Don’t Fear the Audit: How Internal Audit and Ops Are (Sometimes) Better Together

Audits often strike fear in the hearts of senior managers across an organization. Whether based on ISO, CMMC, TISAX or another standard, audits can be a major source of anxiety for leadership and a fire drill for staff. Truth be told, I too was once a panicked manager and fire drill captain before I came to understand the real value in audits that come more than once a year.

First, let’s align on some definitions. An audit is a first-, second- or third-party review of practices against a formal standard or framework such as ISO 27001. Successful third-party audits often conclude with a formal certification. An assessment is similar but may not be directly aligned with an auditable framework and need not conclude with a certification. NIST CSF, for example, is not an auditable framework but can be used as the basis for an assessment.

Audit anxiety is a learned behavior. All too often, staff are taught by their managers to fear audits and even worse, be dismissive of their findings. Auditors are often portrayed as being insulated from operational realities and out of touch with the ever-evolving threat landscape. This toxicity toward auditors can be pervasive and only increases the divisions between audit and operations.

Effective auditors do not pretend to be experts on your specific business line. This is a common but incorrect basis for detractors to dismiss an auditor’s work. In fact, an auditor’s principal responsibility is to determine whether the framework-based management system that has been implemented is operating effectively, that is, whether it is meeting its goals of quality, environmental responsibility, information security, privacy, etc.

Audit is ubiquitous but misunderstood and consequently, has a public relations problem.

Audit’s image issues are due in part to traditional approaches that frame it as a silo. In those approaches, audit is one of three lines of defense:

First Line: Operational management (not just IT), which identifies and manages risk within its functional area.
Second Line: Risk management and compliance, which observe and monitor risk management functions for the enterprise.
Third Line: Internal audit, which provides assurance functions to verify compliance and whether it is effective.

On one occasion in an organization, by design and out of necessity my position oversaw two lines at once: IT Operations and Internal Audit. While not recommended because of how it tests objectivity, the experience taught me a lot about the value of embedding assurance functions versus the siloed model.

In this joint approach to IT operations and internal audit, I implemented a cyber risk management strategy that paired cybersecurity professionals with internal IT auditors to facilitate rapid identification and remediation of underperforming controls. This tight integration allowed me and the information security management committee to closely monitor high-risk controls and quickly apply countermeasures or safeguards when protection objectives were missed, rather than wait for a planned audit to identify the deficiency.

In traditional, siloed organizations, key performance indicators (KPIs) or key risk indicators (KRIs) are critical to the monitoring function at the business- or operating-unit level. The difference between the traditional and integrated cyber-audit approaches is the close working relationship between the operations and internal audit functions.

In the integrated approach, at the operational level the front-line cybersecurity team members gained an appreciation for the value of measuring control effectiveness. This helped them conceptualize their efforts as consistent, incremental achievements rather than adversarial wins and losses. In turn, the internal audit team gained a better understanding of the threats, challenges and uncertainties surrounding cybersecurity operations. Internal auditors came to understand the operational influences on control selection, application and monitoring instead of seeing framework alignment as simply black and white.

At the organizational level, the integrated cyber-internal audit group was seen as a joint entity with distinct objectives and value-aligned responsibilities. Both cyber and audit contributed to the information security management system (ISMS) program and operated within the guardrails established by the Information Security Management Committee and corporate governance.

An integrated approach isn’t appropriate for all organizations. Because it reduces auditor independence, it also requires a strong and effective third-party audit program. Periodic third-party audits by a reputable, accredited firm help ensure the integrated audit function is operating effectively while objectively measuring the health of the management system.

The path to an integrated approach will vary greatly by organization. An enterprise with an established but siloed internal audit function may propose backfilling open internal audit positions within an operational group, such as IT, rather than within the internal audit organization itself. In other enterprises, if third-party audit findings recommend expanding continual improvement (CI) activities, leadership may consider embedding an internal auditor with a CI mindset rather than adding a task-oriented role within an operational unit. An enterprise without any audit function at all can use second- or third-party reports on its organization to improve iteratively, provided the source is trustworthy. External security rating services like SecurityScorecard and BitSight are good examples, keeping in mind that most of these services can see external assets only.

Regardless of the approach, the focus should always be on high-risk areas and their respective controls. The value in a hybrid approach is the close coordination between operations and audit toward the goal of reducing overall risk. The more critical the risk, the closer it should be monitored in terms of periodicity and depth.

To learn whether an integrated cyber-audit approach can benefit your organization, contact me at jeff@southlakecyber.com.
