The Need For Audit Independence: Why MSSPs Shouldn’t Do Both Compliance Readiness and Audits

When evaluating vendors to build and audit your information security (infosec) program, there are many important questions to ask: Who exactly will be handling your data? What are the team’s credentials and prior experience? Will the vendor be outsourcing services internationally, and if so, how will their control and oversight of the process be impacted? 

Is the vendor claiming to be able to both build your infosec program AND conduct your official audit? 

Some MSSPs and “compliance as a service” providers are now advertising that they can help organizations meet required controls and conduct their certification audit. In this article, we’ll go over the potential issues with this from a legal, reputational, and ethical perspective. 

Let’s be clear about a few of the potential pitfalls of this approach right off the bat: 

Potential Pitfalls Of Engaging “All In One” Vendors

Having the same entity create and assess your infosec controls introduces a blatant conflict of interest. This presents clear ethical issues, as it’s essentially like having a restaurant conduct its own health inspection. 

They may not provide a fully objective assessment and could be inclined to overlook issues to hand you a more favorable report. Your audit may not hold up under scrutiny from stakeholders in the future, especially if you were to experience a security incident. 

Another red flag is if an “all in one” vendor is claiming to be able to implement your security controls and conduct your audit at a suspiciously cheap price tag. Meeting requirements such as SOC 2, HIPAA, GDPR, and dozens of others can be fairly economically efficient and not break the bank. However, compliance isn’t incredibly cheap either. As in many cases in life, when something seems too good to be true, it probably is. 

Meeting information security compliance requirements isn’t always an easy process. It often takes making many complex decisions involving business outcomes, processes, technologies, and acceptable risk. In other cases, it means fundamentally reworking a core business process to meet a requirement. 

When done correctly, meeting requirements provides regulators and potential customers the assurance that your organization takes security seriously. 

When done poorly, it can result in expensive boondoggles that cost your organization legal fees and valuable customer relationships. Engaging separate entities to develop and audit your infosec program is a safeguard against bias and helps you uphold the integrity of your compliance efforts. 

Audit Independence

So, what are the actual requirements and guidelines from which the robustness of your compliance can be judged? 

Let’s take a look at what a few entities and guidelines have to say on audit independence: 

Guidelines and Best Practices To Ensure Audit Independence

Sarbanes-Oxley (SOX) is a U.S. federal law aiming to protect investors by improving the reliability of corporate disclosures. Although it primarily applies to publicly traded companies, it can indirectly impact privately held SaaS companies, for example, that may plan to go public in the future or those that provide services to public companies. 

For instance, a SaaS company that handles financial data or provides financial reporting services to public companies may need to make sure its controls align with SOX requirements. 

Section 404 of Sarbanes-Oxley requires that companies have an independent audit of internal controls over financial reporting. 

The Public Company Accounting Oversight Board (PCAOB) states the following:

A registered public accounting firm and its associated persons must be independent of the firm’s audit client throughout the audit and professional engagement period.

Note 1: Under Rule 3520, a registered public accounting firm or associated person’s independence obligation with respect to an audit client encompasses not only an obligation to satisfy the independence criteria applicable to the engagement set out in the rules and standards of the PCAOB, but also an obligation to satisfy all other independence criteria applicable to the engagement, including the independence criteria set out in the rules and regulations of the Commission under the federal securities laws.

Note 2: Rule 3520 applies only to those associated persons of a registered public accounting firm required to be independent of the firm’s audit client by standards, rules or regulations of the Board or Commission or other applicable independence criteria.

That description is a bit heavy on jargon, so we can consult another source. SOC 2 is overseen by the American Institute of Certified Public Accountants (AICPA). AICPA has (fortunately for the non-accountants and lawyers among us) published a “Plain English Guide to Independence,” which provides the following guidance: 

Independence of mind is the state of mind that permits a member to perform an attest service without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.

Independence in appearance is the avoidance of circumstances that would cause a reasonable and informed third party, who has knowledge of all relevant information, including safeguards applied, to reasonably conclude that the integrity, objectivity or professional skepticism of a firm or member of the attest engagement team is compromised.


In even plainer English, AICPA is saying that auditors should avoid any conflicts of interest that could impair their objectivity. This includes scenarios where they might audit their own work or the work of close colleagues, which would naturally apply to building and then auditing the same infosec program.

The AICPA’s guidance, particularly under the SOC standards, prohibits organizations from auditing their own services, stating that: 

“The auditor’s responsibility is to provide an independent assessment of the service organization’s controls that may affect user entities’ financial reporting.” 

AICPA’s emphasis on independence makes it clear that an organization both implementing security controls for compliance and conducting the audit would risk impairing the auditor’s independence and objectivity, and would therefore not align with best practices.

Lastly, many standards and frameworks, such as ISO/IEC 27001 and NIST, emphasize the importance of independence in the auditing process. They recommend that audits be conducted by individuals who are not involved in the day-to-day operations or implementation of the security program.

Assessing Audit Independence and Quality

Now, let’s imagine a SOC 2 audit. Say you’ve hired an accounting firm with a security branch to help implement controls pursuant to SOC 2. Now imagine that the very same firm is going to audit your organization for compliance. Could a reasonable and informed observer conclude that the firm auditing the controls may be biased as a result of the fact that they were the ones who also implemented the controls? 

To recall an earlier analogy, it’s as if a restaurant were to perform its own health inspection. What are the odds that they are going to find major violations? Probably pretty low. When the same person who designed and implemented the infosec program also audits it, there is a significant risk of bias. They may inadvertently overlook issues or be less critical of their own work.

Even if this “all in one firm” issues a SOC 2 report without findings, your organization could still be at substantial risk. Imagine you have a major cyber event in the future, and customers find out that your SOC 2 report wasn’t entirely accurate and that the firm you hired took shortcuts through the process. Information security isn’t just a legal risk; it’s a business and reputational risk. 

A reputable information security compliance provider (whether an accounting firm or a managed security services provider) should do the following: 

  • Be able to provide reference customers, either publicly or privately, who have worked with the firm in the past to implement controls. 
  • Work with a reputable outside auditing firm that conducts independent audits of control implementation. 
  • Ensure that all employees adhere to industry standards, guidelines, and best practices such as those set by the AICPA.

External Audit Requirements

Some firms, Rhymetec among them, have identified specific high-quality third-party firms that they recommend to clients to complete the audit process. But if clients prefer a different audit partner, that is okay too. 

Information security compliance requirements shouldn’t be considered a burden to businesses. Implementing requirements such as SOC 2, GDPR, HIPAA, and others should help organizations be assured that they are meeting relevant legal and ethical requirements while taking adequate and appropriate measures to safeguard customer data. 

When conducted by ethical providers, standards like SOC 2 can substantially enhance a business’s confidence and security protocols without disruption and without massive cost. Independent audits provide greater credibility to your stakeholders, including management, customers, and regulatory bodies. You can be confident that the audit findings are impartial and accurate.

About Rhymetec

Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We’ve worked with hundreds of companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while balancing security with budget. We enable our clients to outsource the complexity of security and focus on what really matters – their business.