5 Project Management Tips for Information Security Audits

When most people think of auditing, they automatically associate it with negative emotions such as stress or anxiety. At KirkpatrickPrice, we understand that undergoing an information security audit can be an overwhelming task for organizations, and we want to partner with you to ensure that we can alleviate as much of that stress as possible. However, while we have processes, personnel, and tools like our Online Audit Manager to help your organization succeed, an audit engagement is a two-way street, and your organization must be sure to manage the project efficiently. To do so, we’ve come up with a five tips for project management for information security audits.

Project Management Tips for Information Security Audits

1. Know What You’re Getting into Before the Audit Begins

Often times, organizations fail to thoroughly research and understand what exactly will be expected of them during an audit engagement. For many organizations, this is because it is their first time undergoing an information security audit. Before an audit engagement begins, organizations need to familiarize themselves with their audit firm’s audit processes and the framework(s) that they are going to be audited against. This might mean reviewing the actual framework itself, like the PCI DSS or HITRUST CSF, or referencing educational materials to prepare your organization, like KirkpatrickPrice’s SOC 2 Academy.

In addition to familiarizing your organization with the frameworks and audit processes, organizations must ensure that everyone in their organization is on board with the information security audit from the start and that they are willing to participate as needed. Gaining the buy-in from C-level executives all the way down to department heads or key team players will make the audit engagement more efficient because everyone knows and understands what’s at stake during the audit and how they can play a roll in ensuring the completion of the engagement.

2. Make an Audit Strategy

For every organization, the audit process is different depending on the time, personnel, and financial resources available. The audit process is also different based on what services you choose. Will you go through a gap analysis? Are you provided with a remediation plan? How long will it take you to remediate? Do you have multiple audits happening simultaneously? This is why establishing an audit strategy is essential to project management for information security audits. Organizations must determine who will oversee the engagement, how the progress of the engagement will be tracked, and other considerations that could impact the completion of the audit, such as what would happen if someone from the company (i.e. a Director of IT) left the company during the audit.

3. Select a Leader to Oversee the Project

Want to ensure a successful audit? Selected a leader to oversee the engagement. At KirkpatrickPrice, we call this person the executive sponsor. This is typically a C-level executive who will manage the project, serve at the point of contact between your organization and ours during the engagement, and ensure that the project remains on schedule. If a problem arises during the audit, this person should be able to effectively communicate those problems to other stakeholders in the audit and work with the audit partner to find solutions and get the engagement back on schedule. This component is especially important when it comes to project management for information security audits.

4. Stay on Top of Deadlines

By far and large, sticking to deadlines during an audit period seems to be one of the most pressing concerns for organizations. When prospects approach us about engaging in an information security audit, we’re often asked if we be able to complete the audit and report by a specific date or told about a hard deadline that compresses the timeline. Because most organizations do need an audit by a specific date, we have streamlined our audit process to ensure an efficient delivery system. However, this system only works the way it’s designed to if our clients are held accountable and complete the work they’re assigned on time. Why? Because even the smallest delay, such as not turning in artifacts or evidence when requested, can lead to receiving your report later than it’s needed, and it could also cost you in late fees, clients, or even legal penalties. Additionally, to ensure efficient project management of information security audits, organizations must analyze the availability of the key players in the engagement. For example, what holidays will impact your deadline? Are there any team member vacations scheduled during the engagement? If so, how will the workload be distributed or completed to ensure that no delays occur?

5. Utilize Your Audit Partner

Project management for information security audits may seem like a daunting task. If you feel unsure about your progress during the audit engagement, utilizing your audit partner is a great way to get back on track. At KirkpatrickPrice, our Client Success Team and experienced Audit Support Professionals are available to answer questions, provide time management help, and additional resources to ensure the successful completion of an audit engagement all year round. Unlike many other CPA firms who drop or neglect clients during the busy tax season, we won’t because we’re solely an information security auditing firm. Our clients can rest assured that if they have questions about their audit – no matter what time of year – we’ll be there to help.

