Policy, Compliance, Critical infrastructure

The auditor’s case for continuous compliance

October 29, 2014

If offered the choice between taking a pill once a week or undergoing invasive surgery once per year, many of us would reach for the pills. Preventive medicine is a simple concept and one that we all recognize and value when it comes to our health.

Yet when it comes to information security, many companies operate with the annual surgery model, also known as an audit. Whether it's for PCI compliance, SOC reporting, HIPAA assessments or something else, they follow the conventional model of point-in-time certification accompanied by a costly and painful annual review and correction process.

Worst of all, many information security professionals believe this approach is in the best business interests of the auditor – an inefficient system that benefits the CPA firm or consulting group. It isn't true. As a Qualified Security Assessor (QSR) and frequent partner to CPAs and professional auditors of every stripe, I can tell you that the system is broken for us as well.

In fact, there is a growing movement among auditing professionals towards continuous compliance, an ongoing process of proactive risk management that delivers predictable, transparent and cost-effective results to meet information security goals.

New technology has made it easier than ever for companies to review their performance – on any given day – against compliance standards. Armed with better tools, they can partner with auditing agencies to review rule interpretations and applicable standards at sensible intervals and turn the audit into a schedulable, predictable and downright simple event. In other words, an outpatient procedure instead of a trip to the operating room.  

Here, in three simple points, is the auditor's case for continuous compliance:

1. Predictability: An auditor's business runs like any other – we make assumptions that inform the way we staff, invest in infrastructure and maintain a balance between overhead and profit. When projects run long, require extra people or are rushed because of impossible-to-achieve deadlines, it becomes a liability for both parties.

2. Transparency: If a problem is discovered six months prior to the audit through an easily accessible information portal, your auditor can help you develop a smart solution to correct it. If that same problem is discovered in a pile of paperwork just six days before an audit deadline, we can't do our best work. There simply isn't time. Transparency between company and auditor is the key and in the long run, leads to better service.

3. Cost-effectiveness: It's true that the audited company bears the financial burden for last-minute fixes and accreditation delays. But it's also true that auditors face cost control challenges when projects spiral out of control. Moreover, it strains the relationship with our client and creates disincentives for future projects. Our businesses run better when our clients' businesses avoid significant unforeseen expenses.

Continuous compliance obviously doesn't allow anyone to avoid a necessary audit. And it does come with costs of its own for technology, consultation and internal management. But the lifetime benefits of ongoing monitoring, reporting and collaboration far outweigh those costs, both for the client company and the auditor that serves them.

The movement towards preventative medicine in information security is well underway. Most of the dialogue driving that movement, quite naturally, is in the voices of the companies seeking and maintaining accreditation. It's time for the auditors – the CPAs, the consultants and more – to weigh in.
prestitial ad