I recently read the KPMG Value of Audit, The Audit Model and the Profession by Rupert Bruce. Although the focus was on financial audits, the article resonated with me as an information security auditor, and several takeaways made it worth reviewing. The first is the assumption that ‘auditor’ is synonymous with ‘compliance auditor’. In reality, an audit looks at what creates value in a business, and compliance is only one dimension of that.
For leading companies, particularly those practicing lean and six sigma, compliance audits are mostly reporting. By this I mean that the most successful enterprises continuously self-audit; you could say they demonstrate a culture of self-regulation. Compliance audits are one aspect of their security reporting and review processes. This is not to take away from compliance, but rather to say that information security audits go much deeper, or at least they should.
An IT audit reports holistically on an assortment of risk management initiatives. Compliance reporting represents a subset of the information collected for workflow, reporting, and decision-making. With today’s complexity, innovation is required to evolve new reporting, assurance, and compliance tools that work in the real world and add value for the auditor.
In the article, five KPMG partners were interviewed about the audit model and the profession. Many of the points discussed overlap with the IT audit process and the compliance auditor role. The experts concurred that auditors must widen the scope of the information over which they offer assurance. A compliance auditor should take a holistic perspective, examine quality controls, and assume ownership of risk management.
Refocusing Information Security and Compliance Audits
The world expects more and better communication from compliance auditors, both early warnings and a view of what is happening in the system as a whole. Stakeholders and shareholders expect better communication along with real-time information and analytics. To deliver this, auditors require better and more relevant tools. As one KPMG partner summarized, the quality of an audit is one thing and the relevance of the information audited is another.
As an auditor, you possess broader access to an enterprise’s operations than almost any other entity or professional. Your risk management perspective must span IT, HR, legal, compliance, finance, and sales. In your audit, you review and oversee the most important elements of operation, and you make judgments based on how you understand the business.
As a compliance auditor, you want your auditors in the US and China to apply the same standard as those in London and Amsterdam. This total-compliance focus puts more emphasis on internal controls. Systems rely on IT automation, workflow, and tools that let you drill down until you understand what has happened.
Innovation Assumes an Information Security Culture
Technology creates both the requirement to expand the scope of audits and the ability to do so. Beyond serving auditors, automated compliance tools can just as easily deliver predictive data analytics to help desk professionals, line managers, and even employees themselves, making the entire enterprise more effective. Technology has not only improved the efficiency of audits; it empowers your workforce with data analytics to identify problems and raise awareness of risks that traditional techniques could not surface. With more eyes, more auditors, and more transparency, you can more quickly identify risks, determine root causes, and avoid the next crisis.
In the new compliance auditor model, you gain the opportunity to provide more significant insight to investors and stakeholders. You communicate better because your tools are better and everyone in your organization is on board. Ideally, you arrive at a point where you are engaged in a continuous audit process that provides assurance and reporting in real time. For information security to become part of the company culture, audits must become relevant.
Audits must contribute positively to operations and add value as key performance indicators, and they must be embedded at all levels of an organization. For an enterprise to experience the true value, audits must result in more than identifying issues and validating controls. The remediation of uncovered issues becomes the critical determinant, and it is an area where organizations must improve.