Auditing is a two-way process

I know the idea of being audited is not a fun one. I always joke with clients that they should not feel too bad as we, as auditors, get audited ourselves (on workpapers, reports, etc.).  When it comes to the auditing process, however, communication is key. If there is one thing auditors do not like it is being ignored, or not responding to them after countless emails.  Many times if I email a client, I am not trying to hound them. Everyone is busy and the last thing I (or any good auditor) wants to do is waste anyone’s time. However, when a client fails to respond to a quick status email, that’s when the process, which should be straightforward, becomes complicated.

Often times clients are just unsure of where some things are or are reluctant to ask the auditor a question, or just hope the report will be passed without any further input. As hard as this might be to believe, most auditors want to see you pass. We enjoy seeing your hard work of configuring systems securely, gathering evidence, and going through any remediation pay off.  PCI, HIPAA, or any compliance assessment/audit is not an easy process. However, without proper communication, it is nearly impossible. We as auditors are unable to help you if you are not transparent with us. If you are unsure about something, ask. If you know something will fail, tell us, and we might be able to help depending on the issue.

I cannot tell you how many times I have gone into a new assessment and have felt the tension in the room before a word was said. People have had bad experiences in the past with auditors, so I don’t take it personally. That’s why I always try to level with any client and explain that this is a team effort. You want to pass, and I want to see you pass.

For more information, or if you are in need of assistance with a GAP assessment, please contact us at info@silentstormesecurity.com

Author: R. Scott Pierangelo
Silent Storm Security | Founding Partner MSCS, QSA, PMP, CISSP, CISA, CISM, CRISC, CGEIT, PCIP