Most auditors and security analysts have never performed a wastebasket audit. Why do a trashcan audit?
- Low cost (free)
- Quick & easy
- Easy to perform (even junior auditors can find this evidence)
- You always learn something (e.g., this payroll clerk really likes bananas)
- Most people are careless with data and secrets
- It’s a good way to take the pulse of a person, department, or company
Warning: Depending on your company, you should probably get permission first (always the safest route). Is it covered, even tangentially, by your audit charter? Do you have a GOOJ (get out of jail) card (see item #3)?
Privacy Issue? Sneaky?
To those of you who think this is an invasion of privacy or underhanded (it’s actually under desk), don’t your company policies state that you should expect no privacy for anything stored online or on company premises? If not, you should investigate why.
As for being underhanded, it is. So what? Do those committing fraud post a notice on the company intranet? Does the person in Marketing who is probing the web server embed his name in each malicious packet? If someone threw it away, doesn’t that tell you what she thought of the data? So you think you should protect what others carelessly discarded? Or should you protect the company?
Top Trashcans to Audit
Conference rooms – they are semi-public areas, host many highly confidential meetings, and are visited by customers and vendors. [Safest area to audit; just close the door]
Lobby area – a heavy visitor area, where people who are waiting toss previous drafts of presentations and clean out their briefcases, and, interestingly enough, it is an employee’s last chance to throw something out before leaving the premises.
Print/copy room – paper is lying around everywhere, in and out of the trashcan. Just put a few papers under yours and walk back to your desk.
Areas or staff under audit – immediately before and during an audit, people tend to throw a lot of stuff out for some reason (hmmmm). I always start my wastebasket audit at least 2 weeks before the audit kickoff, and don’t end it until 2 weeks after the final report is issued.
One nice thing about these types of audits is that you don’t have to tell anyone how you got the information (say “it was provided to me and my source is confidential”). If the original evidence is crumpled, smooth it out and make a copy; keep the original, and note where and when you found it, in case the finding is later challenged. Put the focus on what the data reveals, not on the source; the source is secondary.
Finally, whatever personal information you learn about employees, keep it confidential, and forget it as fast as you can.
One reader, Audit Monkey, stated that these audits are a waste of time (see his comment and my reply). I realized that I neglected to note that I’m not suggesting formal audits of wastebaskets; just do them as you perform your other duties (e.g., when you use the print/copy room, and on special occasions, which a future post will explain further).
Update 2 — Recycle Bin
You might also be interested in Another One’s Treasure.