2010
11.17

So your audit report has been issued. Sure, you may have received some issues, findings, or control weaknesses in either a letter to management or in the audit report itself, but the auditors are gone. Well, don’t celebrate too much too fast. If your audit gave you a clean bill of health you can throw the party, but remember you must remain diligent on your controls. After all, the auditors may be done for now, but they will come back. If you did have items noted to your management or in your report, you have more work to accomplish. You may or may not agree with your auditors, but when the next audit comes around one thing is certain: prior audit findings will be scrutinized.

Depending on your environment or the type of audit, audit findings may trigger some ongoing monitoring by the auditors. Other times you are left to adjust your environment while the auditors are absent. Regardless, simply disagreeing with your auditors and taking no action at all will be disastrous. You may recall in a previous post I talked about tone at the top as a control. This is one of those areas auditors look at critically, because if you just leave audit findings in a report tucked away in a drawer, they will have little confidence you have a well-controlled environment. How then do you approach addressing your auditors’ concerns?

The first and best advice I could give is start right away. If your auditors were good and alerted you early to what they found, you could even begin to address the issues before your auditors leave. When things are fresh in your mind you are better equipped to tackle them. Waiting for a week, a month, or a few months down the road could be the difference between getting repeat issues or an off-the-record “Atta boy” from the next auditors. This means you need to really understand what your auditors meant in their findings. One caveat: auditors cannot tell you how to do something (unless they are regulators), as their independence could be compromised. They can, however, tell you generally what they would expect to see for the issues to be resolved. This is important to understand, because if you miss the mark you will have done the work in vain.

Next, take the time to re-evaluate your entire control environment. You are wondering why I would recommend you do that; after all, the auditors told you where to look. Depending on the type of finding, you may have had a catastrophic failure of multiple controls, with the single one identified by the auditors being just the tip of the iceberg. On the other hand, you may find just one control failed and you didn’t have any other controls to prevent a complete failure. Either way, looking at the overall environment may be critical in solving the problem. Let’s look at a catastrophic failure. Was the control failure caused by a series of events that could not have been foreseen, something that only occurs once every hundred years? If that is the case, the cost/benefit of correcting the failure may not be worth the effort. What if the catastrophic failure occurred because the people performing the controls don’t understand their responsibilities? That is an entirely different story, one which may play out audit after audit. Each of these should be addressed very differently.

In the case of a single control failure, why did you only have one control? There may be a rational and completely justifiable reason, or you may have overlooked the possibility the control may fail due to the design of the control. I remember auditing the payroll at a small city which had a small finance department staff. There was a payroll control which indicated any staff member submitting for overtime needed to have approval from the payroll officer, but a lack of approval did not prevent the pay from being distributed. I think we can all see the flaw here, and may even question whether this is a control since it doesn’t prevent an action. Regardless, the payroll officer went on vacation and a water main broke, requiring several employees to work overtime. With my luck as an auditor, I happened to pick a payroll transaction during this time period and discovered the complete failure of the control. In response to the audit finding, the control was modified to add a backup to the payroll officer, but the pay still could be distributed without the signature.

Whether a catastrophic failure of many controls or a failure of a single point control, understanding the entire control environment is critical. Not only can you correct issues the auditors found, you may find potential areas of future weakness and correct them before they fail. There is an art to getting through an audit, but sometimes the masterpiece isn’t completed until you clean up all the paint drips.

2010
11.12

It is fall here in my neck of the woods, which means the leaves are changing and falling off the trees. It makes for a great time driving with all the bright colors. Driving in to work a few days ago I passed a place where all the leaves had fallen off the trees and I was able to see a house set back that is normally not visible. This reminded me of a house I had seen years back.

While doing an audit of a small township I would regularly pass a drive with a gate and fence that vanished into a dense forest. One year I was performing the audit after the leaves had fallen. As I passed the secured drive I noticed the fence went into the trees about 100 feet on either side and then stopped. I had never noticed this before because the trees had obscured my view. It struck me as odd that someone would go to the expense of putting up an elaborate gate and very nice fence, only to have it end not too far after it started. In retrospect it doesn’t seem as odd.

