We live in a world where assurance is a precious commodity. People with bad intentions are getting smarter every day as evidenced by the recent compromise of nearly 40 million credit and debit card records at Target. Assuming that your information is secure and only accessible to those individuals with a need to know may not be advisable. As the saying goes, inspect what you expect.
In light of the security breaches that appear almost daily, it is easy to understand why clients, management, and boards of directors need additional assurance on the reliability and security of the information they report to stakeholders, customers, partners, and management. So how do these stakeholders gain confidence in their systems? In short, formal independent third-party audits of key systems and controls are a step in the right direction.
Federal and state governments also recognize the need for companies to strengthen their systems of internal controls. We see this in various state-specific privacy regulations and in national regulations affecting financial reporting and healthcare (e.g. the Sarbanes-Oxley Act and HIPAA/HITECH, respectively). Industry is also incented to improve assurance, as shown by PCI DSS and by the participation of multiple “critical sector” organizations in the forthcoming NIST Cybersecurity standard.
By conducting external audits, in conjunction with ongoing internal reviews, executive management can increase its confidence in the security and availability of critical systems. External audits bring a standards-based approach to the review of internal controls. These standards range from well-known ISO disciplines such as ISO 9000, ISO 20000, and ISO 27001 to control assessments based on guidelines from COSO and COBIT. These audits are expensive and require significant time commitments from internal staff.
As a case in point, my company spends well over six figures annually with external auditors and invests significant internal resources to support ongoing review of our systems and security (we have three full-time employees dedicated to an internal audit function). These resources are focused on ensuring that our various audits and standards reviews are successful, including our Statement on Standards for Attestation Engagements (SSAE) 16 SOC 1 and SOC 2 as well as multiple ISO audits. As a multi-national corporation, my company also goes through the International Standard on Assurance Engagements (ISAE) No. 3402 audits.
Here are four reasons why audits matter:
1. Your own clients want to know.
We can set our watches by when our clients ask us to send them our latest audit reports. Financial services firms make such requests at the beginning of each year. Healthcare groups ask for their audit reports later in the year, for their own auditors. Plus, we get similar scattered requests throughout the months when our clients are getting set to onboard a new business customer. It adds up to hundreds each year. Our audit reports can be the catalyst for our clients’ ability to land a new deal, and we take that to heart. We know we’re providing a direct benefit to their sales and productivity.
2. Organizations want peace of mind.
Good Managed Services Providers (MSPs) can be as much a strategic advisor as an IT vendor. Firms that want to gain the trust and confidence of clients will use successful independent audits of their systems to do that. Such certifications validate an MSP’s ability to offer expert insight, in addition to providing the safety and security that can increase productivity and revenue potential while also mitigating risk.
3. Audits validate a Managed Services Provider’s security processes.
Most reputable providers want independent verification of their security and data custody processes to make sure nothing is missed, for several reasons. For starters, it ensures the MSP is operating at peak efficiency, which means it is generating the most profit for its efforts. Secondly, it prevents any small issue from becoming a bigger one and ensures the highest state of readiness. Lastly, conducting audits is also a way to uncover new ideas and implement best practices that keep up with the latest business and technology trends. Leading MSPs are in a constant state of learning, and audits are key components of that effort.
4. Many certifications are now mandatory.
A lot of audits used to be recommended but not required. That is becoming less and less common across a wide range of industries that want to reduce the number of attacks and security breaches at the organizations that service their market. Failure to get certified means an MSP is out of compliance for your specific needs and may not be an option for you. This trend will only continue in the coming years.
However, there is another aspect to this. For companies that are in the process of evaluating an MSP, being told that an audit by a credible third party was recently conducted is not enough. Your business data is on the line, so be sure to request a copy of the audit report, ask questions about the findings, and look favorably on audits that are “unqualified with no exceptions.” There is no such thing as a dumb question, and MSPs should be ready and willing to answer any inquiries. Those that take pride in their work appreciate clients who want to understand their business.