Signs that You’re in a Good Relationship with Your Auditing Firm

When choosing an audit firm to partner with, it should be more than just a business transaction: you should be thinking about building a relationship with an organization and how its employees will help your organization in the long run. Like any relationship, there are sure to be challenges along the way, and the auditor-auditee relationship is no exception. Whether it’s your first time partnering with an audit firm or you’ve been working with a firm for years, there are a few ways to know that you’re in a good relationship with your audit firm. Let’s take a look at six key signs that prove your audit partner is the right firm for you.

Your audit partner wants you to succeed.

The first prominent sign that you’re in a good relationship with your audit partner is that they want you to succeed. As an information security auditing firm, we often have clients who fear the audit process because of the misconception that audits are pass/fail. This is not the case. At KirkpatrickPrice, our mission is to educate, empower, and inspire our clients to greater levels of assurance by partnering with them to achieve their challenging compliance objectives. As your partner, we will do what’s necessary to guide you toward accomplishing your compliance goals, such as providing additional consulting services and free educational resources. If an audit firm simply treats the audit engagement as a business transaction, meaning they reluctantly come onsite or don’t come at all, show little interest in helping your organization succeed, neglect to provide remediation strategies, or fail to communicate how vulnerabilities can be mitigated, they aren’t helping your organization succeed.

Your audit partner holds you accountable to your goals.

Whether you’ve been asked by a client to undergo an information security audit or your organization has decided to proactively pursue compliance of its own accord, tackling the audit process can be tedious. That’s why you need a partner to hold you accountable. With our Online Audit Manager, senior-level Information Security Specialists, Audit Support Professionals, and client success team, our clients can rest assured that they have a partner that holds them accountable to their goals. At KirkpatrickPrice, we know that pursuing compliance requires a time, personnel, and financial investment that is not to be taken lightly, and we’re committed to ensuring that our clients accomplish what they set out to achieve by the end of the engagement period. Does your audit firm let you frequently put off answering questions? Do they let you keep pushing back the engagement period? If so, they aren’t holding you accountable to your goals and are missing a critical opportunity to exhibit one of the most important signs that you’re in a good relationship with your audit partner.

Your audit partner goes above and beyond for you.

The audit process is more than just uploading documents, answering auditors’ questions, and going through the onsite visit. It’s about achieving challenging compliance goals to strengthen your security posture. At KirkpatrickPrice, we recognized this and have hired personnel to ensure that not only are our clients receiving quality, thorough services from our senior-level Information Security Specialists, but that they also receive quality, thorough reports that are written by a team of technical writers and are thoroughly reviewed by our Quality Assurance team.

We also know that compliance efforts shouldn’t stop when the engagement ends. Because ensuring that your security posture remains strong is an ongoing effort, any audit firm that stops partnering with you after the audit period is complete is doing you a disservice. Does your audit firm currently update you with information security best practices? Do they provide additional consulting services to assist you in maintaining your information security system once the audit period is complete? An audit firm that goes above and beyond the basic audit process is one of the key signs that you’re in a good relationship with your audit firm.

Your audit partner has strong communication skills.

Good communication is one of the staple signs that you’re in a good relationship with your audit partner. We understand that the audit process is challenging enough and adding poor communication into the mix only makes undergoing audits seem that much more daunting. If you have little to no communication with your audit team during the audit, you’re not in a good relationship. If you are suspicious that any step in your process is being outsourced (penetration testing, report writing, etc.), this should also be a red flag that you’re not in a good relationship with your audit firm. Think about it: how can an auditor conduct a thorough audit if they aren’t speaking with you about your systems? How can they understand your business without analyzing it firsthand?

Your audit partner knows more than you do.

Getting into a relationship with someone who has very little experience can be challenging and extremely frustrating. When you’re undergoing something as complex as an information security audit, you don’t want someone performing the audit who is still learning the ropes. You want a senior-level professional who has decades of experience working in the industry. If your audit firm sends a junior-level auditor to perform an onsite visit, chances are you won’t be building a good relationship. As part of performing your due diligence when vetting audit firms, make sure you’re verifying that only an experienced professional will be carrying out the engagement.

Your audit partner has a good track record.

