A recent Federal Computer Week article suggests that in the private sector audit findings are effective at driving action, and that reports from Inspectors General (IGs) and the GAO could be used in the same way by the federal government.
The point is valid; however, the article misses two key factors that significantly affect audit dynamics in private enterprise.
Auditors issue findings that highlight systemic weaknesses. Even if these weaknesses have not yet caused a problem, in private enterprises it is understood that they need to be fixed before one occurs.
There is also a clear connection between business process ownership and responsibility and audit findings in the private sector. Since the Board does not want systemic weaknesses identified on their watch, and management does not want any operational ineffectiveness highlighted, there is a strong incentive in place to fix these findings as quickly as possible.
It’s also pretty clear that the business process owner will be looking for a new job if the same weakness is still an issue in the next audit. All in all, when the business pressures are aligned to correct weaknesses, they are very powerful.
If, on the other hand, the audit findings are not tightly linked to the business process owner, as in the federal audit process, it’s much easier for findings to stay open for multiple audits. The business pressure to fix the problems is minimal because no one’s job is in jeopardy.
If the federal government could find a way to change this dynamic then audit findings would drive appropriate and timely action throughout every organization.
Another issue that complicates action on federal audits is the way compliance is viewed. Federal agencies and contractors tend to treat compliance as a checklist process as highlighted by Mr. Crane’s comments.
FISMA was the grandfather of this style of thinking, and it has been difficult for agencies to shift away from this mentality toward a security and risk orientation. Most agencies just don’t see compliance as a key business process necessary to support the organization’s business objectives.
Instead, they view compliance as a necessary evil, and this viewpoint makes it easy to treat the whole effort as a giant checklist.
In the private sector an audit finding is connected to a business process that usually has financial or business implications—accounts payable, customer information management, intellectual property etc.
The financial implications mean that the finding gets plenty of attention from senior executives and board members, and this visibility creates pressure to address the issues throughout the organization. This difference in outlook lends itself to a far different view of compliance in general and of audit findings specifically.
If the federal government could find a way to begin overcoming these differences, the ‘audit sauce’ would not need to be secret anymore.
Title image courtesy of ShutterStock