Two weeks ago, I commented on the changing role of the risk management professional, and thought it would be worthwhile to spend a few moments discussing the auditor as well.
In a contest of which job is likely to see more change in the next two years, I would expect a photo finish.
Over on the Institute of Internal Auditors (IIA) site, Norman Marks started an interesting discussion about continued fallout from the Heartland data breach. In a Q&A interview with CSO Online, an understandably defensive CEO Robert Carr states that the company’s Qualified Security Assessors (PCI auditors) were worthless and gave them false reports for the previous six years suggesting that their security systems were just fine. I don’t think we need to dwell on the concept that compliance with security standards does not equal total security, however this does bring up a more interesting debate about the role of the auditors.
As expectations for greater corporate accountability and disclosure continue to mount (some would say more slowly than expected) audit reports are going to be set under the most finely tuned of microscopes to be examined for accuracy and thoroughness. Two of the most important questions auditors will have to answer will be:
- What is the scope of the audit? This must include what is evaluated and what is not, as well as the justification for including or excluding specific elements.
- What are the auditors assessing specifically? This must spell out very clearly the purpose of the audit (e.g. we are evaluating whether or not these systems are compliant with PCI; no other opinions should be inferred from this report).
If this information is not clear, both sides are left exposed. Would an auditor be demonstrating additional value and good faith by calling out other possible issues outside of their official report? Yes. However, it would be unfair to expect them to volunteer information that is beyond their defined scope... there is more than enough pressure as it is to get that right.