In Standard (Snake) Oil, I complained about companies that don’t audit according to standards because some treat control owner statements as pure gold, don’t insist evidence be tied back to actual systems, and don’t ask all the appropriate questions.
Here are a few more questionable practices that I’ve challenged all too recently.
First, auditors who rely on policy and procedure documents that haven’t been reviewed or reapproved in two or more years, especially when the document is used as evidence that a certain situation continues to exist, such as an application’s inability to log changes to critical configuration files (policies themselves are not controls). Perhaps an upgrade was applied that provides the ability to log these changes, but the document was never updated and the logging facility was never configured. The auditor never asked, so the old document continues to provide cover.
Second, how about evidential matter that never seems to change, has no date on it, and contains the same typos and misspellings from previous years? Some control owners even embed screenshots and directory/file listings right in the documents, as part of the documentation of the security configuration and procedure.
I’ve found that if you challenge these sacred texts, the anger of the control gods descends upon you. Rather than challenge all of the evidence, I merely pick one screenshot or one directory listing and ask the control owner to rerun it. Once you identify one difference between the data in the sacred text and the fresh evidence, it’s much easier and less dangerous to ask about the discrepancy, and to ask whether all the data initially provided was actually captured for the current audit. Rarely will control owners lead you astray at this point, and a request to “rerun” all of the evidence is usually quickly honored.
Third, and my absolute favorite work-around, is the system that has poor controls, or whose controls are merely poorly performed. After all, they say, the system is being replaced in 6 months, so why spend the time and effort on the controls or on auditing it? Even if your audit director buys this farce, the problem is that schedules often fall behind, and some projects need 2 or more iterations of “6 months” before they are ready to run in production.
The best way to gauge if the team is serious about the replacement or upgrade is to request and review the project plan and SDLC documents completed so far. Usually, it is obvious whether the project has been thoroughly vetted, approved, funded, and managed.
If the documents are lacking, usually the project is also. If there is no plan or it is not provided, you may now have more serious risks to investigate.
When dealing with snakes, always try charming first. Ask innocent questions that gently lead control owners in the proper direction so that you can do your job. If that fails, tell your objectors that all you’re trying to do is ensure that the audit is “conducted in accordance with the standards.”
Just make sure you have a copy of the standards handy.