Here’s the thing: whether done because it’s required or because your organization wants to be proactive, information security audits are an investment that should not be taken lightly. At KirkpatrickPrice, we’re committed to helping our clients get the most out of their investment, but our clients must understand the critical role project management plays into information security audits. Project management helps ensure the efficiency of the engagement, ensure that deadlines are met, and ensure that reports are delivered on time. Ready to get started on your audit? Want to learn more about project management for information security audits? Contact us today.

More Auditing Resources

When Will You See the Benefit of an Audit?

Leveraging Information Security as a Competitive Advantage

Getting Executives on Board with Information Security Audits

Celebrating Women’s History Month at KirkpatrickPrice

The Role of Women in Information Security

Women play critical roles in advancing science, medicine, human rights, social justice issues, and so much more, but there’s one industry where women are just getting their foot in the door: information and cybersecurity. While this growing industry has been long dominated by men, it’s quickly starting to change. In fact, according to Cybersecurity Ventures, the percentage of women in the industry is projected to grow from the long-reported 11% to 20% by the end of 2019. Although this number may seem small, the impact these women have made on securing some of the world’s most sensitive assets is tangible. In honor of Women’s History Month, we’d like to spotlight KirkpatrickPrice’s Information Security Specialists and Audit Support Professionals who work tirelessly to ensure that our clients are secure.

Meet Our Auditors – Lee and Lorna

Information Security Specialists at KirkpatrickPrice are responsible for not only performing various audit and consulting services, but they’re responsible for building lasting relationships with our clients by educating, empowering, and inspiring them to greater levels of assurance.

Although she has only been with KirkpatrickPrice for two years, Lee Sirotnak’s 35 years of experience in the information security industry has helped her excel in her current role and achieve Lead Practitioner status. Clients have referred to Lee as a “driving force” during an audit engagement, and claimed that calls with her are worth thousands of dollars based on the education they walk away with. Holding CISSP, CRISC, and CSNA certifications, Lee uses her background and education to conduct regulatory and security audits, as well as serve as a mentor to her audit team. Lee believes that women play an especially important role in the information security industry because “as in all things, women have a different perspective than men, and having a diversity of perspectives makes us a stronger team.”

Lorna Willard also recently joined the KirkpatrickPrice team as an Information Security Specialist. With more than 20 years of experience working in the information security industry, especially within the federal government and the Department of Defense, Lorna’s insight into the industry is telling. She explains that throughout her years working in IT, she’s grown used to working in a male-dominated industry and acknowledges that many opportunities have opened up for women. She feels that working in this industry satisfies her desire to learn, test herself constantly, and earn a living doing something that she really enjoys.

Meet Our Audit Support Professionals – Jodi, Selena, Jessica, Mary Beth, and Erin

Audit Support Professionals at KirkpatrickPrice play an integral role in delivering our audit services. They are responsible for serving as a client liaison, ensuring quality services before and during the audit process, and providing any necessary training for clients.

Jodi Carson is KirkpatrickPrice’s most veteran Audit Support Professional. She has a B.S. in Information Systems Security and holds the Security+ certification. Clients often comment on Jodi’s hardworking attitude and commitment to the project. Jodi especially enjoys helping clients become confident about security – something that many are reluctant to be because of the ever-changing threat landscape.

Selena Carlton has seven years of experience working in the information security industry.  She enjoys the problem-solving aspect of her position and is committed to providing a quality experience for clients.

Jessica Leo was one of three women in her program who graduated with their IT degree and was advised early on about entering a male-dominated industry. Thankfully, she has not experienced any adversity throughout her experience working in the industry. Instead, Jessica remains optimistic about the opportunities for women in the industry, saying that “women should work in information security because it has excellent opportunities for growth, empowerment, and an all-around lucrative and successful career.”

