“The auditors are here!” Your blood runs cold, like seeing red and blue flashing lights in the rearview mirror. You needn’t worry. An external audit doesn’t have to incite fear and horror. In fact, the process can be affirming, a strengthening experience for service companies that deal with sensitive client data.
In part one of this two-part series, we dealt with internal audits and best practices to conduct an effective assessment using company resources and staff. Here, we will deal with external audits, which are conducted by independent professionals certified in their particular field of practice.
Let’s review: Auditing is a process by which organizations and leaders learn how well policies and procedures are followed, how closely the company’s documentation describes actual practices and how effective those processes are in achieving organizational goals. Auditing is about measuring and testing — creating a good security, financial, or quality posture.
Internal audits are conducted by a company’s staff, who have familiarized themselves with the policies, procedures, and practices. Internal auditors must also learn specific controls associated with a security or financial standard — a framework — that has been tailored to fit the organization’s business operations. Company management commissions and charters internal audits with senior managers setting the timeline, objectives, and scope for the audit team. The results of an internal audit are designed to closely mimic the findings that an external audit would produce, so there should be no surprises when an external audit occurs.
Now it’s time for the external audit. It’s easy to get lost in forests of buzzwords, certifications, and claims made by audit firms. Here are some tips for a successful external audit that won’t freeze your blood.
Selecting an Audit Firm
Senior management is in charge of this process, which includes engaging an audit firm. Don’t let outside influences overly affect this process; just because a key client or supplier uses a gold-plated national audit firm doesn’t mean that your organization must also use them. Your organization is paying for the audit and the firm you engage works for you. Select them with the same care you would use for any other service provider.
Check their certifications, references, and prior engagements. Ensure they have experience with organizations of the same type as yours — in our case, the mailing business. It will make life much easier if you don’t have to explain your business practices over and over to an auditor who is unfamiliar with the industry. For SOC 1 (financial control) audits, ensure the firm will assign a licensed CPA to your engagement. For SOC 2 (security) audits, look for credentials such as Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP). If you process payments, you may want to select a firm that also conducts PCI-DSS assessments using a Qualified Security Assessor (QSA), even if you don’t sign up for that assessment.
Finally, don’t be afraid to negotiate price. Interview several firms and let them know they are competing for your business. Even if you have used the same firm for years, it is a good practice to get a quote from a different firm now and then. In fact, many auditors recommend that you change audit teams every three to five years, just to ensure the company and audit firm don’t get into too comfortable a rhythm and overlook important items.
Scoping and Scheduling the Audit
Most importantly, someone must be in charge of dealing with the audit firm. Do not overlook this. Many times, senior management will negotiate and approve the engagement and leave the “details” to underlings. Be sure to intentionally name someone on staff, and their backup, to be the liaisons and ensure the lead auditors meet those individuals as early as possible.
Work with your audit firm and their team to determine the scope of controls they will be examining. If your internal audit team determined that a particular set of controls does not apply, share that with the external auditors. It wastes time and creates unnecessary confusion for the external auditors to request evidence for items you never intended to include in the scope. It is far better to resolve any conflicts before the audit.
Schedule the audit with plenty of time for your team and their team to prepare. A rushed audit schedule is stressful, not just for you and your staff, but also for the external auditors. Go over the audit schedule with your team and the external auditors. Specifically, ensure milestones are established for “populations” and “evidence.” A population is a list of all items that could be included in audit evidence, such as a list of employees as of a particular date or a list of clients. From the population list, the auditors will select a set of items for which they require evidence to satisfy control standards. Knowing when the auditors require the populations and when they will supply the set requiring evidence (and specifically, which evidence) is key to a problem-free audit. Nobody likes surprises or ambushes.
On-Site and Off-Site Responsibilities
Audit firms typically have some kind of web-based data management tool for their evidence, controls, and follow-up questions. Before the start of the audit, ensure the proper individuals in your organization have credentials to use that system, and that individuals who are not part of the audit team do not have access to areas about which they have no “need to know.” It’s incredibly frustrating not to be able to upload evidence when it’s required, but it’s even more disheartening when a person who shouldn’t have access attempts to “correct” something to cover up a deficiency, spoiling many hours of billable work.
The schedule should lay out what information is to be collected on-site, who will be interviewed, and what systems and processes will be observed. Do not let auditors simply walk around your facility with a clipboard and a pen. That’s not auditing. If certain information to be collected on-site is not available, let the auditors know and give them an indication of when they can expect to have it.
Know who is responsible for any “portal” work with audit standards organizations. For example, HITRUST requires their portal to be used to upload all evidence in an assessment. Is this the responsibility of the auditors or is it your organization’s responsibility?
When the on-site portion of the audit is complete, the audit itself is not done. Most times, auditors will continue to require evidence, explanations, or responses as they prepare their report. Your engagement and schedule should spell out when draft reports are due and when to expect final reports.
Be Honest
This goes without saying. Be honest with your auditors. If you are unprepared for a portion of the audit, tell them. If you do not have a particular bit of evidence, explain why. Getting defensive or deceptive only makes the audit more stressful. Your organization is paying professional auditors to prepare a report and findings according to well-recognized standards in which they are trained and certified. There is no need to make auditor ethics, which are always strictly enforced, an issue. Senior management should not fear findings that require remediation and attention. That’s the purpose of the audit, after all.
Any organization should be proud of the effort required to obtain a “clean” audit; it’s worthy of celebration. A successful audit occurs when all the applicable controls have been tested and measured, resulting in a stronger company with less risk, whether that is in financial controls, cybersecurity, or quality.
This article is part 2 of a 2-part series on security audits. Part 1 focused on internal audits.
Steve Berman is the Director of Risk and Compliance for DATAMATX. Steve has been involved in cybersecurity for over 25 years, and has a CISSP certification.
This article originally appeared in the May/June, 2024 issue of Mailing Systems Technology.