Before you enter any business relationship, it’s especially important to make sure that the organization has a good track record. Why? Because if you’re making the investment in compliance, you must practice your due diligence to ensure that you receive a quality, thorough audit. What would be the impact if your client wasn’t satisfied with the quality of your audit? You would have wasted weeks of your personnel and financial resources, opened your organization up to possible breaches, and/or faced steep fines and penalties for non-compliance. There’s a reason why KirkpatrickPrice has partnered with businesses of all sizes and in all places to deliver our quality, thorough audit services. We’ve streamlined the audit process, hired expert professionals to ensure that quality reports are delivered, and committed ourselves to partnering with our clients to achieve their compliance goals.

If you’re just starting out on your compliance journey or are looking to re-evaluate your current relationship with your audit partner, ask yourself: does your audit firm demonstrate these signs that you’re in a good relationship? It’s never too late to make sure that you’re in a good relationship with your audit partner, so contact us today.


Every business has something to lose. But…who loses sleep over it? Whose job is on the line if assets are compromised? Who cares about protecting their assets? In recent data breaches, some companies just haven’t shown the expected response when their assets were compromised. Take Uber, for example. The core of Uber’s business is drivers and riders, yet they covered up a hack for over a year. Hackers stole 57 million credentials through a third-party cloud-based service and Uber paid to cover it up. Uber knew they’d face major backlash when the cover-up was exposed because they didn’t protect their assets.

How can organizations protect their assets? Investing in penetration testing is one way to show clients, prospects, and competitors that you are willing to protect your assets and that you recognize the value of your assets. The value of penetration testing comes from the value of your assets, not the size of your company.

What Type of Assets Do You Protect?

In any industry, there are assets that need to be protected. You may not think that your organization has a “security issue,” but third-party validation through penetration testing can either validate or deny that. Cardholder data, Social Security numbers, protected health information, access credentials, intellectual property – businesses across industries need to recognize how penetration testing can protect their assets.

  • Casinos – The gaming industry has earned a reputation of strict, effective physical security. As technology advances, though, so should cybersecurity. If a casino is connected to a hotel, are the networks segmented appropriately? If not, a hacker may have found a way into the casino’s gaming network. From there, they could have access to the security cameras, ability to manipulate odds, see payout information for each machine, alter rewards information, or worse.
  • Hotels – Cardholder data, passport information, rewards numbers, room information, security systems, and more could be compromised if a hotel is hacked. The Marriott hack exposed in 2018 is now one of the largest known thefts of personal records in history. When Marriott’s Starwood reservation system was breached, the personal data of up to 500 million guests was compromised.
  • Pharmaceutical – Production and development, intellectual property, operations, clinical trials, and laboratory results can be impacted when the pharmaceutical industry is targeted by cyberattacks. When pharma giant Merck was hit by NotPetya, it disrupted their operations across the world and production of new drugs, ultimately costing them over $600 million in 2017.
  • Utilities – The threat of power grids being attacked by nation states is becoming more real every day. In 2018, the DHS linked Russia to hacking US power suppliers and publicly spoke about the cyberattacks to warn and prepare other energy suppliers.
  • Data Centers – Whatever data is stored in a data center is under threat. Any insecure access point, like security systems, power supply, security cameras, or HVAC systems, is fair game to a hacker.
  • Retail – Cardholder data is the major asset of any retailer. The infamous 2013 Target hack is a nightmarish example of just how much data a retailer is responsible for. The compromised cardholder data of 40 million shoppers led to a $18.5 million settlement for Target.
  • Airlines – Passport details, passenger itineraries, rewards information, cardholder data, flight schedules, and the safety of passengers are things that could be compromised if an airline is hacked. Fortunately, no travel or passport details were revealed in British Airways’ 2018 data breach, but 380,000 transactions were compromised due to digital skimming on the airline’s website and app.
  • Telecommunications – Because telecom providers communicate, transmit, and store sensitive data, they are a target for cyberattacks. Telecom providers also have attacks coming from two sides: directly to their organization’s network and indirectly through their users. There are new channels of attack with every advance in technology.
  • Auto – As automakers incorporate more technology into vehicles and self-driving cars become a reality, the threat of cyberattacks on vehicles is very real. Locks, brakes, volume, AC, acceleration – it’s all been proven to be hackable.
  • Education – Educational institutions hold not only attendance and grade records, but Social Security numbers, cardholder data, billing addresses, and many other forms of personal data. Understaffed universities that hold expensive research have a target on their backs. A data breach in the education industry costs $166 per capita, according to the Ponemon Institute.
  • Insurance – Cardholder data, protected health information, and other sensitive data are assets given to insurers through websites and apps, making the insurance industry a target for cyberattacks.
  • Public Sector – 44% of local governments face cyberattacks daily. The City of Atlanta’s ransomware attack was an unfortunate example of just how vulnerable cities are to cyber threats and how much it costs for a city to recover.
  • Banking – Social Security numbers, credit information, PINs, cardholder data, mailing addresses, email addresses, account balances – it’s all available to banks. In 2014, JPMorgan Chase was the victim of a hack that left half of all US households compromised, one of the largest thefts of consumer data in US financial institution history.
  • Hospitals – Protected health information, security systems, expensive research and prototypes, drugs, scheduling information, and operations of facilities are all assets that a hacker could hope to compromise through cyberattacks. Ransomware attacks are extensive in healthcare for this very reason. No hospital wants their computers, elevators, locks, medical devices, or HVAC system held hostage.

