Financial institutions are regularly faced with audits, including SSAE 16/18 (SOC 1 and SOC 2), Sarbanes-Oxley, and PCI DSS. Unfortunately, it is all too common for these organizations to experience audit failures. But there is good news: failed audits share a handful of common causes from which other companies can learn.
RISK #1
Poor Prioritization from the Top
WHAT IS IT?
If management hasn’t bought into the importance of compliance, then the people implementing and working on the controls won’t either. Management attitude establishes priority for the entire organization, which drives resources and participation.
WHY DOES IT MATTER?
Management attention gives teeth to a policy, which makes controls stick and reduces the chance they will be ignored. Take security awareness training, for example. A company that gives compliance low priority can miss its security awareness training deadline because the employees who consider themselves exempt, such as executives or road warriors, never complete it.
SOAR BENEFITS
RISK #2
Lack of Documentation
WHAT IS IT?
Without documentation of a control, or records showing that the control was performed, auditors must rely on inquiry alone. However, inquiry is considered the weakest form of audit evidence, and under many compliance frameworks it is not sufficient on its own.
WHY DOES IT MATTER?
Most of the findings auditors identify stem from documentation failures. Luckily, this is easy to correct: companies should document what they’re doing in written policies, ensure everyone is trained in the proper procedures, and create a paper trail of the performance of the controls.
Document Policies
Implement Procedural Training
Monitor Performance Controls
RISK #3
Human Error Compounded by Manual Processes
WHAT IS IT?
When manual processes are involved, there is no way to completely eliminate human error. Conversely, when you automate systems such as user authentication, human resources, and payroll, the result is a less error-prone process.
WHY DOES IT MATTER?
Without automation, manual errors will occur, such as leaving a terminated employee's account live. Mistakes of this kind are a significant audit finding as well as a security risk.
RISK #4
Weak or Missing Risk Assessment
WHAT IS IT?
Most audit standards require a risk-based approach so that controls are focused on reducing the highest risks. Without investing the time and money required to produce a proper risk assessment, organizations will waste resources on controls that do not address their highest risks.
WHY DOES IT MATTER?
Vital controls that are missing or skimped on because no proper risk assessment was done can turn into unwanted findings in the compliance audit process, or create unnecessary exposure for your organization.
RISK #5
Internal Assessment is Too Self-Congratulatory
WHAT IS IT?
People will naturally try to see themselves and others in the best light—it’s human nature. In the business world, this often means internal assessors overlook important shortcomings.
WHY DOES IT MATTER?
A poor internal assessment trips up many organizations going into an external audit for the first time and can result in unfavorable audit findings.
PRO TIP
Develop a proper independent internal audit program (one with a different reporting structure from the security and IT teams), or hire an independent assessor. Even a contracted consultant can fulfill this role, as long as he or she is segregated from the implementation of the controls.
RISK #6
Misunderstanding That Some Audits are Ongoing
WHAT IS IT?
Many audit standards, like SSAE 16/18 and Sarbanes-Oxley, cover a period of time, and controls need to operate consistently throughout that entire period.
WHY DOES IT MATTER?
If an organization is focused only on making the auditor happy when he or she shows up, it is ignoring the point of security: managing the risk. Controls implemented to reduce risk should never be point-in-time affairs.