We always hear about security through obscurity. The idea is you gain some level of security by obscuring what you have or what you are doing. A great example of this is when you remove any identifying information from an error message on a website so that a person doesn’t know which operating system or applications you are using. Of course a determined attacker can fingerprint your system to figure it out, but you make them go the extra step. Now back to my illustration. The trees, for at least half the year, provide the illusion that the security fence surrounds the home that wants protection. This will likely deter most people who would want to get in, but a determined person would follow the fence and find the point of weakness. Has the resident achieved a higher level of security? It all depends on perspective.

You could argue that reducing the number of threats has increased security. However, I would suggest the same “obscurity” that is providing security to the home owner actually provides security to the threat. When you talk about physical security, visibility is critical. If you can’t see the threat, how do you protect against it? The forest gives the threat cover to hide, while the resident feels secure. Now I will assume someone who goes to the expense of putting up a sophisticated fence likely has a security alarm system on the house itself. That said, the threat has all the time in the world to get as close as possible without being detected and search for vulnerabilities. Also, in the event the home is breached there is cover provided for a getaway, and if the home alarm system doesn’t exist or fails there is no fear of being seen by neighbors or people passing by. In essence, the obscurity relied on by the home owner provides more security to the threat than to themselves.

The question we need to ask ourselves as security professionals is a simple one. Do we provide cover to a potential threat by allowing ourselves to believe obscurity gives us security? Obscurity can reduce the frequency of common threats and allow us to focus on the determined and targeted attackers. However, if we put too much faith in the security it provides, we increase the risk rather than decrease it. Take the time to understand all the effects obscuring yourself has and consider whether the obscurity benefits a determined attacker. If we don’t, we may find the front door open and all our valuables gone.

2010
11.09

Right about now you are saying “You have brought us this far, we are so close.” I didn’t mean to make you wait like the auditors do, but sometimes patience is what gets you through the audit. When last we spoke the auditors had gathered all your information and were off testing. Hopefully during this process, if anything came to their attention, they brought it to yours. Doing so benefits both you and your auditor; after all, who wants a misunderstanding blowing up in either person’s face? Regardless, the next phase of the audit is like a negotiation.

Your auditor spent time digging through your records and configurations, possibly finding something that doesn’t match up to their expectations. They will then determine, based on their understanding, the impact a weakness or failure of controls will have. Once this determination has been made you will receive some form of “draft” issues or findings. If you push the panic button at this point and batten down the hatches, you may find it difficult to convince your auditors they may have it wrong. I would say many auditors I know or knew are reasonable people and understand they may have overlooked something. However, if you come out swinging and do something irrational like call them incompetent, they are less likely to see their own errors. First take your time and read what they have sent you, then read it again. Now you have read it twice, but read it a third time without thinking the comments are directed at you.

Now that your eyes are uncrossed and the color in your face has resumed a normal hue, make a list of questions to ask your auditor. It is important you know all the questions you want to ask and that they are worded in a neutral tone. It is important to know auditors should have documentation backing up their conclusions, and simply declaring they didn’t look at the right thing will just be empty words. Once you have your list of questions, request a meeting to discuss the items. If need be, ask for details about what exactly failed and, if possible, which records they reviewed. The auditors’ work should not be a secret from you as the auditee, since it is your documentation. Don’t expect to walk away from one meeting having answered all the right questions either. As most negotiations go, it can take multiple rounds to come to a resolution.

One important thing to understand: your auditors have to maintain an “air of independence.” This means in the end, if they are not convinced your controls are operating as described, they will place those items in your report. However, if you have a compelling argument, either on why the control didn’t fail, why the risk is mitigated with another control, or why the risk isn’t as severe as they anticipated, you should see their results change. It is natural to make audit findings personal; after all, you are the one running the show or performing the control, but personalizing the results only harms you as the auditee in the end. Just think about the defendant on the witness stand we see on television or in movies declaring “I am not guilty,” but never providing evidence to the contrary. No, an audit is not a trial, but having support behind your argument and keeping a level head are what will make the end result of your audit that much more meaningful. This also means you will have a better grasp on how to address the issues in the next phase of your audit.