Posted by: David Schneier
Tags: assessment, assessments, Audit, bcp, business continuity planning, controls, framework, general controls, GLBA, IT General Controls, NCUA, Regulatory Compliance, Security, security awareness, Vendor Management
I’ve often surprised people when it comes to conducting audit/assessment work or developing compliance programs. Generally speaking, I’m a reasonable person who typically exhibits an abundance of flexibility in my day-to-day life. However, when it comes to my career, I tend to be much more of a hard-liner, someone who shuns gray areas and instead tries to view everything in a binary fashion: you’re either compliant or you’re not; you’re either following your rules or you’re not. I’m the guy who hates to take findings out of an audit report in order to appease the client, or to accept excuses (legitimate or otherwise) as to why things aren’t being done according to the rules.
But every now and again I find a situation that makes me think that maybe, just maybe, an exception can be made.
In working with a client on implementing a compliance program, it became apparent that by adhering to the exact letter of the law specified within the documentation, they’d immediately be out of compliance on day one in a very large, obvious way. Typically, when dealing with such a situation, I advise the client to develop a schedule indicating the dates by which they expect to get all their work done and be fully compliant. For vendor management, I usually recommend twelve months; for Red Flags it’s usually six months; and for security awareness it’s three months. As long as the plan and related schedule are documented and you can prove that you’re adhering to them, examiners and auditors alike will usually give you a free pass until the next time around.
Even so, in this instance nearly half of all the in-scope work would be displayed as overdue right up front. No one wants to see that on a screen or in a report, no one wants to risk having senior management see that information and absolutely no one ever wants to explain to an examiner/auditor why they have so much work still to do (even with a solid explanation and plan).
And so I blinked. I considered, in this instance, a way to introduce a new rule that would allow the client to use my approach of scheduling all the work to be completed within a set time frame (twelve months in this case) without having to show anything as being overdue. It didn’t seem so much like the right thing as the kind thing to do. I even went so far as to scope out my idea in writing and share it with my fellow compliance experts in our practice.
As it turns out, I apparently have had an influence on how all of us view such matters, because the first question I was asked was what I would do if I were managing the program. I wouldn’t come up with any special rules to avoid being accurate and honest, that’s for certain; it is what it is. I was then asked if I was willing to bend the rules in other projects, say an audit, for example. Well, considering that I’ve excused myself from audits in the past because management (at previous companies) elected to remove findings or soften them in order to keep the clients happy, I knew the answer was a resounding “no.” So I was asked why I was looking to bend the rules now. Good point.
What audit and compliance practitioners have to do is often unpopular and sometimes very difficult. We’re often perceived as inflexible or unreasonable. But the truth is that your compliance and/or controls framework is only as effective as its weakest link; if you start making exceptions in one area, they quickly become expected in others. Once one control is weakened in exchange for making things easier or more palatable, the integrity of the whole enchilada suffers.
Compliance requires hard decisions, thick skin and consistency. If you’re more inclined to be affected by acceptance rather than respect, it may not be the right line of work for you. Or as I’m fond of saying, it requires that you’d rather be right than popular.