An auditor can be seen as a nit-picky, negative, overly involved outsider coming into your environment, asking questions and looking for any control that’s insufficient. This mindset causes organizations to fear auditing and auditors, when in reality an audit is a healthy habit, and auditors are trained to help you better understand and protect your assets. Audits don’t need to be so intimidating. Instead, a successful, quality audit should include two things: honesty and documentation.

Honesty Really Is the Best Policy 

Even though auditors can seem scary at first, they aren’t your enemy. It’s natural to want to present the best version of your organization to your auditor, but it’s important that you don’t try to hide controls or processes that you know don’t meet a standard. Instead, our advice is to be honest and involved in your audit process.  

Your job is to protect your assets, and your assessor’s job is to verify how you’re protecting them. If you’re declaring that you do something that you’re not actually doing, you’re setting your organization up for exploitation. Your auditor is there to help you, but they can only do that if they are seeing everything they need to understand how your business regularly functions. If you know you have an insufficient control, be up-front with your assessor; let them know you have a plan to fix the control and when you expect the modifications to be implemented. 

Imagine that during an audit, you hide an insufficient control from your auditor. You get through the audit and receive your report where that exception isn’t listed. Everything appears to be secure and compliant on paper to both your competitors and your clients. Then a breach happens. What caused the breach, you might ask? You guessed it: the control that you weren’t up-front about with your auditor. Now, you’ve not only placed your client data at risk but you’ve also damaged your own reputation.  

Your auditor isn’t there to judge you during an audit. They should want to help you find exceptions so you can strengthen your organization’s security posture. Honesty paired with a thorough, quality audit process will help result in a successful audit.  

Document It, or It Didn’t Happen 

We say it over and over and over again: if it’s not written down, it’s not happening. Documentation is another key to a successful audit. You must prove that you’re actually doing what you say you’re doing as part of your due diligence, and the best way to prove that you’re doing everything you should be is through policies and procedures.  

A policy is an executive-level order that defines that something must be done, and a procedure defines how you do it. In other words, policy defines a rule, and the procedure says, “This is who is expected to do it, and this is how they are expected to do it.” Standards are the tools, means, and methods that you will use to meet policy requirements.  

Documentation and honesty support each other when you’re working to have a successful audit engagement. When you document everything that you should be doing to remain compliant and secure and follow that documentation, it’s easy to be honest with your auditor as you show them how your organization regularly operates.  

Find a True Audit Partner with KirkpatrickPrice 

At KirkpatrickPrice, we understand that audits are hard, but our goal is to make them worth it. Our expert auditors want to help you have a successful audit. With an average of 25 years of industry experience, our auditors understand complex environments along with the frameworks and requirements you’re operating under. When you partner with KirkpatrickPrice, we are dedicated to helping you become unstoppable. If you’re ready to start your audit or simply want to talk to one of our experts, connect with us today.  


With the holiday season always comes a rise in cybercrime and data theft. With that in mind, it’s a perfect time to remind ourselves of important information security tips to keep us safe and secure this holiday season. So don’t let the Grinch ruin your holiday. Here are 5 things the Grinch can teach us about information security:

1. Beware of Social Engineering

“With this coat and this hat I look just like St. Nick!” These infamous words led the Grinch straight through Whoville, sneaking into homes, successfully impersonating someone the Whos trusted, and stealing Christmas. This popular form of hacking, known as social engineering, can be avoided by training your employees to never give out sensitive information or access (e.g., username and password combinations, or entry to a restricted area) without fully verifying the identity of the person asking.

2. Ensure Network Security

Don’t let the Grinch slide down your chimney unannounced. Ensure network security by implementing and maintaining a firewall configuration. As auditors, a common gap we see when performing audits is a poorly maintained firewall. Maintaining a secure firewall is important in order to monitor incoming and outgoing traffic and block unauthorized requests. Back up your network security with effective, fully documented policies and procedures.

3. Secure your Last Line of Defense

Train the little Cindy Lou Whos to recognize security incidents when they happen. Regularly training your employees on security awareness and on your policies and procedures is a critical component of your organization’s security. You’re only as strong as your weakest link, so continually train employees on their logical and physical security responsibilities so that they know how to respond in the event of a security incident.

4. Perform Annual Risk Assessments

Don’t let the Grinch rob you blind: protect your assets from theft and breach. The first step in safeguarding your business from theft or a data breach is performing an annual risk assessment. Risk assessments are a way to identify assets and prioritize the risks to those assets, allowing organizations to ensure the proper controls are put in place to protect those assets from vulnerabilities and threats.

5. Test your Incident Response Plan

The Whos didn’t let the Grinch ruin their holiday. They were prepared to move forward in the wake of a security incident. Have a plan in place that you have tested, and train employees on your incident response policies and procedures. Your Incident Response Plan should include policies and procedures that dictate to your organization the immediate actions to be taken following the detection of an incident.

Stay safe over the holidays, and don’t forget these 5 important tips to ensure the Grinch doesn’t ruin your holiday.