Seeing some similarities here? Any industry can benefit from penetration testing. Any service provider would be embarrassed to sell something that isn’t secure. Any healthcare organization on the HHS’ “wall of shame” will be used as an example of what not to do. Any payment processor’s reputation would be tainted by compromised cardholder data. No matter the industry, organizations need to protect their assets. What is the value of your assets?

How Can Organizations Use Penetration Testing to Protect Their Assets?

Penetration testing can be used to determine how vulnerable your assets are. It puts your security intelligence in your own hands instead of a hacker’s. It shows your security strengths and weaknesses, then allows you to prioritize your risk levels. If you have compliance requirements, then penetration testing helps align your organization’s security with those requirements. If you do not have compliance requirements, penetration testing is a proactive way to see and analyze the holes in your security posture. Because penetration testing is a simulated yet real-world exercise, it also gives your team a chance to have true “what if” scenarios to practice incident response and, hopefully, avoid the downtime that a breach would cost in the future.

Consider all types of penetration testing and consult with a qualified consulting firm to decide which would be most beneficial for protecting your assets. Internal or external network penetration testing, web application penetration testing, API testing, mobile app penetration testing, code review, social engineering – there are many options that could be useful to your organization’s security efforts.

If you’re questioning whether or not penetration testing would be appropriate for a business of your size or in your specific industry, remember to consider the value of your assets. The value of penetration testing comes from the value of your assets, not the size of your company or your industry.

If your default belief is that we, as an auditing firm, do not employ in-house penetration testers, let us make it clear: we do. We recognize the value of your assets and want to help you find your vulnerabilities and correct them. Contact us today to learn more about our penetration testing services.


Canada’s New Breach Notification Law: Preparation and Impact

On November 1, 2018, Canada’s Data Privacy Act amended the Personal Information Protection and Electronic Data Act (PIPEDA) to include Breach of Security Safeguards Regulations. Organizations subject to PIPEDA will now have to report breaches that pose “real risk of significant harm” to affected individuals to the Office of the Privacy Commissioner of Canada (OPC). What does this new regulation mean for organizations and how can they operate in a way that supports the regulation?

Why Did Canada Introduce a New Breach Notification Law?

The entire world is stepping up its game when it comes to privacy laws because of the continual growth of personal data sharing, unauthorized disclosures, and controversial uses of personal data. PIPEDA is Canada’s federal privacy law that regulates how organizations and businesses handle personal information. Like many privacy laws, it applies when personal information is collected, used, or disposed of for commercial purposes.

The purpose of PIPEDA is similar to that of GDPR or CCPA: to facilitate growth in electronic commerce by increasing the confidence of digital consumers, and to contribute positively to the readiness of Canadian businesses. PIPEDA aims to balance the privacy rights of individuals with the legitimate needs of business. Because so many Canadian organizations are required to comply with GDPR, this new regulation will further align PIPEDA with GDPR.

What Does My Organization Need to Know About Canada’s New Breach Notification Law?

If you’re not familiar with PIPEDA, Canada’s Data Privacy Act, or the new Breach of Security Safeguards Regulations, the following principles will help you understand the basics of Canada’s new breach notification law:

  • PIPEDA defines a breach of security safeguards as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
  • PIPEDA defines significant harm as bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
  • Whether the breach of security safeguards impacts one individual or thousands, it still needs to be reported if there is a real risk of significant harm.
  • Under PIPEDA’s accountability principle, even if an organization transfers personal information to a third party for processing purposes, it’s still responsible for the security of that personal information. Organizations must have appropriate contractual agreements in place to ensure that the relationship complies with PIPEDA.
  • Under the Breach of Security Safeguards Regulations, the contents of notification must include the description and/or cause of the breach, date or period of the breach, description of the personal information that was breached, number of individuals impacted, what the organization has done to reduce risk of harm to victims, how the organization will notify the victims, and a point of contact for information about the breach.
  • When a breach has occurred, the organization must maintain a record for a minimum of 24 months.
  • Failure to report a breach that poses real risk of significant harm could result in fines of up to $100,000 for each individual affected by the breach, if the federal government decides to prosecute a case. Under the current law, the OPC cannot issue fines or corrective actions, only advise organizations on how to make changes.

