Ostendio Blog

Security Audit: An Auditor's View

Written by Miranda Duff | Jun 16, 2021 2:59:29 PM
[4 min read]

Security Audits can improve your organizational efficiency and data security

When it comes to conducting audits there are multiple benefits to an organization.  We discussed this, and more, with Dale Dresch, Director of IT Services at Maloney+Novotny, on our recent webinar. Dale spoke to our Founder and CEO, Grant Elliott, about the benefits of driving a cultural change in an organization by performing a security audit using the Ostendio MyVCM platform. Done the right way, security audits can improve how your organization operates and help you win business.

In case you missed it, here are some of the top issues covered:

The role of an auditor 

You might be unsure about the role an auditor plays in a security audit, such as a SOC 2.  Dresch explained that an auditor is responsible for evaluating the processes used by a company to meet their select standard or regulation. His job is to find out if the company is doing in practice, what it says it is doing in the written process. Dresch explained that with his background as an engineer he has undergone many audits as a client, which gives him unique insight into the relationship between assessor and client.

The common mistakes made by clients

The biggest mistake Dresch sees is that clients need to learn to guide the audit, rather than letting the audit guide them. Defining the scope of your audit is important. Dresch suggests, “Do not approach an audit looking for perfection. The whole process is to make your organization better. Let it make you better. Don’t be afraid to make a mistake, have an exception, and explain the way you handle those exceptions.”

An audit should be about building a sustainable process

Grant Elliott explained that by preparing for an audit, organizations benefit by building an effective ongoing security program. The most successful companies leverage compliance to increase security. Dresch added that in his view, an audit is more than a check the box process. Consider how often you have been asked by customers for an audit report. Companies who use an audit wisely can improve compliance and leverage it to invest back into their security program too.

The drivers for organizations completing an audit

For Ostendio, Elliott explained that the main driver for clients completing a security audit was a customer request. In his experience, many clients want to complete a SOC 2 or HITRUST audit but it can be a lot of work and tends to be side-stepped until a customer demands it.  Dresch agreed and said that in his experience 9 times out of 10 it is a customer driving the request. It is often a requirement in a contract. In a perfect world, Dresch says it would take 12-18 months to prepare for SOC 1 and SOC 2.

How to prepare for an audit

Often companies believe their first step to prepare for an audit is to contact an auditor, says Elliott, but the auditor cannot do the preparation work for them and they often need the support of a company like Ostendio. Dresch agreed and said that as a CPA he could not complete the preparation work for an audit. Dresch explained that auditors need separation and need to be independent. Auditors can help clients understand what is required and point them in the right direction but auditors can’t implement controls on a client’s behalf. “If you think about it, it makes sense that I don’t audit my own work,” added Dresch. 

MyVCM Auditor Connect helps both the auditor and client

Each client and auditor has their own instance on the MyVCM platform. Elliott explained that it is much more than a place to drop documents or store documents. Key features of the platform show when a document or policy is complete or still being updated. It also allows auditors to lock a section of the audit when it is ready. Dresch explained that CPAs can be steeped in tradition and very Excel-driven. “MyVCM gave me a way to modernize that approach,” said Dresch. He explained an instance where a client did not understand why he was looking for specific data and by using MyVCM it was clear to the client what processes were linked with specific questions in an audit. Dresch explains how MyVCM simplifies the audit process, “There’s so much information required and it is hard to succinctly know what is needed. But MyVCM has modernized the way we are requesting information and managing the audit.”

MyVCM benefit clients

By using Ostendio MyVCM for an audit, clients find it easier to exchange information with their auditor. Dresch believes this increased communication exchange puts the client in touch with what is being audited. They understand the scope of the audit better and can have a laser focus on what they should be spending their time on. 

Using MyVCM CrossWalk

According to Dresch, “SOC 2 is a great audit to start with and it is easily mappable to many other frameworks.” Dresch said that in the past he had to map the controls manually to additional frameworks whereas now, using MyVCM, it is almost automatic. Dresch sees this as a major benefit to his business because he can help customers even more by helping them with additional frameworks.

The Ostendio MyVCM platform is the first marketplace where companies can search for, and contract with, an experienced security audit firm. Ostendio Professional Services helps clients prepare for audits such as SOC 2, FedRAMP, and HITRUST. Learn more about how Ostendio MyVCM and the Auditor Connect feature can help your organization with your next security audit.