External IT company auditing security and policies

755 pts.
Tags:
Audit and compliance
Auditing
Network security
Network Security Management
Security Audit
Security Auditor
Security policies
We have an external IT company auditing our security and policies. What kind of access should we give them? Should we be worried about auditing the auditors?

Answer Wiki


I don’t know that I would necessarily be TOO worried. Who brought them in? If they were brought in by IT mgmt., then it is most likely to identify & address weaknesses in current procedures & how things can be done more efficiently. However, if they’re being brought in by upper mgmt., it COULD be (& this could just be me being paranoid) that they’re looking to make changes in IT World… possibly looking outside. I only say this because I’ve seen it happen before.

I would say give them access only to what you have to. Don’t give them more than they need. It’s better that they have to ask you for something than that you’ve given them more than they have to have (i.e. passwords, etc.).

Discuss This Question: 4 Replies

  • TomLiotta
    It depends on what brought the auditors in and why they're there. Is this simply a contracted service whereby you want to learn weaknesses that some auditor might find? Or is this a required audit due to regulatory or other compliance factors? If this is simply a choice that's intended purely to improve your business practices, then you give access to whatever you feel like giving access to. But if this is a regulatory or similar audit, give access to everything your lawyer says to give access to. Should we be worried about auditing the auditors? If you didn't verify their professional qualifications first, then yes. Tom
    125,585 points
  • TomLiotta
    Though I believe my response was correct, it was also terse. I was expecting a few other comments to show up. The auditing of (or oversight of) auditors is a serious issue. However, there are distinct differences between two general categories of auditors -- internal and external. A review of the Wikipedia article on External auditors can give useful background. One conceptual difference might be thought about in terms of "To whom does the auditor report?" Professional responsibility is generally thought to accrue to the client or, perhaps in other words, whomever pays the bills.
    So... 'auditing the auditors'... There might be a couple of ways to view that proposal. Perhaps fraudulent activities are discovered by an auditor. To whom should the discovered activity be reported? What if it isn't? Perhaps proprietary business information is learned by an auditor? How is it protected? What assurances exist? Or perhaps there are incompetencies that result in a flawed audit. Do you automatically change your business practices based on some bozo's report? Why should you rely on what the assessment says?
    How such questions are answered can be tied to the relationship with the auditor -- to whom is the auditor responsible? Is this 'internal' or 'external'? What is the objective of the engagement? A qualified external auditor should be a CPA at the very least, or working under the direct supervision and responsibility of a CPA. Therefore, the general ethics of a CPA should govern behavior. You would 'audit a CPA' in the same manner you would 'audit an external auditor'.
    An internal auditor, though, might or might not be bound under similar professional assurances. The Institute of Internal Auditors (IIA) does provide certification for Certified Internal Auditor® (CIA®). There's no evidence that someone simply employed as an 'internal' auditor is always required to have such certification. You can download their Standards and choose how to interpret them. Naturally, you can always request evidence of certification, and the IIA should always be receptive to reports of misconduct.
    I hope that helps to round out some edges. I'd certainly be interested in whatever comments anyone else might add. It's really not my area of expertise, though I do have reason to look into audit practices from time to time. Tom
    125,585 points
  • batye
    It's more like: who will be watching the gatekeeper, if the gatekeeper watches everyone?
    3,080 points
  • jinteik
    I agree that if the auditor is not up to that level, then you will have something to be worried about. As I have been audited so many times in my job, I am not worried whenever any auditor comes, as each auditor will see things differently and will propose new things to further improve / improvise your current processes.... The most important thing is always to think before answering any auditors, and don't be too over-kind to them.
    17,620 points
