’t use the tool.
In short, the biggest thing to keep in mind with AI for external use is having a privacy policy that covers when the tools are approved to use. If it’s not an approved tool, don’t use it. If you decide that a tool would be good for internal use, you need to have some sort of privacy contract like an NDA in place with that company. Our experts suggest waiting until some sort of commercial service for AI exists where data regulations can be put into place.
Q: How do you find the balance between implementing new technology and security?
A: If you decide that a new technology would be helpful for your organization, make sure you ask yourself what exactly it would be used for and how it would help your organization. Once these things are determined, it’s time for a risk assessment. Make sure to assign a risk score to the new technology before having someone in management sign off on the new technology’s use. You need to be able to determine if the new technology is worth the risk for your organization and if the organization is willing to accept that risk. Risk assessments are a key component to compliance and should be conducted whenever you’re considering adding a new technology to your environment.
Q: Are there any impending regulations regarding AI?
A: There are some regulations in the works for AI and even some voluntary frameworks available for reference but nothing official yet. We are currently in the “wild west” period for AI, meaning that people can pretty much do whatever they want with AI since no formal regulations exist yet. We do expect to see some sort of impact or damages from organizations that are already using AI technology, but that’s why risk assessments are so important.
Different countries from around the world are already working on regulations when it comes to AI technology, but just because nothing specific to AI currently exists doesn’t mean that existing confidentiality standards don’t apply.
Q: How do start-ups (or Enterprise Clients) need to think differently about data resilience & data residency requirements as they expand internationally?
A: There are different data laws and regulations around the world that you must comply with when doing business internationally. For example, the US has HIPAA where the EU and Asia do not, and the EU has GDPR where the US does not. You have to make sure that you’re following all data regulations that apply to your organization and your clients.
Look at the contractual obligations you have with your clients. They might say you can’t cross borders with their data. Many organizations use offshoring in their business, but do you know where the data is actually living? Even if a virtual desktop is used where the data technically resides in the US, the data is still being transferred. It’s all about data jurisdiction when you’re expanding your business to different parts of the world.
Privacy is a legal issue with legal consequences, so you need to work with someone like an attorney who really understands privacy matters, including international privacy laws.
Q: What controls and documents are necessary when your 100% remote workforce is accessing CDE?
When working remotely, make sure employees are using a VPN, strong multifactor authentication (MFA), and encrypting every device that data will go to. If someone loses a laptop that wasn’t encrypted, you’ll have to try to prove what was on the laptop, and, even if you can do that, the lost laptop is still a data breach. Make sure to enforce more than the bare minimum when it comes to password best practices as well.
The cardholder data environment (CDE) is the scope of your PCI assessment, including the systems you are using to provide services under the PCI DSS framework. The same controls that apply to a server in an office need to apply to all work from home controls devices. Those devices need to be patched regularly, vulnerability scans need to be performed, and data should not be able to be downloaded from the CDE to the local machine. All of these controls and regulations should be listed in your work from home policy.
Q: How critical are the results of internal controls to auditors?
A: Internal controls are very important to an auditor. They want to see that you’ve been monitoring certain controls throughout the year, see that you’ve done the proper internal audits, and if not, why you haven’t. Failing to provide this information can result in a non-compliant audit. Auditors also want to see how you’ve worked to remediate any issues that were identified during the internal audits. Compliance is a year-round effort, and a good auditor will want to see the work you’ve been doing to remain compliant and secure your organization’s data.
Q: What are some recommended processes for a newer organization looking to complete a SOC 2 audit and what are some pitfalls to look out for as well?
A: A good place to start when looking to undergo a SOC 2 audit is a gap analysis. A gap analysis will tell you where you stand against the SOC 2 controls. You’ll be able to see which controls you’ve already implemented and which ones you need to work on. The gap analysis can help you identify where you need to spend your time and money before you start your audit.
Newer businesses are at somewhat of an advantage when putting controls in place because they can customize the controls from the beginning instead of needing to remediate existing issues with controls that have been in place for a longer period of time.
Advisory services is another great tool for new organizations to utilize. A member of the advisory services team can help guide the organization when implementing controls, running risk assessments, and more.
One pitfall we see new businesses fall into is being so overwhelmed that they put compliance on the backburner. We understand how intimidating and overwhelming compliance can be on top of all of the other ins and outs of running a business. That’s why working with an advisory services team member is so valuable. They can provide a template for risk assessments and other compliance objectives that can make your compliance journey run more smoothly, or even walk you through the entire risk exercise so you can make sure you’re doing it right.
Still have compliance questions?
Audits are hard whether you’re getting ready for your first one or you’ve been through 100, but we are here to help. If you have a question that wasn’t addressed in our webinar or you want more details on any of the topics that were discussed, connect with one of our experts today. We would love to help make your compliance journey less overwhelming so you can become unstoppable.
