Auditing auditors

The frequent loss of laptops and data disks by outside auditors in recent months has caused me to think about best practices for controlling auditors. The latest case involved the laptop of the auditor for Wells Fargo Bank. The laptop was stolen from the trunk of the auditor’s car and contained confidential information on bank employees.

Auditors provide a critical function. In many cases they are part of the security solution. But now that every data loss ends up in the glare of public disclosure, the practices around performing an audit need to be tightened up.

Here are some steps that will help you avoid being part of the next embarrassing data loss incident.

  1. Require your outside auditor to follow best practices with your data. These must include:
    1. Any data resulting from the audit MUST reside in an encrypted folder on the auditor’s computer.
    2. The data will be encrypted whenever it is backed up to a CD, hard drive, DVD, memory stick, iPod, or tape.
    3. The auditor’s laptop MUST be locked with a strong password or token.
  2. These controls will be stated explicitly in your contract or Statement of Work with the auditor.
  3. Test the controls. Require each member of the audit team to demonstrate that their laptops are locked, that they encrypt all of your files, and that back-up data is also encrypted.
  4. The auditor must agree to be liable for any direct costs arising from data loss caused by their failure to protect it, such as notification costs, reparation costs, and credit report costs.
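Step 3 asks each auditor to demonstrate that their laptop is protected. The script below is an added example (not from the original post) of how to collect that evidence for a whole audit team instead of eyeballing one screen at a time: it reads the platform's own disk-encryption status tool and flags any machine that does not show an active, protected encrypted volume. It assumes the vendor tools `fdesetup status` (macOS), `manage-bde -status C:` (Windows) and `lsblk` (Linux) are available; the hostnames and tool outputs in `SAMPLE_TEAM` are constructed samples, abbreviated to the lines that matter.

```python
"""Evidence collector for the "test the controls" step (added example).

Gathers each laptop's whole-disk-encryption status from the vendor's own status
tool and reports the machines on the audit team that fail. Assumes macOS reports
via `fdesetup status`, Windows via `manage-bde -status C:`, Linux via `lsblk`.
The hostnames and outputs in SAMPLE_TEAM are constructed, not real captures.
"""
import platform
import subprocess
from typing import Dict, List

# Vendor status commands, one per platform (assumed to be on the PATH).
STATUS_COMMANDS = {
    "darwin": ["fdesetup", "status"],
    "windows": ["manage-bde", "-status", "C:"],
    "linux": ["lsblk", "--noheadings", "-o", "NAME,TYPE"],
}


def disk_encryption_enabled(system: str, tool_output: str) -> bool:
    """Interpret the raw output of the platform's encryption status tool.

    Windows needs two checks: a volume can be "Fully Encrypted" while protection
    is suspended ("Protection Off"), which leaves the volume key readable, so a
    suspended volume is treated as a failure.
    """
    text = tool_output.lower()
    if system == "darwin":
        return "filevault is on" in text
    if system == "windows":
        return "fully encrypted" in text and "protection on" in text
    if system == "linux":
        # lsblk prints one "NAME TYPE" row per block device; a dm-crypt/LUKS
        # volume appears with TYPE == crypt.
        return any(row.split()[-1] == "crypt" for row in text.splitlines() if row.split())
    raise ValueError(f"unsupported platform: {system}")


def collect_local_evidence(system: str = "") -> Dict[str, object]:
    """Run the status tool on the machine this script executes on."""
    system = (system or platform.system()).lower()
    proc = subprocess.run(STATUS_COMMANDS[system], capture_output=True, text=True, check=False)
    return {"platform": system, "raw": proc.stdout,
            "encrypted": disk_encryption_enabled(system, proc.stdout)}


def failing_laptops(evidence: List[Dict[str, str]]) -> List[str]:
    """Return the hostnames whose collected status output does not show encryption."""
    return [e["host"] for e in evidence
            if not disk_encryption_enabled(e["platform"], e["output"])]


# Constructed sample outputs, abbreviated to the relevant lines.
WINDOWS_PROTECTED = """Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
"""
WINDOWS_SUSPENDED = """Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
"""
LINUX_LUKS = """sda       disk
├─sda1    part
└─sda2    part
  └─root  crypt
"""
LINUX_PLAIN = """sda       disk
├─sda1    part
└─sda2    part
"""

# Constructed roster: hostnames and outputs are illustrative only.
SAMPLE_TEAM = [
    {"host": "audit-lt-01", "platform": "darwin", "output": "FileVault is On.\n"},
    {"host": "audit-lt-02", "platform": "darwin", "output": "FileVault is Off.\n"},
    {"host": "audit-lt-03", "platform": "windows", "output": WINDOWS_PROTECTED},
    {"host": "audit-lt-04", "platform": "windows", "output": WINDOWS_SUSPENDED},
    {"host": "audit-lt-05", "platform": "linux", "output": LINUX_LUKS},
    {"host": "audit-lt-06", "platform": "linux", "output": LINUX_PLAIN},
]

if __name__ == "__main__":
    for host in failing_laptops(SAMPLE_TEAM):
        print(f"FAIL {host}: no whole-disk encryption evidence")
```

In practice each auditor runs `collect_local_evidence()` on their own machine and hands over the `raw` output along with the verdict; keeping the raw text lets you re-check the parsing later and file it with the Statement of Work as evidence that the control was tested rather than merely promised.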

These requirements are written for your external auditor, but they are just as appropriate for internal audit, contractors, and consultants. Your policies should include these practices, and you should make best efforts to ascertain whether your government auditors are complying with them as well. It is hard to impose restrictions on FDIC, Federal Reserve, FFIEC, or IRS auditors, but it is worth a try!

The IT-Harvest Data Protection Weekly newsletter is published every Monday morning.