Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

Three Surefire Ways To Tick Off An Auditor

Avoid these common mistakes to improve your chances for a smooth compliance audit

Funny thing about auditors: They're not machines. They're people -- people who are capable of pet peeves and whose emotions can color the way they approach their work. So wouldn't it make sense for an organization to do everything in its power to keep auditors happy since they hold your organization's compliance success in their hands?

We're not talking bribes or home-baked cookies. We mean engaging in common professional courtesy and a state of readiness that will smooth the way for an easier encounter. The following are three ways that organizations fail to do this on a regular basis.

1. Putting On Airs
Nothing steams an auditor like an IT staffer who tries to use jargon as a weapon, says Glenn Phillips, president of Forte Inc., an audit firm that does IT security and HIPAA assessments.

"Many IT staff have learned that if they use big words or complicated technical language, management may leave them alone. It is also a means to show off how smart they are, and they may even learn to B.S. their way through things this way. After all, who will call them out?" Phillips says. "A good audit team won't fall for it and will know the language. But then management may be confused as to who to believe."

Not only does the baloney terminology and technical vagueness show the auditor there could be something the team is hiding, but it is also just plain insulting. Assuming the auditors don't have the technical mojo to keep up is a surefire way to hack them off.

"My biggest pet peeve as an IT auditor is when network administrators, developers, or any other positions that are more technical in nature attempt to undermine my technical knowledge. Because the developer assumes that I am technically inept, they think that they can give me a low-level answer [to] confuse me to believing that they know what they are talking about," says Andrew Weidenhamer, audit and compliance practice lead at SecureState. "Unfortunately for the developer, I used to be a penetration tester and used these types of vulnerabilities to break into organizations, which, in the end, simply makes the developer look silly."

2. Providing Poor Documentation
Auditing work is fueled by written information and paper trails. When an organization fails to document its activities or provide any sort of written proof of its claims, that's a guaranteed irritant.

"Lack of documentation is the biggest issue. When it comes to the auditors and when I see their reports, the biggest pet peeve they'll have is that the company had all of its policies, but it is stuck in Ed's head somewhere in the finance department or wherever," says Bob Gaines, security and compliance manager for All Covered. "The policy isn't written down anywhere."

[Security professionals need to consider these best practices and new compliance requirements as they ring in a new year. See 2012 Compliance Checklist.]

Similarly, the auditors don't want to have to fight you every step of the way to get the information they need. According to Jim Hurley, managing director of Symantec's IT Policy Compliance Group, "arguing with auditors about whether they really need the information they requested" will surely tick them off.

"This red-flag tells auditors there may be something hidden under the rocks, and auditors just love to turn over rocks," Hurley says.

3. Lying Or Misdirecting
Whether it is lying, remaining intentionally vague, or misdirecting, a lack of forthcoming attitude really sticks in the craw of any auditor in the field. As Weidenhamer puts it, it only delays the audit as the auditor starts to dig deeper for information.

"What the organization doesn’t understand is that any good auditor is going to do what is necessary to uncover what is needed for the audit. This is true even if this means talking to six more individuals or collecting 35 more pieces of evidence," he says. "Not being forthcoming can not only cost the organization more in the long run, but also further inconvenience organizational personnel as no one likes to be audited."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Bprince
50%
50%
Bprince,
User Rank: Ninja
1/6/2012 | 11:15:13 PM
re: Three Surefire Ways To Tick Off An Auditor
@ readers: ever catch someone trying to cheat an audit? What were they doing and what was their excuse?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
TheRat
50%
50%
TheRat,
User Rank: Apprentice
1/18/2012 | 3:52:21 PM
re: Three Surefire Ways To Tick Off An Auditor
While the auditor cited in comment #1 may be technically proficient, many are not. I am an auditor and consultant, and was previously a SA who was audited regularly. The majority of auditors I have encountered (almost always from the Big Four) have a limited understanding of "how the things work," and rely on generic checklists created by others who have never been operational.

Documentation, as stated in the article, is the key.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...