Infosec and Internal Audit Working Together

Monday, July 11, 2011

Robb Reck

How’s Your Relationship with Internal Audit?

Want a quick and easy way to get an idea how well your organization’s risk management program works? Take a look at how the technical staff reacts to and interacts with the internal audit team.

The role of internal audit is to aggregate internal policies, regulatory requirements, and industry best practices and then observe the organization to see how the operational reality stacks up with those goals. This is the chance for us to see if we’re walking the walk or if all our risk management policies and systems are just for show.

When your team hears that the internal auditors are going to be coming, what is the response? No, not everyone will be thrilled to spend a day or week sitting with auditors discussing business practices and showing proof of what they do. Schedules are tight, and fitting audit work in alongside a full schedule can be a challenge. But aside from scheduling, this should not be a grueling task. If your employees are overly concerned about the audit process, it may be that they are not properly educated about the policies and procedures required to do their job.

In a well-functioning team, the opportunity for a different set of eyes to evaluate and offer feedback is invaluable. They can show us where our documentation is lacking (the people who do the work every day naturally fill in those gaps from memory, so they rarely notice them), where our separation of duties is inadequate, or where cross-training is needed. Joe might be the best firewall administrator in the world, but letting him do all of the firewall work means that when he finally goes on vacation or gets a new job, your organization will be scrambling to fill his position.

The biggest key to creating a positive relationship with audit, and successfully undergoing audits, is remembering that internal audit and security risk management are on the same team. We are both looking to handle risks. Our job in security is to identify and implement effective mitigating controls, and audit’s job is to flag those risks which have not yet been properly mitigated, so that management is well aware of them, and can make appropriate business decisions. If they identify a finding in your area, it’s not the end of the world. It’s an opportunity for you to improve your environment and make things better.

Security and Audit should make each other better

Information Security and Internal Audit can be extremely effective partners. Chances are that the folks on the security team are more technically savvy and more intimately familiar with the details of the corporate information systems. As such, during an audit, security can guide internal audit through the technical jargon and confusing network diagrams to uncover all kinds of useful information, including what data is sitting where, what it's doing, and what protections are in place. By acting as a technical consultant, the security team can provide valuable assistance to audit and make the audit findings more detailed and impactful.

On the flip side, audit can be an important ally for security. How often does your security team find a risk, bring it up to technical leaders, and have that risk ignored because of time or money scarcity? Deciding which risks need to be addressed is an ongoing balancing act. Security's concerns are usually heard, but often cannot be immediately acted upon. When an item becomes an audit finding, however, it gains significant weight. Audit findings make their way up the chain, to the desk of the president and the board itself, and senior leadership is directly responsible for addressing and remediating them. Getting audit to include the risks that security identifies in its findings is one of the most effective ways audit can assist security.

For the most part, the difference between security and internal audit is slight, but significant. We are both looking to address risk, but security is considered a part of the business, and audit must be an impartial third party. By working together both teams can become better at what they do.

If you haven’t already, go take an auditor out to lunch. Ask about what they do, and how you can help. It’s a relationship that you both will enjoy.

Cross-posted from Enterprise InfoSec Blog from Robb Reck.

Lucian Andrei: Very good article.

In a real world this should happen, but... for some companies the audit is a driver for the IT, and information security particularly. I saw cases where they bought new firewalls; they implemented SIEM and other things because “It was an audit finding”.

The biggest problem, in my opinion, is that most of the people don’t get THE WHY, and that some leaders are only managers, they don’t see the big picture.

I think that the root causes of these problems are:
- Lack of education
- Lack of motivation.

Sometimes education is a follow up of the motivation (in order to be better at... I have to study...); but, most of the employees are only doing the minimum not to be fired. For them I would implement compulsory training. For example: if you want a raise you have to pass X certification, or you have to go to school...

What about having a bad/inexperienced auditor? Is he/she doing a risk assessment before planning for an audit?

Maybe someone more experienced will write an article about education and motivation in infosec (or IT in general).

Robb Reck: Lucian,

There are a number of interesting points in your response. Thanks for taking the time to consider and respond.

One of the great benefits of having InfoSec work with audit is that those audit findings AREN'T simply a "checkbox" mentality... they have a holistic view into the organization, and the real risk. Rather than saying, "We need a SIEM!" audit should say, "We have a risk that we don't know what's happening in our environment quickly enough" and then it's InfoSec and IT's job to translate that finding into a real implementation.

Of course you can have InfoSec professionals or audit professionals who don't care about their job, and there are some management techniques to combat that, but in general I have found that most people WANT to be good at their job, and that just getting the conversation going between the teams will improve their motivation, making them more effective.

I have written on some subjects about getting InfoSec buy-in, and would love to hear your thoughts on that as well:

Chris Dorr: Excellent article. When you say "For the most part, the difference between security and internal audit is slight, but significant. We are both looking to address risk, but security is considered a part of the business, and audit must be an impartial third party. By working together both teams can become better at what they do.", you make an outstanding point.

As an auditor (who works extremely closely with the InfoSec group), I sometimes have a hard time delineating exactly what ARE the differences. Certainly InfoSec does operational stuff, and we are required to remain out of operational activities, but in terms of our goals, objectives and analysis methods? It is sometimes difficult to see any difference at all.

Over the years, I have seen (in internal audit, in particular...far less so with the Big Four) a significant increase in technical expertise amongst IT Internal Auditors. We could (and mostly have) worked operationally in IT, and moved into audit, instead of having a finance background and moving into IT (as seems to happen at the Big Four). My old boss (who brought me into audit, and who had worked for years as a developer) said her philosophy was that it was far easier to teach a geek to audit than to teach an auditor to be a geek.

This kind of increasing skill set allows audit to work ever-more closely with InfoSec, greatly increasing the effectiveness of both.

At least in my organization, I have found that an intimate (while still maintaining independence, on the audit side) relationship between audit and InfoSec produces VASTLY better results, across the enterprise, than an adversarial relationship ever could.