Can you imagine entering a store like the Apple Store, but instead of seeing the nicely dressed Apple employees, you see bouncers, bodyguards, and military officers with guns? You try to walk away, but one of them tells you to stop so he can make sure you did not steal anything from the store. You are about to leave after a thorough body search when you hear one of the gunmen say: “please come back again”. I believe you would most likely not return to that store. Their security might be at its best, but the customer’s shopping experience was obviously at its worst.
I remember my grandma telling me about a time when someone could leave a store unattended; a customer might come in to make a purchase while you were away, and the customer would leave the money there for you. The funny thing is there was no closed-circuit television (CCTV) at that time; people were trustworthy and would not steal from you. Good news: those days are coming back. I mean you might be able to leave your store open without the need for a cashier, and customers could make their purchases without your presence while you would still get paid. I saw an ad about a prototype of this system. The company had invested so much in artificial intelligence and adopted a lot of other security measures to allow customers the luxury of a cashless system. With the use of an app on the customer’s phone, the customer could make purchases without the need for any cashier or attendant. This is a great combination of security and convenience. Although some customers like physical interaction, most customers would probably love this kind of system for the convenience it offers.
As auditors, we are concerned with the security of information systems and data, and our job description clearly states that we are responsible for ensuring that the controls around our organization’s systems are designed appropriately and operating effectively. How can we ensure that the stakeholders enjoy some level of convenience while we attempt to maintain the security of our organization’s assets? The question is, “how can we add value to our organization through our projects without appearing to be policing the stakeholders?”
Here are some tips to help foster convenience around IT audit processes while we still achieve our audit goals:
- Determine your stakeholders: It is very easy to know who your stakeholders are. Who do you interact with during the audit process? Who do you report the findings to? On an external audit, you may work with different clients at different times, depending on your organization’s structure and how your audits are laid out. It is important that you list the stakeholders who will be involved in your audit during your audit planning phase. Aside from your direct contact person, you should learn about the other people who would affect your work process during your project. The list could span from the IT team or process owner you are auditing to the management you report to. The audit team should have a training session on how to facilitate a good working relationship with these stakeholders. The audit planning phase should address the need to send an email to the stakeholders who have been identified, informing them about the audit scope and the part each of them plays. It is very important to communicate with the stakeholders directly and not just send the engagement letter to management while ignoring the other important stakeholders; remember, you will most likely deal with these stakeholders even more than you deal with management during your projects.
- Design the audit processes to be convenient for the stakeholders as well: While it is important to follow your regular audit plan for the year, it is also important to remember that the stakeholders have their own plans for the year as well. They would appreciate it if they could spend more time on their core duties rather than using hours answering your questions and getting documents for you. For example, if you will be auditing privileged access, you could make the work of a system administrator more convenient by first reviewing the company’s IT security policy covering privileged access. After your review, you can go ahead and email your questions to the system administrator before you have a walkthrough meeting with him/her to discuss the questions around the controls that are in scope. Since most people don’t like surprises, seeing the questions ahead of the meeting gives him/her some time to prepare. A response email from the system administrator might even reduce the amount of time you need to spend with him/her at the walkthrough meeting. The focus of your audit process should be to assess the controls, but do it in such a way as to avoid adding stress to the normal workload of the stakeholders.
- The PBC list (Prepared/Provided by Client): This list includes the items, such as documentation and evidence, that the auditor needs from the client to perform the audit. It is best practice to send the PBC request at least 3 weeks ahead of the audit, but this should also be determined based on the audit team’s experience with the client. If, based on past experience, the client was not able to provide the necessary documentation when needed, it is better to send the PBC request list much earlier. Doing this also helps you keep to your audit timeline while allowing the client ample time to gather all the requested documents at their own pace.
- The executive status tracker: This tracker is used to communicate the status of the audit to the client. The tracker lists scheduled meetings between the audit team and the client. These meetings could be weekly status meetings with the client to discuss progress, delays, and other needs, or might also involve validation of issues or potential audit findings. Just as it is helpful to send the PBC request list earlier when past experience shows the client had challenges providing the necessary documents, it is also very helpful to send the executive status tracker to the client as early as necessary and to update the tracker as the need arises.
These modifications to the audit process help the stakeholders adjust their schedules as needed, making it more convenient for them to work with you while you still achieve your audit goals. The clients and all stakeholders will most likely be happier when they know that you are not just adding value to the organization through your audit, but that you also respect their time and other responsibilities, shown by how you make the process convenient for them while enhancing security.