In light of numerous security breaches that appear almost daily, it is easy to understand why clients, management, and boards of directors need additional assurance on the reliability and security of the information they report to stakeholders, customers, partners, and management. So how do these stakeholders gain the confidence in their systems? In short, formal independent third-party audits of key systems and controls are a step in the right direction.
Federal and state governments also recognize the need for companies to strengthen their systems of internal controls. We see this with various state-specific privacy regulations and national regulations impacting financial reporting and healthcare (e.g. the Sarbanes-Oxley Act and HIPAA/HITECH respectively). Industry is also incented to improve assurance as shown by the PCI DSS Standard as well as the participation of multiple “critical sector” organizations with the forthcoming NIST Cybersecurity standard.
By conducting external audits, in conjunction with on-going internal reviews, Executive Management can increase its confidence in the security and availability of critical systems. External audits bring a standards-based approach to the review of internal controls. These standards range from well-known ISO disciplines such as ISO 9000, ISO 20000, and ISO 27001 to control assessments based on guidelines from the COSO and COBIT. These audits are expensive and require significant time commitments from internal staff.
As a case in point, my company spends well over 6-figures annually with external auditors and invests significant internal resources to support on-going review of our systems and security (we have three full-time employees dedicated to an internal audit function). These resources are focused on ensuring that our various audits and standards reviews are successful including our Statement of Standards for Attestation Engagements (SSAE) 16 SOC 1 and SOC 2 as well as multiple ISO audits. As a multi-national corporation, my company also goes through the International Standard for Assurance Engagements (ISAE) No. 3402 audits.
Here are four reasons why audits matter:
1. Your own clients want to know.
We can set our watches by when our clients ask us to send them our latest audit reports. Financial services firms will make such requests at the beginning of each year. Healthcare groups inquire for their audit reports later in the year for their own auditors. Plus, we get similar scattered requests throughout the months when our clients are getting set to onboard a new business customer. It adds up to hundreds each year. Our audit reports can be the catalyst for our clients’ ability to land a new deal and we take that to heart. We know we’re providing a direct benefit to their sales and productivity.
2. Organizations want peace of mind.
Good Managed Services Providers (MSPs) can be as much of a strategic advisor as they are an IT vendor. Such firms desiring to gain the trust and confidence of clients will leverage successful independent audits of their systems to do that. The certifications can authenticate the ability for MSPs to offer expert insight in addition to providing the safety and security that can increase productivity and revenue potential while also mitigating risk.