How Can Organizations Prepare?

This new breach notification law was released in April 2018, but went into effect in November, giving organizations six months to prepare themselves. Some reasonable preparation steps for your organization include the following:

  • Create a formal incident response plan that has been tested and implemented.
  • Create breach notification templates that include fields for all required content.
  • Conduct a formal risk assessment to determine the likelihood of a breach and the factors that are relevant to real risk of significant harm.
  • Perform data mapping to determine where personal information is collected, processed, or stored.
  • Assess user access activities and consider operating on a business need-to-know basis.
  • Stay aware of other breaches in your industry and learn from them. Don’t make the same mistakes as your competitors.


Voice-Enabled Devices and Data Privacy: Lessons Learned from Amazon

“Alexa, what’s the weather like in Nashville today?” Amazon’s Alexa, Apple’s Siri, the Google Assistant – the list of voice assistants and voice-enabled devices seems to just keep growing. “Hey Google, could you set an alarm for 8:00 AM tomorrow?” Their basic goal is to make our lives easier, right? Through voice assistants’ language processing abilities, they can complete all types of tasks – stream music, set an alarm, take notes, order products, control smart home functionality, and integrate with other applications. Voice assistants and voice-enabled devices live in the bedrooms, kitchens, and living rooms of millions of users. Voice assistants and voice-enabled devices are simultaneously helpful and vulnerable; what threats do they pose to data privacy? How do companies protect the data that users give Alexa, Siri, and the Google Assistant?

Amazon’s Data Privacy Worst Case Scenario

Under GDPR, any EU data subject may request that a company send them the entirety of the data collected about them, so a German Amazon user did just that. Amazon sent back fairly average findings – Amazon searches, orders, etc. – but also 1,700 voice recordings and transcriptions. The issue? This user doesn’t own any Alexa-enabled devices. He listened to the voice recordings to see if they were connected to him in some way, but concluded that it was an error on Amazon’s part. When he discovered this information leak, the user contacted Amazon but never heard back.

This story broke when the user went to German magazine c’t with his concerns, which eventually led to the identification of the voices in the recordings. C’t reported, “We were able to navigate around a complete stranger’s private life without his knowledge…The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims’ personal habits, their jobs, and their taste in music. Using these files, it was fairly easy to identify the person involved and his female companion. Weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends. Public data from Facebook and Twitter rounded out the picture.” This case is proof that even when users don’t think they’re giving up personal data to voice assistants, the accumulation of that data can lead to a full picture of who they are, where they are, their habits, and their community. Our digital footprints reveal so much about us. Voice assistants must store or have access to stored personal data in order to personalize the user experience, resulting in a cycle that continually expands users’ digital footprints.

In an effort of due diligence, c’t decided to contact the user behind the voice recordings. C’t reported, “We couldn’t find a phone number, so we used Twitter to ask the victim to contact us. He called back immediately and we explained how we found him. We had scored a direct hit and Neil Schmidt (not his real name) was audibly shocked when we told him about the personal data Amazon had sent to a stranger. He started going through everything he and his friends had asked Alexa and wondered what secrets they might have revealed. He also confirmed that we had correctly identified his girlfriend.”

Lessons Learned from Amazon’s Mistake

Obviously, with the purchase of a voice-enabled device and use of Alexa, Siri, or the Google Assistant, a user is agreeing to terms and conditions that address data privacy concerns, but when these terms and conditions aren’t upheld by the data controller or processor, the foundation of trust is damaged.

Amazon’s reaction to this data privacy incident was disappointing. The first misstep occurred when Amazon didn’t even notice their mistake. Then, when the user notified Amazon of the data privacy incident, he reported that Amazon never responded. When Amazon did recognize this incident, there was seemingly no timely notice to a data protection authority or the victim. After c’t got involved, Amazon finally contacted the user and victim about the mistake and an Amazon spokesperson stated, “This unfortunate case was the result of a human error and an isolated single case.” Was Amazon planning to respond to this case, or did the media attention prompt them to address the situation?

