In light of numerous security breaches that appear almost daily, it is easy to understand why clients, management, and boards of directors need additional assurance on the reliability and security of the information they report to stakeholders, customers, partners, and management. So how do these stakeholders gain the confidence in their systems? In short, formal independent third-party audits of key systems and controls are a step in the right direction.
Federal and state governments also recognize the need for companies to strengthen their systems of internal controls. We see this in various state-specific privacy regulations and in national regulations affecting financial reporting and healthcare (e.g., the Sarbanes-Oxley Act and HIPAA/HITECH, respectively). Industry is also incentivized to improve assurance, as shown by the PCI DSS standard and by the participation of multiple "critical sector" organizations in the forthcoming NIST Cybersecurity standard.
By conducting external audits, in conjunction with ongoing internal reviews, executive management can increase its confidence in the security and availability of critical systems. External audits bring a standards-based approach to the review of internal controls. These standards range from well-known ISO disciplines such as ISO 9000, ISO 20000, and ISO 27001 to control assessments based on guidelines from COSO and COBIT. These audits are expensive and require significant time commitments from internal staff.
As a case in point, my company spends well over six figures annually with external auditors and invests significant internal resources to support ongoing review of our systems and security (we have three full-time employees dedicated to an internal audit function). These resources are focused on ensuring that our various audits and standards reviews are successful, including our Statement on Standards for Attestation Engagements (SSAE) 16 SOC 1 and SOC 2 reports as well as multiple ISO audits. As a multi-national corporation, my company also goes through the International Standard on Assurance Engagements (ISAE) No. 3402 audits.
Here are four reasons why audits matter: