It’s easy to make mistakes. We’ve all done it. Maybe you’ve put the milk in the cupboard and the cereal in the fridge this morning! These things happen with busy lives. But what about the security audit? There are dozens, if not hundreds, of small missteps that can turn a security audit sideways. And many of them seem to happen over and over again, regardless of how experienced the security team may be. The bad news is that they can make the security audit process a lot harder; the good news is that many of them can be avoided with some careful planning.
Here are the top 5 mistakes we see with companies who are starting the security audit process.
1. You don’t prepare sufficiently ahead of time
By far the biggest mistake companies make is not being ready for an audit. They have chosen an audit firm and think they are ready to go, but are they really ready for the rigorous process of a security audit? Thinking you are ready and actually being ready are two different things. For example, you might think you have all your data secure, but do you understand the boundaries of the security audit? The scope could include systems and supply chains that you have not considered to be in scope and therefore have not properly secured. Do you know where all your sensitive data is stored and who has access to it? Consider getting outside help to prepare for your audit. It will save you time and money in the long run and make the audit process a lot easier and faster.
2. You’re not taking advantage of tools and technology
Spreadsheets everywhere! No version control! If you don’t have the right tools to complete an audit, it will drive you crazy. Consider using an application that can help you manage your documents, keep track of approvals and share documents with your auditor in real time. A system that allows real-time comments and updates to documents will move your audit process along faster. And if you haven’t checked out the latest in audit preparation software, take some time to do your research. You might be surprised at how many companies are using integrated risk management software to prepare for audits more efficiently.
3. You have policies and procedures in place but can’t prove that you’re adhering to them
So you have the policies and procedures in place - great! How does the auditor know that they are being followed? You need to show evidence. We hear from auditors on a regular basis that one of their biggest headaches is a lack of evidence. Find a system that tracks not only the policies and procedures you have put in place but also maps the evidence back to them to support your work. Fixing this common mistake will solve a big auditor headache and help your security audit run more smoothly.
4. You don’t allocate sufficient budget
Have you developed a realistic budget that will cover the cost of a security audit? Or have you developed an optimistic budget based on low-cost suppliers and “almost-right” systems? Having a realistic budget is essential. A security audit is a significant investment of both time and money for your company. The rewards are great, but to ease the pain you need to start in the right place and invest in the process as an ongoing quality commitment for your business. Low-cost suppliers will cost you more in the long run, as it will take more time to complete the audit and you will pay more in auditor fees. As in points 1, 2 and 3 above, prepare well ahead of time, invest in the right tools for the job and gather the evidence in advance to make sure your security audit runs smoothly. Discuss your budget with a company that can help with security audit preparation, and also with an audit firm, so that you understand ahead of time what kind of financial commitment you are making.
5. You want to debate and pressure auditors to cut corners
Although we love the old saying that “the customer is always right”, it probably shouldn’t apply when it comes to security audits. Customers should not make the mistake of pressuring auditors to cut corners or arguing with them about which elements of the audit are necessary. If you have selected an auditor who is an AICPA member, then you should already be in good hands. These auditors work to a strict code of professionalism, are well-trained and have experience in the security audit process. Agreeing on the scope of the audit ahead of time can save a lot of conflict down the road. If you are looking for an auditor, check out a previous Ostendio blog post, “How to choose a SOC2 auditor - 6 questions to ask”, for guidance on selecting an audit firm that fits your needs.
Overall, we all make mistakes from time to time, but many can be avoided with good preparation and planning. Focusing on the task of a security audit and planning ahead of time can make the whole process less painful.
Ostendio helps customers every day as they prepare for audits and meet over 100 standards globally. We even help our customers find and engage qualified audit firms through our Auditor Connect platform. Speak to our experts to discuss your needs and see if the MyVCM integrated risk management platform can help your company take the pain out of security audits.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.
Avoiding the Hidden Pitfalls of Security Audits
In this webinar, see the 5 most common pitfalls of security audits and learn how you can avoid them with the power of MyVCM CrossWalk Assessments.