Back in school, who was your favorite professor?
Everyone always adored the professors who gave pre-tests. Pre-tests are great because they give you a better chance of doing well on the real thing the following week.
Pre-tests provide clarity. They identify the most important things to know about the subject. They make you aware of the so-called "unknown unknowns", the facts and figures you don't even realize you don't know, and those unknown unknowns are always the scariest aspect of any test. When you know you have to study harder, you'll do it. Getting caught off-guard is a recipe for disaster.
Pre-tests are the key to avoiding that nightmare scenario (which you may still dream about) in which you discover there’s a whole chapter you forgot to study or prepare for.
When it comes to InfoSec Compliance, internal audits are a lot like the pre-test before your company's external audit. Done right, they help a company understand its own processes before the proverbial "big day," highlight gaps before those gaps become problems, and can even make the external audit itself easier.
(Note that some frameworks require an internal audit as a condition of certification: ISO 27001, for example, expects the internal audit to have been performed before the independent certification audit. If ISO 27001 certification might be an asset to your company in the future, starting internal audits before they are formally required is a step in the right direction.)
Here are some reasons you might want to get started with your own internal audit processes... and one (small, but important) reason you might not.
1. Instill an Atmosphere of Continuous Compliance
By conducting internal audits, your company confirms that it insists on a mindset of continuous Compliance, and you gain confidence that it will be ready for an external audit. When you have assurance that your company's processes actually match its controls, you are also readying it to take on additional frameworks, such as SOC 2, as it grows. In that sense, internal audits are a prerequisite for rapid growth.
2. Identify Potential Issues Early
You want to discover deficiencies in internal controls as soon as possible, before your external auditor does and before damage is done. An internal audit can determine whether any internal controls are not being followed, or whether they are being followed but need updating or reinforcement. For example, if your company's controls for preventing or detecting a security breach have a hidden gap, finding that weakness during an internal audit gives you the opportunity to fix it before it surfaces as a finding in an external audit.
3. Create a Culture of Encouraging Stakeholders to Report Irregularities
Here's a trick question: What do you do when you are alone in an elevator? Answer: Nothing you wouldn't do in a crowd, because with today's surveillance technology you are never really alone in an elevator. When you know you're being watched, you're on your best behavior, and you're also more willing to notice and report violations.
The same idea, encouraging people to look out for irregularities and report them, is behind the popularity of anti-phishing training (aka "phishing drills"), which aims to reduce employees' susceptibility to phishing attacks. Similarly, conducting internal audits encourages internal stakeholders to act on any suspicion of irregularity, and gives anyone tempted to cut corners a reason to think twice. Internal audits thus create a desirable culture of reporting within your company.
4. Help Identify Risk
An internal audit is a key part of your company's risk management process. Internal audits require an understanding of how your company's processes work, including the systems and stakeholders that contribute to them. This intensive review helps identify risks that were not apparent when controls were first implemented, or that have developed since, and it improves management's awareness of gaps and of the improvements in risk management that are needed.
As noted above, regularly planned internal audits help meet ISO 27001. Clause 9.2 of the standard requires internal audits of the company's information security management system (ISMS) at planned intervals, and Clause 9.3 requires top management to review the ISMS; the results of those internal audits are among the inputs to the management review. Internal audits that satisfy Clause 9.2 thus also help management meet Clause 9.3 by surfacing risk so it can be managed.
5. Onboard New Tools Ahead of Time to Prevent Issues
Adopting new technologies is key to transforming manual, time-consuming Compliance activities into vehicles for growth. InfoSec teams in companies of all sizes are finding that with technology like automation, Compliance can become an ally instead of a source of frustration. But however beneficial, implementing new tech carries risk. Internal audits are a good opportunity to onboard new tools and solutions in a safer, lower-risk setting: teams can get to know the platforms, understand how they work, learn how to optimize them, and find out what they need to account for before the main event.
Notwithstanding all the benefits, internal audits are not for every company at every stage, and there is one caveat: an internal audit that is set up incorrectly can create lots. More. Work. It can also create major headaches for your team, given all the extra Compliance activities that will be required.
This can be mitigated with Compliance automation. The right automated InfoSec Compliance solution cross-maps controls to different frameworks, so that a single piece of evidence can satisfy requirements for several audits, reducing the time and resources spent on audit preparation.
Everyone in class wants to ace the test, right? But part of doing well is knowing what to study and how best to study it, and that requires being aware of what you don't know, preferably before the teacher says "Pencils down" (or the digital equivalent). An internal audit is your company's chance at a pre-test: a dry run that shines a light on what needs to be done better.
With an internal audit done right, when your company faces that final exam, otherwise known as an external audit, you'll have all the right answers.