Audit 101: Not All Audits Are the Same
You’ve been around long enough to know there is no such thing as a free lunch. But what about a free audit?
There are plenty of companies willing to come into your financial institution, poke around, and let you know what they think of your cybersecurity program or another key area of risk. They promise to show you what’s wrong and offer ideas on how to fix it.
The price may be right, but I can promise you one thing. You’re not getting an audit.
What is an audit?
An audit is an independent and objective evaluation of a financial institution’s activities, controls, and information systems to ensure they are functioning as expected.
Audits can be used to evaluate both financial and non-financial areas of an institution.
Audits can be performed internally or externally by a third party, but the outcome should be the same: findings that detail problems and recommendations for corrective actions. Auditors attest to (i.e. vouch for) their findings, and credentialed auditors, such as Certified Internal Auditors (CIAs), have demonstrated their competency and professionalism through examination and continuing education.
Auditors go by the book. They might examine transactions, activity logs, and risk assessments to ensure accuracy, completeness, and timeliness. Financial and regulatory reports may be examined to determine if they were filed as required. Tests may be conducted to identify inaccurate, incomplete, or unauthorized actions. Control testing is used to identify whether the institution is operating appropriately and effectively.
Audits must have objective, clearly defined standards
Not just anyone can review materials at a financial institution and call themselves an auditor. A true audit follows clearly established standards to ensure an audit is thorough, ethical, and objective.
Some of the most well-known standards come from:
- The Auditing Standards Board of the American Institute of Certified Public Accountants (ASB of AICPA)
- The Institute of Internal Auditors (IIA)
- Public Company Accounting Oversight Board (PCAOB)
- International Organization for Standardization (ISO)
For example, the ASB is responsible for “developing, updating and communicating comprehensive standards and practice guidance that enable practitioners to provide high-quality, objective audit and attestation services to non-issuers in an effective and efficient manner.” It maintains SSAE 18, the attestation standard under which SOC 1 and SOC 2 examinations are performed and their reports issued.
An audit that isn’t conducted using a systematic, independent, and clearly defined standard isn’t an audit.
Audits: You get what you pay for
Audits are both time consuming and expensive (whether in internal resources or paying a third party) because a thorough audit requires experience and time. It is detailed and methodical, not casual or rushed.
You’re also paying for objectivity. Auditors shouldn’t approach an audit with a specific outcome in mind. They shouldn’t care how many findings they uncover (though a good auditor will always find at least a few). They are there to let you know what went right, what went wrong, and offer suggestions on what you can do to improve your institution. They are paid whether or not you institute their recommendations.
Compare that with a “free” audit. Free audits aren’t thorough, aren’t conducted by credentialed auditors, and—worst of all—aren’t objective. It’s like when you bring your car into a dealership for servicing and the dealership includes a free “multi-point vehicle inspection.” It’s not out of the kindness of their hearts. The dealership is looking for opportunities to upsell you, and they almost always find something.
The same is true for free audits. A company that gives you a “free cyber audit” isn’t there to assess your program top to bottom from policies and procedures to employee training. It isn’t going to go through the full FFIEC Cybersecurity Assessment Tool (CAT) to provide an overall audit of your cyber maturity.
That company is looking for a specific type of cyber problem: ones where it can sell you a solution to fix the problem whether it’s for password management, data loss prevention, or fraud prevention.
It’s not an audit. It’s a sales pitch.
It’s also a solution in search of a problem.
The danger is that even if the information is accurate and you have a cyber weakness that needs to be corrected, the information is coming from a company that has a specific solution for solving the problem. It’s not going to talk about the weaknesses it can’t help you fix—even if it would be more efficient and cost effective to address all the problems together using a different company’s tool.
It’s not an audit. It is not independent, and it does not conform to any recognized standard.
It’s a limited review conducted by a biased party.
A sales pitch is not an audit
When a company offers a free audit, recognize it for what it is: a sales pitch.
While potential third-party vendors can offer valuable insights and ideas for making improvements, anyone offering a free audit is selling you a bill of goods. At best, it’s a review. At worst, the vendor is providing a selective assessment of your institution that helps them set the agenda for a sales call—instead of letting your institution tell the vendor about your challenges and goals.
Don’t let a free audit give you false confidence in a solution or the needs of your institution. Leave the auditing to the professionals.