Experts share advice on finding the right IT auditor for your institution’s needs
In the world of banking, where institutions are governed by regulations and information security is of utmost importance, IT audits and penetration tests play a significant role in assuring an institution’s practices are aligned with business objectives and the letter of the law. Selecting the right auditor can play a significant part in maintaining the overall health of your IT controls and preparing your bank or credit union for its next regulatory examination.
Bankers are in the business of banking, and the IT professionals who support them are in the business of keeping networks, communications systems and workstations running. Because an IT audit is a deep dive into the nuts and bolts of the network infrastructure, it might sound like a scary proposition that consumes a lot of time and only exists to tell you what you’re doing wrong. But in reality, it is part of an ongoing process that serves to help banks and credit unions continually improve their controls and better understand – and correct – weaknesses. Selecting the right auditor is particularly important for smaller institutions that don’t have the budget or the staff to dedicate personnel to this role full-time.
At this point we should distinguish between an internal and an external audit. Some (mostly larger) institutions support their own internal audit departments. Those that don’t have the size or complexity outsource the internal audit function. In both cases the objectives are the same: to compare your IT management process to an accepted standard (FFIEC, ISO, COBIT, AICPA, etc.) and help you identify deviations from that standard. If you support an internal audit department, you should periodically have an external (outside) audit firm attest to their process and findings. If you outsource the internal audit function, there is no need for an external auditor.
“A financial institution should consider various factors when selecting a professional services firm to perform reviews, assessments and audits,” says Eric Gomez, managing director at Miramar, Fla.-based TruSec Consulting. “Some critical considerations should include independence, industry knowledge and overall business acumen.”
Independence helps ensure bias is not introduced in findings. Further, Gomez explains financial institutions should seek firms that are familiar with the industry, as well as its operational, business and regulatory challenges. Finally, the IT security assessor or auditor should be both well-versed in IT and physical security issues, have strong communication skills and be able to make sound recommendations based on the available information.
“Probably the biggest issue that I run into is the misconception that all they need to do is go out there and get an audit without first assessing where the risk lies and what scope of testing is necessary,” says Matt Jones, a partner at Dublin, Ga.-based IS Audits and Consulting, LLC, a division of TJS Deemer Dana LLP. “And they view it as a commodity as opposed to what it is, which is: an extension of their own internal audit process.”
Selecting an auditor is more than simply checking a box. Jones warns against seeking an auditor as a reaction to an examiner’s write-up. “When you look at it from that viewpoint as a customer, you aren’t determining on the front end what your needs are, what your risks are, where they really need testing.”
According to the experts, here are three keys to finding the right auditor for your institution.
Do Your Research
Finding an auditor isn’t a matter of selecting the firm that’s closest to your bank or that offers the best price. Each firm is different, not only in cost and convenience, but also in their level of expertise and how they document findings.
“When you get a proposal from 10 different companies, they are all going to be totally different in terms of what they do, to what degree they do it, their experience level, their quality level and their price,” Jones explains. “If you go into it looking at the audit as a commodity, then the overbearing factor is going to be the price.”
Jones acknowledges that cost is always a consideration, but also cautions bankers to consider what they’re getting in return. Before selecting an auditor, the institution should first conduct an internal risk assessment to determine what needs to be done, which areas need to be tested and which high-risk areas exist. A basic understanding of your own institution’s needs helps you select the appropriate services from an outside firm.
“In the industry the terms audit, review, assessment, penetration test – they get thrown around a lot and the lines get blurred,” Jones says. “You really have to dig in and look at the product and ask ‘is this what I’m looking for – is this testing the areas that I need tested.’”
When it comes to identifying candidates, ask around. Call peers at other banks, particularly those with similar size and complexity, to find out which auditors they’ve used and about their experiences. Ask trade associations for recommendations, or even your consultant or IT services provider. And when you do find an auditor, ask them.
“References should be obtained and consulted,” Gomez says. “Although [financial institutions] like to work with local providers, geographic location should not be a limiting factor, especially if talent is scarce locally.”
