Learning to love regulatory compliance auditors

Companies working to achieve passing grades in their regulatory compliance audits can greatly improve their ability to meet the requirements if they can somehow bridge the cultural gap that commonly exists between IT workers and those hired to apply the tests, according to a panel of industry leaders.

Taking the stage at the ongoing Security Standard Conference in Chicago, the collection of seasoned compliance and auditing specialists called for an end to the turf war that tends to materialize when internal and external auditors begin running their reports.

By fostering a more cordial relationship between IT departments and auditors, and pushing the groups the engage in more comprehensive exchange of ideas, businesses may be able to lessen the pain typically associated with allowing for the systems assessments.

Minimizing the pain

While the concept may sound corny or even far-fetched to many corporate technology workers and auditors, the experts said the best way to improve the efficacy of compliance programs and minimize the pain of the work is to do whatever it takes to get the teams on the same page.

“The perspective [of IT workers] is that audit is always out to get them. But once you get over that hurdle things improve,” said Lane H. Boyd, director of IT audits at fast food giant McDonald’s. “It really comes down to communication. You need to meet frequently and be honest.”

Boyd said it’s particularly crucial for companies to make an extra effort to encourage interaction between IT workers and third-party auditors, as the outsiders tend to come into the testing process expecting friction with internal teams.

“The security teams are most often responsible for managing outside auditors, and the perception is most often that [auditors] only come bearing bad news,” he said. “Even internally we try to work closely, but [internal IT] is typically not too happy to see us; but as this whole process matures, I expect that this [interaction] will improve.”

Aligning goals

The closer that IT management and auditing teams can become, said Boyd, the greater the likelihood the different groups can align goals, with those doing the assessments providing a “point in the right direction” of how they will look to test various systems for compliance.

In addition to helping internal teams better understand the thrust of the auditors’ work, bridging the two groups will make it easier for the assessors to tailor their work to suit the operational demands of each business, said Rick Boren, a partner with New York-based consultants PricewaterhouseCoopers.

Any level of trust that can be established will also encourage auditors to ensure they handle with discretion any sensitive corporate information they encounter, the consultant contends.

“The same level of trust is needed for external auditors as with internal. They have to know the process for protecting clients’ information assets,” Boren said. “These auditors are being put in a position of trust and this type of relationship needs to be there for everyone to work together effectively.”

The process of building a relationship between IT and auditors will also give the internal technology managers more confidence that the assessors won’t commit mistakes, such as crashing crucial business systems during their testing — a perception that often stifles interaction between such groups, according to Boren.

Communicating with business execs

Another vitally important element of improving compliance efforts internally is to seek out wider support of the auditing process from senior business executives, the experts agreed.

Many business leaders still question why they are spending so much time and money trying to appease each aspect of the regulatory requirements, said Michael Garber, director of IT assurance management in Motorola’s Information Protection Services group.

As with many other areas of IT, finding a way to illustrate the challenges and demands of the compliance audit process to non-technical business audiences is extremely vital, the panel of experts said.

The tendency for those working in assessment to defer to industry jargon when attempting to explain issues to senior management will only make it harder for everyone involved in the decision-making process to understand how to prioritize support and spending, they said.

“It’s important to communicate to the right audience in the right language,” said Boren. “IT and security teams tend to be technical; many executives may not understand and sometimes the auditors themselves aren’t technical enough. If you can improve the understanding between these groups, you can improve everyone’s view dramatically.”

Lack of communication

Conference attendees agreed that a lack of communication among business workers, IT departments, and auditors remains one of their biggest challenges in achieving compliance, with the lack of trust between administrators and assessors proving very hard to overcome, at least one end-user representative said. 

“The biggest challenge for us is distrust, with auditors consistently viewed as someone out to get IT workers,” said William Helgren, applications development lead at Premier Farnell, an electronics distributor which has its headquarters in Leeds, U.K.

“The perception is that external auditors are getting paid to find something wrong and that they will keep testing until they find something,” Helgren said. “There must be a balance of trust with both internal and external auditors, but that’s not there yet in many cases.”