Security Auditing and Analysis

The output of an audit is the audit report. This report provides management with an assessment of how well your network works and how exposed you may be to attacks or events that result in interruptions. The report helps management to understand risks that threaten the network and its related infrastructure, as well as how to respond to those risks.

Purpose of Audits

An audit provides the opportunity to review your risk management program and to confirm that the program has correctly identified and addressed risk to your organization. The audit report that auditors create should recommend improvements or changes to the organization’s processes, infrastructure, or other controls as needed. Audits are necessary because of potential liability, negligence, and mandatory regulatory compliance. Audits can expose problems and provide assurance of compliance, and may be mandated by legislation, regulation, or contractual agreement.

Laws and regulations require some companies in a specific industry or that employ a certain number of employees to conduct both internal and external audits. Industries that must conduct these required audits include financial services organizations and any organization that handles personal medical records. Federal laws or vendor standards that require internal and external audits include the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS). The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that protects how organizations collect, use, or disclose personal information in e-commerce transactions. It also includes audit requirements.

An audit might find that an organization lacks sufficiently trained and skilled staff. It might show the company does not do enough to oversee security programs and manage assets. An audit might encourage an organization to provide better staff training. On the other hand, an audit might validate that an organization is meeting or exceeding its requirements.

Many new regulations make management personally responsible for fraud or mismanagement of corporate assets. In the past, corporations were mostly accountable for this; now, individuals are responsible. It is in the organization’s best interests to make every effort to be in compliance with all necessary requirements to protect itself and its people.

Customer Confidence

With so many businesses competing with one another, a valuable differentiator for customers is confidence. Businesses have an easier time attracting and keeping customers who trust the business. Customers who know that your business consistently audits its information systems for security may be more willing to share their sensitive information with you.

One way many business-to-business (B2B) service providers can build customer confidence is to employ auditing standards for conducting audits. The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issued the Statement on Auditing Standards Number 70 (SAS 70) in 1993. This was the first standard of its kind and provided audit guidance for many service organizations. SAS 70 was developed for organizations such as insurance and medical claims processors, telecommunication service providers, managed services providers, and credit card transaction processing companies. There were two types of SAS 70 audits: Type I and Type II. An SAS 70 Type I audit encompasses the service auditor’s assessment of the service organization’s description and implementation of controls to achieve the environmental control objectives. An SAS 70 Type II audit includes the information in a Type I audit as well as the service auditor’s assessment of whether the identified controls were implemented and are operating effectively. Although SAS 70 was general in its scope, the standard did not address many of the emerging issues encountered in today’s service organizations. For example, SAS 70 does not address supporting colocation or providing cloud-based services. SAS 70 was officially retired in June 2011.

In 2011, the Statement of Standards for Attestation Engagements Number 16 (SSAE 16) superseded SAS 70. SSAE 16 expanded the scope of SAS 70 and is the predominant auditing and reporting standard for service organizations. SSAE 16 provides guidance to auditors when verifying controls and processes. It also requires that the reports include descriptions of the design and effectiveness of the audited controls. These reports provide details that describe the organization’s specific controls. For example, a company seeking to lease space in a data center might ask the data center to provide the results of an SSAE 16 or SAS 70 audit to get an independent assessment of the security controls in the data center.

Reliance on the results of SAS 70, and now SSAE 16, has increased across many organizations. The AICPA has recognized the increased complexities of service organizations and created three different levels of audit reporting for service organizations. The Service Organization Control (SOC) framework defines the scope and contents of three levels of audit reports. TABLE 13-1 lists the SOC reports and the characteristics of each.

TABLE 13-1 Service Organization Control (SOC) Reports

REPORT TYPE | CONTENTS | AUDIENCE
SOC 1 | Internal controls over financial reporting | Users and auditors; this is commonly implemented for organizations that must comply with SOX or the Gramm-Leach-Bliley Act (GLBA).
SOC 2 | Security (confidentiality, integrity, availability) and privacy controls | Management, regulators, stakeholders; this is commonly implemented for service providers, hosted data centers, and managed cloud computing providers.
SOC 3 | Security (confidentiality, integrity, availability) and privacy controls | The public; this is commonly required for the customers of SOC 2 service providers to verify and validate that the organization is satisfying customer private data and compliance law requirements (such as HIPAA and GLBA).

SOC 1, SOC 2, and SOC 3 reports are important tools for an organization’s auditors. The SOC 1 report primarily focuses on internal controls over financial reporting (ICFR). This type of report is often used to prepare financial statements for the user organization and to implement proper controls to ensure the confidentiality, integrity, and availability of the data generated by the financial reporting requirements. SOC 2 and SOC 3 reports both address primarily security-related controls. The security-related controls in these reports are critical to the success of today’s technology service provider organizations. The primary difference between SOC 2 and SOC 3 reports is their audience. SOC 2 reports are created for internal and other authorized stakeholders. SOC 3 reports are intended for public consumption.

NOTE

For more information about SAS 70, see http://sas70.com. For more information about SSAE 16, see http://ssae16.com. For more information on SOC 1, SOC 2, and SOC 3 reports, see https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html.

Auditing Benchmarks

Remember that an audit is all about comparing the way your network is configured and operating to some trusted standard. It’s kind of like using a rubric to grade an assignment in school. The grade is based on how well the assignment meets the assignment requirements. With networks, a common approach is to acquire or establish a set of baselines to use for comparison. Each baseline contains metrics that describe the performance requirements of one aspect of your network. For example, a password management baseline could define settings for all computers and devices connected to your network that are related to password strength and use. Periodically, you would read the configuration settings of all connected computers and devices and compare those settings to your baseline. Any deviations would show up on the audit report. In such cases, each benchmark directs the main course of your audit. Benchmarks aren’t the only driver for audits. Another approach is for the auditor, with senior management’s approval, to decide how an audit is carried out.
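The baseline comparison described above, as an added example that is not part of the textbook: a hypothetical password-management baseline (metric names, thresholds and hosts are all constructed) is compared against per-device configuration snapshots, and every deviation, including a setting a device failed to report, is collected for the audit report.

```python
"""Baseline comparison for a password-management audit.

Added example, not from the textbook. The baseline metrics, thresholds
and host snapshots below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Metric:
    """One baseline requirement: a setting name, a human-readable
    expectation for the report, and a predicate over the observed value."""
    name: str
    expected: str
    rule: Callable[[Any], bool]


# Hypothetical password baseline (constructed values, not a real standard).
PASSWORD_BASELINE = [
    Metric("min_length", ">= 12", lambda v: isinstance(v, int) and v >= 12),
    Metric("max_age_days", "<= 90", lambda v: isinstance(v, int) and v <= 90),
    Metric("history", ">= 5", lambda v: isinstance(v, int) and v >= 5),
    Metric("complexity", "enabled", lambda v: v is True),
    Metric("lockout_threshold", "between 1 and 10",
           lambda v: isinstance(v, int) and 1 <= v <= 10),
]


@dataclass
class Deviation:
    host: str
    metric: str
    expected: str
    observed: Any


def audit_host(host, settings, baseline=PASSWORD_BASELINE):
    """Return the list of Deviation objects for one host's observed settings.

    A metric missing from the snapshot is itself a deviation: an auditor
    cannot assume an unreported setting is compliant."""
    deviations = []
    for m in baseline:
        if m.name not in settings:
            deviations.append(Deviation(host, m.name, m.expected, "<not reported>"))
        elif not m.rule(settings[m.name]):
            deviations.append(Deviation(host, m.name, m.expected, settings[m.name]))
    return deviations


def audit_fleet(snapshots, baseline=PASSWORD_BASELINE):
    """Audit every host; return {host: [Deviation, ...]} for non-compliant hosts only."""
    findings = {}
    for host, settings in snapshots.items():
        devs = audit_host(host, settings, baseline)
        if devs:
            findings[host] = devs
    return findings


def format_report(findings, total_hosts):
    """Render the deviations as the lines that would go into the audit report."""
    lines = [f"Password baseline audit: {len(findings)} of {total_hosts} hosts deviate"]
    for host in sorted(findings):
        for d in findings[host]:
            lines.append(f"  {host}: {d.metric} expected {d.expected}, observed {d.observed!r}")
    return "\n".join(lines)


# Constructed snapshots standing in for settings read from connected devices.
SAMPLE_SNAPSHOTS = {
    "ws-01": {"min_length": 14, "max_age_days": 60, "history": 10,
              "complexity": True, "lockout_threshold": 5},
    "ws-02": {"min_length": 8, "max_age_days": 365, "history": 10,
              "complexity": True, "lockout_threshold": 5},
    "srv-db": {"min_length": 16, "max_age_days": 90, "history": 24,
               "complexity": False},  # lockout_threshold never reported
}

if __name__ == "__main__":
    findings = audit_fleet(SAMPLE_SNAPSHOTS)
    print(format_report(findings, len(SAMPLE_SNAPSHOTS)))
```

Each baseline entry carries both a machine-checkable rule and the wording the report should show, so the same list drives the comparison and the findings text; in a real audit the snapshot collection step would be replaced by whatever configuration-management or endpoint tooling the organization already uses.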

Remember that the whole purpose of an audit is to assess how well (or poorly) existing system performance and configuration matches one or more standard benchmarks. Here are just a few of the most commonly used best practices for auditing or reviewing systems, business processes, or security controls:

  • ISO 27002—ISO 27002 is a best-practices document that gives good guidelines for information security management. For an organization to claim compliance, it must perform an audit to verify that all provisions are satisfied. ISO 27002 is part of a growing suite of standards, the ISO 27000 series, that defines information security standards.
  • NIST CSF—The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), first released in 2014, is a response to a U.S. Presidential Executive Order calling for increased cybersecurity. It focuses on critical infrastructure components but is applicable to many general systems. The roadmap provides a structured method to securing systems that can help auditors align business drivers and security requirements. NIST also publishes a series of Special Publications that cover many aspects of information systems. For example, NIST SP 800-37 is a standard that describes best practices, including auditing, for U.S. government information systems.
  • ITIL—ITIL is the Information Technology Infrastructure Library. It is a set of concepts and policies for managing IT infrastructure, development, and operations. ITIL is published in a series of books, each covering a separate IT management topic. ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks, and procedures that any IT organization can tailor to its needs.

NOTE

NIST SP 800 is a series of best practices documents. The publications website at https://csrc.nist.gov/publications/sp is organized with the newest documents listed first. Lower-numbered items might still be current because revisions don’t change the number.

Other organizations, such as ISACA and the Institute of Internal Auditors, have developed commonly used audit frameworks. Your organization might develop a set of guidelines in-house or adopt and customize an audit framework developed elsewhere. Here are two examples of these types of frameworks:

  • COBIT—The Control Objectives for Information and Related Technology (COBIT) is a set of best practices for IT management. It was created by the Information Systems Audit (ISA), ISACA, and the IT Governance Institute (ITGI) in 1996. COBIT gives managers, auditors, and IT users a set of generally accepted measures, indicators, processes, and best practices. You can use COBIT to help obtain the most benefit from the use of information technology and to develop appropriate IT governance and control in a company.
  • COSO—The Committee of Sponsoring Organizations (COSO) of the Treadway Commission is a volunteer-run organization that gives guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model. Many companies and other organizations use it to assess their control systems.

Unless mandated by government regulation or contractual requirement, organizations are free to choose whatever audit methods fit their goals. You can use one of the options mentioned here, or you can use guidelines from another organization or trade group. You can even develop your own document. Whichever method fits your requirements best, ensure you have an audit method to follow before conducting your first audit.
