If you’re in a regulated sector, you’re aware of auditing requirements. Every 12-24 months, you have to hire an independent third-party to look at IT controls, processes and procedures and determine vulnerabilities and weaknesses.
What’s not apparent is the cost you may incur due to the audit firm you choose. The audit price may be reasonable, but how much are the recommendations going to cost? Saving money on the audit firm may end up costing tens or hundreds of thousands over the next few years.
A typical GLBA IT audit will consist of document grinding, network testing, systems testing, application review, and physical safeguards review. Once the data has been gathered and analyzed, it’s fed into the organization’s risk assessment. Or that’s how it’s supposed to work.
However, what usually happens is the auditor performs the review and testing, then assigns risk, either on a 1-10 scale or on a critical, high, moderate, low scale. The recommendations are rarely mapped to your organization’s risk profile and are usually based on generic best practices, assuming every organization has the same network, employees, exposure, and customers.
Once recommendations are delivered, the auditor leaves the building to move on to the next audit. There’s little consideration of IT budget and how to take a finite amount of money and implement what may seem like limitless controls.
Why a risk-based approach? With a risk-based audit, the organization’s size and complexity play into which controls to recommend.
For example, with a non-risk-based audit, the auditor may decide you should install a network access control (NAC) solution. NAC is a software solution preventing an unauthorized device from connecting to the network. Additionally, the auditor may cite you for a lack of employee email phishing training and having a sub-par backup system. Your budget allows you to implement two of the three recommendations. Which do you choose? How do you know which of these will provide the most value while making your organization safer?
While a NAC solution is ideal, the auditor could recommend installing a monitoring system designed to detect unauthorized network devices instead of a NAC. As the organization grows in size and complexity and the risk of rogue network devices increases, a NAC may be necessary.
However, the real danger is not having employee phishing training and a reliable backup system. Rogue network devices rarely occur, but phishing and, subsequently, ransomware occurs frequently. Phishing training and testing is the first line of defense, and if that fails and the organization is infected with ransomware, the network can be restored from a good backup.
If you’re written up and have to install a NAC, you will have tens of thousands of dollars in software, implementation, and subsequent administration while marginally reducing risk. And if you don’t install the NAC, you’ll be written up again on the next audit and maybe with a higher risk (even though the threat may not materially change). When the examiners visit and read the reports, they may pressure you to implement the recommendations regardless of the actual risk.
So what can you do?
- Ensure your audits are risk-based and take into account the size and complexity of your specific environment.
- Get auditor recommendations from your peers. The auditor’s experience doesn’t necessarily translate into whether the audit is looking at your specific risk so keep that in mind.
- If your audit turns out to have expensive and unnecessary recommendations, not based on risk, find another auditor for the next round.
- Your risk assessment is the only tool allowing you to push back on unreasonable control recommendations.
- Educate yourself. We encourage customers to push back on auditor unreasonable recommendations.
- Let the auditor know in advance you’ll have an outside compliance expert present for the audit exit meeting. Having a 3rd party present may temper some of the more unreasonable recommendations or at least put pressure on the auditor to justify recommendations.
At RedRock, we see dozens of audits every year, and most are not risk-based. Our frustration is with unreasonable recommendations that won’t make the organization safer while also taking money away from controls that could.
If you’re facing these circumstances, please reach out. Let’s discuss how to get you back on track. There’s no obligation and no cost.