He also recommends that you ask to see deliverables from the auditor, and not just an outline – pay close attention to the auditor’s reporting structure and their flexibility to customize services to your institution. Remember, the report needs to satisfy the needs of multiple stakeholders.
“You are going to have different target audiences reading that report,” Jones says. “They may be board members who want a 50,000 foot view of what’s wrong and how to fix it – they don’t care about the nuts and bolts. Then you have the IT guy who’s tasked with fixing it that wants much more detail in terms of why a recommendation is a recommendation, and how you can fix it. You’ll also have regulators and other auditors who come in and read this report – they will base some of their own findings and recommendations on what is being said in this report too.”
It’s Not a Study Session
An audit might be something that’s done in advance of a regulatory exam, but experts warn against thinking of it as a last-minute study session. It’s just one part of a much larger IT program.
“‘Preparing’ for an audit or a penetration test is equivalent to going to the gym only in January because of a New Year’s resolution,” Gomez says. “Both tasks will make you feel better temporarily, but neither is effective. IT security should not be treated as a transaction—it is a never-ending cycle that should improve with time.”
Auditors and assessors don’t thrive on finding issues, Gomez adds. The more they find, the more reporting they ultimately have to do.
“A good assessor will prepare you to attain and, more importantly, maintain high levels of security by providing sound guidance and recommendations,” Gomez says. “He or she should work with you to improve an ineffective patch management process and not simply provide you a list of missing patches.”
Indeed, a small number of institutions see their relationship with the auditor as adversarial, Jones agrees. But having a vulnerability exposed through this process beats the alternative.
“You would rather have somebody that you’re paying to find it, giving you the chance to fix it before a regulator comes in and makes the same discovery,” Jones says. “Or in the case of a vulnerability assessment or a penetration test, you would rather these security vulnerabilities or potentials for a breach, you would rather have your assessor find it than a hacker in Russia.”
They Won’t Push Product
Independence and objectivity are the currency in which an auditor stakes his or her reputation. As such, their role is to provide an unbiased assessment that serves the institution’s best interest in maintaining secure, compliant IT operations.
“Auditors and assessors should carry out their work freely and in an objective manner,” Gomez says. “Aside from the engagement fees, there should be no financial interest or any benefits obtained from the findings and recommendations provided by the assessor or auditor.”
In any audit, the No. 1 rule of the game is independence, Jones adds. The auditor has to be 100% independent of the subject he or she is testing, and have no skin in the game on selling name brand products or service providers.
“Any vendor that performs administrative, management, or monitoring functions is likely not independent of the subject matter being tested. I would also shy away from any vendor whose whole m.o. when making a recommendation is to turn around and try to sell something to you,” Jones says. “The whole point of the audit is to try to identify control weaknesses and potentially offer suggestions for remediating the problem. The process is polluted if you’ve got an auditor that comes in and has an ulterior motive to actually profit on the back end from the remediation.”
That said, it’s not uncommon for an auditor to recommend speaking with peers at other institutions about their solutions and service providers, or even to name some of the IT companies out there. For all the community banks, credit unions and other financial institutions out there, it can still feel like a small world. As Jones explains, it’s not unusual for the financial institutions he works with to know each other, whether through another service provider, a state bankers association, the Community Bankers Association or even technology user groups. Often, if he gets questions on technology or a specific issue, he’ll refer them to a common acquaintance.
“That’s being a part of the community,” Jones adds. “By putting clients in touch with one another, I don’t think that we’re necessarily influencing a decision or making any sort of management call that would be an independence issue. I’ll even do the same thing with vendors.”
And according to the CAMELS composite ratings, your ability to work effectively with your auditor to promptly identify and resolve issues can make the difference between a composite score of 1 or 2, or something worse. Simply stated—proactively engaging a trusted advisor to help you discover potential weaknesses and vulnerabilities is a sign of diligent management and great leadership.
“When the opinion of an examiner or the compromise of your information systems becomes the trigger for action, you are not only perceived as a weak manager but can potentially become the scapegoat,” Gomez says.