External IT company auditing security and policies

Audit and compliance
Network security
Network Security Management
Security audits
Security policies
We have an external IT company auditing our security and policies. What kind of access should we give them? Should we be worried about auditing the auditors?

Answer Wiki


I don’t know that I would necessarily be TOO worried. Who brought them in? If they were brought in by IT mgmt., then it is most likely to identify & address weaknesses in current procedures & how things can be done more efficiently. However, if they’re being brought in by upper mgmt., it COULD be (& this could just be me being paranoid) that they’re looking to make changes in IT World… possibly looking outside. I only say this because I’ve seen it happen before.

I would say give them access only to what you have to. Don’t give them more than they need. It’s better that they have to ask you for something than that you’ve given them more than they have to have (i.e. passwords, etc.).

Discuss This Question: 8 Replies

  • TomLiotta
    It depends on what brought the auditors in and why they're there. Is this simply a contracted service whereby you want to learn weaknesses that some auditor might find? Or is this a required audit due to regulatory or other compliance factors? If this is simply a choice that's intended purely to improve your business practices, then you give access to whatever you feel like giving access to. But if this is a regulatory or similar audit, give access to everything your lawyer says to give access to. "Should we be worried about auditing the auditors?" If you didn't verify their professional qualifications first, then yes. Tom
  • TomLiotta
    Though I believe my response was correct, it was also terse. I was expecting a few other comments to show up.

    The auditing of (or oversight of) auditors is a serious issue. However, there are distinct differences between two general categories of auditors -- internal and external. A review of the Wikipedia article on External auditors can give useful background. One conceptual difference might be thought about in terms of "To whom does the auditor report?" Professional responsibility is generally thought to accrue to the client or, perhaps in other words, whomever pays the bills.

    So... 'auditing the auditors'... There might be a couple of ways to view that proposal. Perhaps fraudulent activities are discovered by an auditor. To whom should the discovered activity be reported? What if it isn't? Perhaps proprietary business information is learned by an auditor? How is it protected? What assurances exist? Or perhaps there are incompetencies that result in a flawed audit. Do you automatically change your business practices based on some bozo's report? Why should you rely on what the assessment says?

    How such questions are answered can be tied to the relationship with the auditor -- to whom is the auditor responsible? Is this 'internal' or 'external'? What is the objective of the engagement?

    A qualified external auditor should be a CPA at the very least, or working under the direct supervision and responsibility of a CPA. Therefore, the general ethics of a CPA should govern behavior. You would 'audit a CPA' in the same manner you would 'audit an external auditor'. An internal auditor, though, might or might not be bound under similar professional assurances. The Institute of Internal Auditors (IIA) does provide certification for Certified Internal Auditor® (CIA®). There's no evidence that someone simply employed as an 'internal' auditor is always required to have such certification. You can download their Standards and choose how to interpret them.

    Naturally, you can always request evidence of certification, and the IIA should always be receptive to reports of misconduct. I hope that helps to round out some edges. I'd certainly be interested in whatever comments anyone else might add. It's really not my area of expertise, though I do have reason to look into audit practices from time to time. Tom
  • batye
    It's more like: who will be watching the gatekeeper, if the gatekeeper watches everyone?
  • jinteik
    I agree that if the auditor is not up to that level, then you will have something to be worried about. As I have been audited so many times in my job, I am not worried whenever any auditor comes, as each auditor will see things differently and will propose new things to further improve your current processes. The most important thing is always to think before answering any auditor, and don't be too over-kind to them.
  • 0scorpion0
    If your organisation has hired an external auditor, their contract may have required the auditors to provide references to prove ability and experience in this field. 

    In addition, your contract would have had to specify a 'scope,' which defines how far they can go, and what they can expect to be provided with.

    There will also be a clause stating that any information they come upon should be seen as being owned by your organisation.

    Last, but not least, the vendor may have to sign a non-disclosure agreement (NDA), to ensure they don't divulge anything they find.
  • ToddN2000
    Hopefully you have a well-researched company. Don't just go with the cheapest, as you may open yourself up to problems. Check out review sites for the company, maybe even BBB.org. See if the company has any complaints filed. Also, you need to check what guarantees they offer.
  • Kevin Beaver
    I understand your concerns. Do you trust doctors and their staff to give you the right meds and services? Do you trust your lawyer to review everything and give you the proper advice? What about your auto mechanic and home builder?

    It's perfectly okay to ask questions and even monitor behaviors of third parties while they're on your network. Still, at some point, you're going to have to trust the person or company you hire to do what's right.

    If you're not careful, this can lead to the classic case of the fox guarding the henhouse leading to an impure reflection of your security posture. I just wrote an article about this that may be beneficial:

    Why Security Assessments are Often not a True Reflection of Reality
  • Jaideep Khanduja
    There is a written agreement between the two parties, auditor and auditee. Everything is taken care of in that agreement. There is no need to audit the auditors. But you just need to ensure that you record every requirement from them in black and white, along with the reason for which it is required. In any case, when you give them an admin user/password, you always have an audit trail for all your critical data and actions.
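Two points in the thread are concrete enough to show in code: the answer's advice to give the auditors only the access they need and make them ask for more, and the last reply's point that an admin account handed to an auditor should leave an audit trail. The following is an added example, not code from the original thread or any of its posters. It assumes a hypothetical scoped account name (`auditor-ext`), a hypothetical engagement window and a hypothetical list of agreed read-only commands, and it reviews constructed log lines written in the style of Linux `sudo` syslog entries (not taken from a real host). The idea is that the scope clause from the contract becomes a machine-checkable list, and the trail is reviewed against it rather than just kept.

```python
"""Review an auditor's privileged activity against the agreed engagement scope.

Added example, not from the original thread. The account name, engagement
window, allowed-command list and log lines below are all hypothetical /
constructed for illustration.
"""
import re
from datetime import datetime

# Hypothetical engagement terms; in practice these come from the signed scope.
AUDITOR_USER = "auditor-ext"
ENGAGEMENT_START = datetime(2024, 3, 4, 9, 0)
ENGAGEMENT_END = datetime(2024, 3, 8, 18, 0)
ALLOWED_COMMANDS = {"/bin/cat", "/usr/bin/ls", "/usr/sbin/iptables", "/usr/bin/find"}
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/.ssh")

# Constructed sample lines in sudo's syslog format (not from a real system).
SAMPLE_LOG = """\
Mar  4 10:12:03 fw01 sudo: auditor-ext : TTY=pts/1 ; PWD=/home/auditor-ext ; USER=root ; COMMAND=/usr/sbin/iptables -L -n
Mar  4 10:15:44 fw01 sudo: auditor-ext : TTY=pts/1 ; PWD=/home/auditor-ext ; USER=root ; COMMAND=/bin/cat /etc/ssh/sshd_config
Mar  5 23:41:09 fw01 sudo: auditor-ext : TTY=pts/2 ; PWD=/home/auditor-ext ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  6 11:02:27 fw01 sudo: auditor-ext : TTY=pts/1 ; PWD=/home/auditor-ext ; USER=root ; COMMAND=/usr/bin/useradd backdoor
Mar  6 11:05:00 fw01 sudo: bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  9 08:30:12 fw01 sudo: auditor-ext : TTY=pts/1 ; PWD=/home/auditor-ext ; USER=root ; COMMAND=/usr/bin/ls /root
"""

# Matches the syslog timestamp, the invoking user and the COMMAND= field.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo: +(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_lines(text, year=2024):
    """Yield (timestamp, user, command) for each sudo entry; skip other lines.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["cmd"].strip()


def review_auditor_activity(text, year=2024):
    """Return a list of findings for the auditor account only.

    A finding is raised when a command ran outside the engagement window,
    used a binary not in the agreed scope, or touched a sensitive path.
    Activity by other users is ignored here; it belongs to a different review.
    """
    findings = []
    for ts, user, cmd in parse_sudo_lines(text, year):
        if user != AUDITOR_USER:
            continue
        reasons = []
        if not ENGAGEMENT_START <= ts <= ENGAGEMENT_END:
            reasons.append("outside engagement window")
        if cmd.split()[0] not in ALLOWED_COMMANDS:
            reasons.append("command not in agreed scope")
        if any(path in cmd for path in SENSITIVE_PATHS):
            reasons.append("touches sensitive path")
        if reasons:
            findings.append({"when": ts.isoformat(), "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_auditor_activity(SAMPLE_LOG):
        print(finding["when"], finding["command"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed log, the review flags three entries: the read of `/etc/shadow` (allowed binary, sensitive target), the `useradd` (outside the agreed command list) and the `ls` on the day after the engagement ended. The `apt-get` run by `bob` is not the auditor's and is left alone. The same shape works for any log source that records who ran what and when; the point is that the scope in the contract is written down precisely enough to be checked against the trail.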
