External auditing happens in almost all organizations. It is probably a legal requirement under the company act. But then, is it possible to audit an external company auditing your organization? Obviously, external auditors are the kings. They can ask for and demand any information, data, and user rights. In the case of physical information too, they can seek files and documents to any extent. Logically, when such audits happen, it is an audit of your practices, procedures, and policies. Basically, it is a check of what you say against what you do. These ideas came into my mind when I came across this question on ITKE. The title of the question is "External IT company auditing security and policies".
The question is: We have an external IT company auditing our security and policies. What kind of access should we give them? Should we be worried about auditing the auditors? In a nutshell, is it possible to audit an external company auditing your organization? I think, in an organized scenario, it is very much possible. There is a written agreement between the two parties, auditor and auditee. Everything is taken care of in that agreement. There is no need to audit the auditors. But you do need to ensure that you record every requirement from them in black and white, along with the reason for which it is required. In any case, when you give them an admin user/password, you always have an audit trail for all your critical data and actions.
Moreover, as the maturity level increases, the auditors inform you of the key areas they will be looking into. Also, in most cases, they list the information they will be seeking. This information might include access to your key business application. They might want to access the application at different role levels to check whether the authorizations and alerts are working correctly or whether there are any gaps.