Audit Rant

I'm in the middle of our twice-annual SAS 70 audit.  Audits are pretty much a part of any InfoSec professional's life at one time or another.  Some of us act as the proxy for our organization, providing what's needed to the auditors.  Others of us are responsible for doing the auditing.  There are several jobs in InfoSec that don't really deal with Audits, but if you work in the industry long enough, you're likely to experience audits eventually.

Some have asked me what exactly an audit is.  Those who've been through a tax audit know that audits aren't fun.  There are many types of audits depending on the industry you're in.  Hospitals and Medical firms must comply to HIPAA.  Firms that handle payment card information must comply to PCI DSS, and if you work for a publicly traded company in the US, you can thank the turn-of-the-century financial scandals of Enron, Tyco, WorldCom and others for the Sarbanes-Oxley Act and the audits that ensued.  The list goes on and on, and there are audits to ensure proper controls are in place.

Being on the "receiving" end of the SAS 70 this time around, I can try to convey what happens.  Imagine if someone comes by and asks for your car's odometer readings at each fill-up, all of your phone bills and bank statements for the past six months.

Imagine after having turned that over, you get them back a while later, with a bunch of items highlighted.  The auditor wants to know where you drove on 20 specific tanks of gas or on specific days.  He wants to know what you purchased with 50 randomly-highlighted withdrawals from your bank statement, and wants to know the nature of a bunch of your phone calls.

Now, take that a step further, and widen the scope. I have to provide that kind of detail, but not about personal finances and the like, but about my entire enterprise.  The people, the systems, the procedures, the documentation authorizing certain actions to be done, and all that.  Yes, at this point, the "auditee" (that's me) is tasked with answering for pretty much every action that's taken place within their organization, regardless if they had anything to do with the actions taken or not.

I've been on the auditor end of things as well, but it's been quite a few years.  It comes with its own challenges.  That's another rant for another day... or does someone feel like doing a guest post with a counter-point to this article?

blog comments powered by Disqus