02. Why you must manage Audits
ND545 C4 L5 02 Big Picture Video
While this lesson is described as audit management, we are really referring to the audit or assessment of security controls throughout the organization, and those assessments might manifest in any number of ways. Audits may be required by specific compliance obligations to demonstrate compliance, or they may be something an organization pursues to measure its security controls following a breach or prior to undertaking a new compliance path. Whether we're discussing an audit, an assessment, an examination, or something else, that is what this lesson describes.
As a quick note, there are historical differences between certain terms for audit.
Audit really means: An evaluation of whether processes and procedures are operating as expected
Assessment really means: An evaluation of whether processes and procedures are aligned with industry standards.
There are also other terms like examination or attestation, but it is not uncommon to hear these terms used somewhat interchangeably --- especially in Security GRC circles. This is likely due to the large number of GRC professionals that come from traditional security operations roles and don’t have a strict audit or accounting background.
Regardless of what assessments or audits may be called, they are often associated with compliance activities. The reason is that many compliance obligations require that organizations certify their compliance --- even if that certification is not performed by a 3rd party with special credentials to certify organizations against a compliance obligation, such as an accounting firm.
Certain compliance obligations, such as PCI-DSS or SOC2 assessments, require certification by an independent 3rd party. Other compliance obligations, such as customer-based assessments or self-assessments, may not require 3rd party certification but are still recognized as part of the compliance lifecycle. Each is important because complying with various obligations, and certifying that your organization complies with them, can help it gain customers or permit it to take part in regulated activities.
There are some audits, however, that are not necessarily part of compliance like post-breach / incident audits. While you may be required through certain obligations to perform an independent audit following a breach, these assessments are not typically part of compliance with a given standard. They also operate a bit differently than a compliance audit. Compliance audits aim to ensure that an organization is following a certain standard. Post-breach audits aim to uncover as many security flaws as possible.
While there are many ways that audits or assessments manifest themselves, the goal should be that fruitful, meaningful results come from every audit. The role of the GRC professional is to ensure that happens by setting the organization up for success. If assessors are presented with poor quality information, it could result in company rework where internal stakeholders must:
- Review audit findings
- Work together to validate the findings
- Review the information originally provided to assessors
- Make corrections and provide revised information to assessors to revise audit reports
This can be a lengthy process, so it's important that GRC professionals facilitate audits appropriately.