Erin Gregory has a B.S. in Computer and Information Technology, and will also pursue a Master’s in Engineering Technology Management. Although she is just beginning her career in the industry, Erin most enjoys that she is constantly learning and being challenged on the job. She sees the information security industry as a lucrative industry full of opportunities for women, especially because of the flexibility that many IT jobs offer.

Mary Beth Muniz is new to the information security industry but believes that women are the future of technology. Like Lee, Mary Beth believes that women can bring a fresh perspective to the industry and individual engagements. In her own experiences, her ability to engage her nurturing side can prove to be useful during high-stress audit engagements.

What is the Future for Women in Information Security?

When asked what the future looks like for women in the industry, one thing remained constant across the board from our female professionals: the importance of education and empowerment. Whether it’s joining or partnering with technology organizations, supporting STEM groups for women and girls, such as Girls Who Code, or participating in professional development activities through KirkpatrickPrice, our female professionals know that in order for women to be successful in the industry, they need to feel empowered and have access to the right resources.

At KirkpatrickPrice, our core mission is to educate, empower, and inspire our clients to greater levels of assurance, but we’re also committed to educating, empowering, and inspiring our personnel too. This means that the women who work at KirkpatrickPrice can know they’re supported and valued. In fact, Lee explains, “I can honestly say that I’ve never been so fully supported. KirkpatrickPrice is the first company at which I experienced absolutely no difference in treatment for being a woman – I am an auditor just like all of the other auditors.  I’ve not had to work harder – or less hard – because I’m a woman. In a positive way, this company is gender neutral, and the greatest strength in my opinion is that we are all supported very well.” KirkpatrickPrice is committed to delivering quality, thorough audit and advanced penetration testing services, and that would not be possible without the talented women on our team. As the roles and opportunities for women across the globe continue to grow, especially in the information security industry, we’re thankful for the female professionals that have chosen to dedicate their lives to securing the sensitive assets that fuel our businesses.

Signs that You’re in a Good Relationship with Your Auditing Firm

When choosing an audit firm to partner with, it should be more than just a business transaction: you should be thinking about building a relationship with an organization and how its employees will help your organization in the long run. Like any relationship, there are sure to be challenges along the way, and the auditor-auditee relationship is no exception. Whether it’s your first time partnering with an audit firm or you’ve been working with a firm for years, there’s a few ways to know that you’re in a good relationship with your audit firm. Let’s take a look at six key signs that prove your audit partner is the right firm for you.

Your audit partner wants you to succeed.

The first prominent sign that you’re in a good relationship with your audit partner is that they want you to succeed. As an information security auditing firm, we often have clients who fear the audit process because of the misconception that audits are pass/fail. This is not the case. At KirkpatrickPrice, our mission is to educate, empower, and inspire our clients to greater levels of assurance by partnering with them to achieve their challenging compliance objectives. As your partner, we will do what’s necessary to guide you toward accomplishing your compliance goals, such as providing additional consulting services and free educational resources. If an audit firm simply treats the audit engagement as a business transaction, meaning they reluctantly come onsite or don’t come at all, show little interest in helping your organization succeed, neglect to provide remediation strategies, or fail communicate how vulnerabilities can be mitigated, they aren’t helping your organization succeed.

Your audit partner holds you accountable to your goals.

Whether you’ve been asked by a client to undergo an information security audit or your organization has decided to proactively pursue compliance on your own accord, tackling the audit process can be tedious. That’s why you need a partner to hold you accountable. With our Online Audit Manager, senior-level Information Security Specialists, Audit Support Professionals, and client success team, our clients can rest assured that they have a partner that holds them accountable to their goals. At KirkpatrickPrice, we know that pursuing compliance requires a time, personnel, and financial investment that is not to be taken lightly, and we’re committed to ensuring that our clients accomplish what they set out to achieve by the end of the engagement period. Does your audit firm let you frequently put off answering questions? Do they let you keep pushing back the engagement period? If so, they aren’t holding you accountable to your goals and are missing a critical opportunity to exhibit one of the most important signs that you’re in a good relationship with your audit partner.

