After the high energy of the conferences last week it was always going to be a challenge coming back to the humdrum of day to day work. Reviewing someone else’s audit findings was never going to be the quickest way to get those energy levels up!
This was compounded somewhat by what I found myself reading of course; this was a audit report on an environment that had a very limited scope, i.e. type of work being carried out, type of data being handled, type of resources required to complete the task. The auditors however were coming in from a very strictly controlled, somewhat binary view of the world. The upshot of this was that there were a lot of findings along the lines of:
- Workstations have access to the internet.
- Physically secured environment within the office (of the same company) required.
- Firewall must separate development environment from the rest of the office.
On the face of it these findings are perfectly acceptable, but what they don’t do is take into account the bigger picture.
The group that was being audited did not have access to any sensitive information, PI or even intellectual property. They required access to the internet as they were a creative group that uses multiple types of resources from the web, and they were already on a secured VLAN.
Unfortunately they failed to understand what was in front of their faces throughout the entire audit and assessment process (in fact, they remind me of the type of auditor that Javvad recently showed us in his latest video) They didn’t observe their surroundings fully, understand the working environment, nor comprehend the true purpose of the audit, namely to reduce risk not squash the life out of some very expensive resources and make it difficult to do their job.
They did everything by the book.
There is always a time and a place for a slightly more maverick approach in my opinion. There are times when as an auditor you need to go with what your nose tells you is bad, or your gut tells you isn’t right. No kind of by-the-book approach will let this happen. Let’s elaborate on these two approaches a little more:
Using your nose
This is quite literally “smelling” out the findings. Just because a document has been presented and all seems in order, or just because an activity is shown to be in normal use doesn’t always mean everything is in order. I have spent many enjoyable hours discussing with colleagues the tricks and traps that people use to fool auditors and assessors (some of the simpler ones are in Javvad’s video!). I even heard one where freshly printed documents were deliberately given coffee stains to give the impression that they had been around for some time, or people being sent home for the day when the auditor was around. Smelling this out requires a slightly cynical nature and a “poacher-turned-gamekeeper” approach. You might see a name occur too often, or the same approval date on documents that were obviously written at different times and approved by different approvers, but they are all indicators that something may be amiss.
Using your gut
A “gut feeling” is a very difficult thing to define, and to be honest not always as reliable. i often think it is because you have observed something subconsciously that make it a gut feeling. Using your nose is based upon an observable phenomenon whereas using your gut is not. They can be very good indicators that something is not quite right and deserve to be investigated further; the real skill however is knowing when to stop. Burning up half of your audit time because of a gut feeling is unprofessional, a waste of time and is doing both you and the auditees a huge disservice. However it can pay off huge dividends when you get it right in what is uncovered.
I want to caveat the above however; I don’t want to come across as though auditing is some kind of cat and mouse arms race (or any other kind of mixed metaphor). Any good audit or assessment is always going to be open, collaborative and educational and this needs to be the goal from the outset. However, many auditees are placed under huge pressure to pass an audit and sometimes will feel a high risk, deceptive, strategy is the only way to retain their jobs. I myself was once told in no uncertain terms “do whatever it takes to pass the audit” (and of course did).
What I really want to see in the industry is a move away from the checkbox and clipboard approach to auditing and assessing as the natural conclusion of that is a deeply unpleasant homogenisation of controls and environments that stifles creativity, and ultimately reduces the ability of a business to deliver to its clients and to its shareholders.