The benefit of regulations like GDPR and CCPA is that they provide new ways to hold organizations accountable for securing data subjects’ personal information. Building customer trust is a difficult task in this day and age; digital consumers are fearful of unwanted follow-up, sales pitches, cold calls, and spam. Organizations that demonstrate a commitment to privacy regulations like GDPR and CCPA have the potential to rebuild the trust that many digital consumers have lost. This trust, in turn, may actually result in greater sharing of personal data.

The paranoia around voice assistants and their listening-in abilities will, hopefully, not fade anytime soon. Users must be aware of the relationship they’re creating with companies like Amazon, Google, and Apple by inviting them to listen into their lives. Likewise, data controllers and processors must protect personal data with the appropriate controls and care.

If any data privacy regulations apply to your organization, contact us today to avoid situations like this. We want to empower your organization to protect the data you hold and ensure the privacy of your customers.


Remote Auditing vs. Onsite Assessments: What Do I Want?

There’s a lot to consider when choosing an audit partner. What does their audit process look like? What kind of services do they offer? How will they help you reach your audit objectives? How much do they charge? Will they perform a remote audit or an onsite assessment? While these are all valid concerns, organizations also have to consider their own intentions behind pursuing compliance: is it required in order to partner with new business partners? Is it to help strengthen your security posture? Is it just another item to check off on a to-do list? If an organization is looking to partner with a firm that doesn’t come onsite because it’s “easier” or cheaper, KirkpatrickPrice won’t be a good fit for you. At KirkpatrickPrice, we want to partner with organizations to help them meet their compliance objectives, and part of that is performing our due diligence and conducting an onsite visit. Why do many other audit firms advertise that they can effectively conduct an audit 100% remotely? Why do so many organizations loathe an onsite visit? Is there really that big of a difference between a remote and an onsite audit?

Why the Difference Matters

For organizations that are just starting out on their compliance journey or for organizations looking for a new audit firm to work with, there’s one critical component that needs to be kept in mind: the audit firm you choose should always perform an onsite assessment. Why? Audit firms who promote remote-only audits are doing you a disservice. And we would know – in 2006, we were the pioneers of the remote audit. However, our remote audit methodology was never intended to eradicate the onsite visit. Instead, we positioned ourselves as a trusted audit partner for helping our clients streamline the audit process and complete 80% of the audit before going onsite.

Licensed CPA firms also have an ethical obligation to perform their due diligence while conducting audits, and we take that obligation very seriously. We are committed to delivering quality audits, which would not be possible if we did not perform onsite visits. Without an onsite visit, an auditor can’t personally experience a company’s culture and integrity, processes, or physical security. For example, when our auditors have gone onsite in the past, they’ve gained access to “secure” locations, plugged into network jacks “hidden” in public spaces, found “protected” cardholder data printed out and stacked into piles in offices, and even found physical holes in walls of data centers due to construction. So, when you’re choosing an audit partner, ask yourself: what are you willing to risk so that your auditor doesn’t come onsite?

Controls that Require an Onsite Assessment

We know that undergoing audits requires a financial, personnel, and time investment from our clients, and we want to help them get the most out of their compliance efforts. Even more so, we want our clients to actually remain compliant, and performing an onsite visit assists us in doing that. Information security frameworks require that an auditor verifies that physical controls are in place to safeguard sensitive data. For example, PCI Requirement 9 says that entities should “restrict physical access to cardholder data.” How will an auditor be able to determine if an organization has implemented physical safeguards to protect their cardholder data environment if they don’t come onsite?

Getting Over the Fear of the Onsite Assessment

The onsite assessment versus remote audit debate really comes down to this: getting over the fear of the onsite visit. Because the audit process can be so rigorous and intimidating, many organizations fall into the trap of fearing the audit process altogether. This has resulted in organizations seeking out those audit firms that “guarantee” that they can deliver “quality” audits without coming onsite. Many of our clients that come to us after working with other information security firms actually enjoy our onsite visits because they can feel good about knowing their auditor. While you may want a remote audit, you need an onsite assessment – it’s critical for ensuring compliance and strengthening your security posture.

If your audit partner isn’t currently performing an onsite assessment, it’s time to rethink that partnership. We know audits can be hard, but don’t take the easy way out. Contact us today to learn more about our commitment to quality, thorough audits and how we can overcome the fear of the onsite together.