Your audit partner goes above and beyond for you.

The audit process is more than just uploading documents, answering auditors’ questions, and going through the onsite visit. It’s about achieving challenging compliance goals to strengthen your security posture. At KirkpatrickPrice, we recognized this and have hired personnel to ensure that not only are our clients receiving quality, thorough services from our senior-level Information Security Specialists, but that they also receive quality, thorough reports that are written by a team of technical writers and are thoroughly reviewed by our Quality Assurance team.

We also know that compliance efforts shouldn’t stop when the engagement ends. Because ensuring that your security posture remains strong is an ongoing effort, any audit firm that stops partnering with you after the audit period is complete is doing you a disservice. Does your audit firm currently update you with information security best practices? Do they provide additional consulting services to assist you in maintaining your information security system once the audit period is complete? An audit firm that goes above and beyond the basic audit process is one of the key signs that you’re in a good relationship with your audit firm.

Your audit partner has strong communication skills.

Good communication is one of the staple signs that you’re in a good relationship with your audit partner. We understand that the audit process is challenging enough and adding poor communication into the mix only makes undergoing audits seem that much more daunting. If you have little to no communication with your audit team during the audit, you’re not in a good relationship. If you are suspicious that any step in your process is being outsourced (penetration testing, report writing, etc.), this should also be a red flag that you’re not in a good relationship with your audit firm. Think about it: how can an auditor conduct a thorough audit if they aren’t speaking with you about your systems? How can they understand your business without analyzing it firsthand?

Your audit partner knows more than you do.

Getting into a relationship with someone who has very little experience can be challenging and extremely frustrating. When you’re undergoing something as complex as an information security audit, you don’t want someone performing the audit who is still learning the ropes. You want a senior-level professional who has decades of experience working in the industry. If your audit firm sends a junior-level auditor to perform an onsite visit, chances are you won’t be building a good relationship. As part of performing your due diligence when vetting audit firms, make sure you’re verifying that only an experienced professional will be carrying out the engagement.

Your audit partner has a good track record.

Before you enter any business relationship, it’s especially important to make sure that the organization has a good track record. Why? Because if you’re making the investment in compliance, you must practice your due diligence to ensure that you receive a quality, thorough audit. What would be the impact if your client wasn’t satisfied with the quality of your audit? You would have wasted weeks of your personnel and financial resources, opened your organization up to possible breaches, and/or faced steep fines and penalties for non-compliance. There’s a reason why KirkpatrickPrice has partnered with businesses of all sizes and in all places to deliver our quality, thorough audit services. We’ve streamlined the audit process, hired expert professionals to ensure that quality reports are delivered, and committed ourselves to partnering with our clients to achieve their compliance goals.

If you’re just starting out on your compliance journey or are looking to re-evaluate your current relationship with your audit partner, ask yourself: does your audit firm demonstrate these signs that you’re in a good relationship? It’s never too late to make sure that you’re in a good relationship with your audit partner, so contact us today.

More Assurance Resources

When Will You See the Benefit of an Audit?

Getting Executives on Board with Information Security Needs

Why Quality Audits Will Always Pay Off: You Get What You Pay For

5 Questions to Ask When Choosing Your Audit Partner

Remote Auditing vs. Onsite Assessments: What Do I Want?

There’s a lot to consider when choosing an audit partner. What does their audit process look like? What kind of services do they offer? How will they help you reach your audit objectives? How much do they charge? Will they perform a remote audit or an onsite assessment? While these are all valid concerns, organizations also have to consider their own intentions behind pursing compliance: is it required to partner with new business partners? Is it to help strengthen your security posture? Is it just another item to check off on a to-do list? If an organization is looking to partner with a firm that doesn’t come onsite because it’s “easier” or cheaper, KirkpatrickPrice won’t be a good fit for you. At KirkpatrickPrice, we want to partner with organizations to help them meet their compliance objectives, and part of that is performing our due diligence and conducting an onsite visit. Why do many other audit firms advertise that they can effectively conduct an audit 100% remotely? Why do so many organizations loathe an onsite visit? Is there really that big of a difference between a remote and onsite audit?

Why the Difference Matters

For organizations that are just starting out on their compliance journey or for organizations looking for a new audit firm to work with, there’s one critical component that needs to be kept in mind: the audit firm you choose should always perform an onsite assessment. Why? Audit firms who promote remote-only audits are doing you a disservice. And we would know – in 2006, we were the pioneers of the remote audit. However, our remote audit methodology was never intended to eradicate the onsite visit. Instead, we positioned ourselves as a trusted audit partner for helping our clients streamline the audit process and complete 80% of the audit before going onsite.

Licensed CPA firms also have an ethical obligation to perform their due diligence while conducting audits, and we take that obligation very seriously. We are committed to delivering quality audits, which would not be possible if we did not perform onsite visits. Without an onsite visit, an auditor can’t personally experience a company’s culture and integrity, processes, or physical security. For example, when our auditors have gone onsite in the past, they’ve gained access to “secure” locations, plugged into network jacks “hidden” in public spaces, found “protected” cardholder data printed out and stacked into piles in offices, and even found physical holes in walls of data centers due to construction. So, when you’re choosing an audit partner, ask yourself: what are you willing to risk so that your auditor doesn’t come onsite?

Controls that Require an Onsite Assessment

We know that undergoing audits requires a financial, personnel, and time investment from our clients, and we want to help them get the most out of their compliance efforts. Even more so, we want our clients to actually remain compliant, and performing an onsite visit assists us in doing that. Information security frameworks require that an auditor verifies that physical controls are in place to safeguard sensitive data. For example, PCI Requirement 9 says that entities should “restrict physical access to cardholder data.” How will an auditor be able to determine if an organization has implemented physical safeguards to protect their cardholder data environment if they don’t come onsite?

Getting Over the Fear of the Onsite Assessment

The onsite assessment versus remote audit debate really comes down to this: getting over the fear of the onsite visit. Because the audit process can be so rigorous and intimidating, many organizations fall into the trap of fearing the audit process altogether. This has resulted in organizations seeking out those audit firms that “guarantee” that they can deliver “quality” audits without coming onsite. Many of our clients  that come to us after working with other information security firms actually enjoy our onsite visits because they can feel good about knowing their auditor. While you may want a remote audit, you need an onsite assessment – it’s critical for ensuring compliance and strengthening your security posture.

If your audit partner isn’t currently performing an onsite assessment, it’s time to rethink that partnership. We know audits can be hard, but don’t take the easy way out. Contact us today to learn more about our commitment to quality, thorough audits and how we can overcome the fear of the onsite together.

More Assurance Resources

Was the Audit Worth It?

Was the Gap Analysis Worth It?

Getting Executives On Board with Information Security Needs

Why Quality Audits Will Always Pay Off: You Get What You Pay For

Choosing the Online Audit Manager: One Tool, Multiple Audits

Because of the complexity of today’s threats and the innovation of new businesses, it’s not uncommon for organizations to pursue multiple compliance goals at the same time. Let’s say you provide IaaS solutions – you may want not only a SOC 2 attestation, but also HIPAA compliance for the healthcare clients you serve. Let’s say you’re a payment processing SaaS who needs PCI compliance and a SOC 2 attestation. When an organization is pursuing multiple compliance goals, it’s crucial to find an auditing firm who has the technology and expertise to not only streamline your process, but also use your resources in the most responsible way. At KirkpatrickPrice, we utilize our Online Audit Manager to do so. Let’s discuss the common challenges that come along with pursuing multiple compliance objectives and the solutions we provide.

Road Blocks for Multiple Compliance Objectives

We see three common challenges when companies try to undergo multiple audits: a heavy focus on remote auditing, a steep price, and lack of expertise.

Many auditing firms simply don’t have the necessary certifications and experience to provide a wide span of information security audits. Let’s go back to the SaaS example – to gain a SOC 2 attestation, you’ll need a CPA firm that has auditors who specialize in information security. To gain PCI compliance, your audit needs to be performed by a QSA. Looking for a CPA firm that’s also a QSA firm may prove to be challenging, but you want to perform due diligence to find a qualified, experienced information security auditing firm. If not, you’ll have to work with several different firms and several different auditors, who all have different processes.

Many auditing firms market themselves as the firm that doesn’t have to waste time and money on onsite visits because of their online portal (which is actually just a document upload site). They tout “100% remote auditing” as their best feature. If you’re an organization who wants to check information security off your to-do list, these types of firms could be a good fit for you. We believe that an audit that is completely remote is actually a disservice. When we created our own portal with remote auditing functionality, we never intended to use it to make ourselves an “only remote auditing” firm. Onsite visits are needed to witness physical security controls, company culture, integrity, and to cultivate the best partnership possible. Don’t choose a firm who pushes a full remote audit.

With the development of online portals came new software providers. They offer a GRC portal as a service, but not the actual auditing. At KirkpatrickPrice, that’s not the way it works. We’re not going to charge you separate prices for an audit and for the use our Online Audit Manager. Shane Shissler, Technical Services Manager at Anexio, put it this way, “Other GRC products are really great, but as I was watching demos, I realized that your portal did so much of the same stuff. Your portal essentially does all of the same things and has many of the same functionalities. Companies are charging up to $5,000 a month to use their GRC software. Your Online Audit Manager is automatically granted with doing the audit; it’s included in your pricing. Not only does KirkpatrickPrice do a great job with your reports and pricing, but with that report and that audit, you also give access to your portal which maps multiple frameworks. It’s just such an added value.”

Our Solution: The Online Audit Manager

The Online Audit Manager - KirkpatrickPrice | Streamline Your Audit Process

When an organization asks why they should work with KirkpatrickPrice, we can’t help but talk about our Online Audit Manager. When Joseph Kirkpatrick began his career in the information security industry, he noticed a major gap: a way to perform multiple audits through a single process. Thus, our Online Audit Manager was created. KirkpatrickPrice was the first authorized company to provide multiple audits through an online portal process.

Our Online Audit Manager isn’t intended for 100% remote auditing or solely a tool to store documents. Our portal is the way our auditors, audit support staff, technical writers, and client success team interact with clients and manage the audit progress. It’s how we combine multiple audit frameworks into one audit. The portal acts as a guide through the audit control objectives, allowing each client to organize their requirements and document their process.

Steve Grzybinski, Director of Security, Compliance, and Technology at Connectria Hosting, explains, “What used to be difficult has become easier after incorporating the KirkpatrickPrice portal into our processes. KirkpatrickPrice has made the audit process a more efficient with the tools and partnership mentality that they bring to the table. The online portal that allows us to combine all of the questions from all of the audit disciplines that we require has made this effort quicker, easier, and more engaging. The KirkpatrickPrice team has become an extension of the Connectria team throughout each exam effort. This harmonization is important for minimizing duplication of effort for any organization that must demonstrate compliance in multiple audit disciplines. Year over year, we continue to grow and improve our auditing processes. Connectria has been able to create repeatable automated processes for vulnerability management, evidence gathering, and monthly reporting after engaging with KirkpatrickPrice.”

If you’re wondering how you can meet all of your compliance goals, let us walk you through an Online Audit Manager demo and discuss your compliance plan. With KirkpatrickPrice, it may be more achievable than you think!

More Assurance Resources

When Will You See the Benefit of an Audit?

5 Questions to Ask When Choosing Your Audit Partner

What Type of Compliance is Right for You? 10 Common Information Security Frameworks