Audits Vs. Assessments: What's the Difference and Which Is Right For You? With Jim Goldman and Ben Phillips

This is a podcast episode titled "Audits Vs. Assessments: What's the Difference and Which Is Right For You? With Jim Goldman and Ben Phillips". Episode summary:

"The thing about security also is the threats are always changing. So you can't just keep doing what you've been doing and think you're going to be fine. You have to adapt to the changing threat landscape."

In the world of cybersecurity, things are ever-changing. This week cybersecurity expert and CEO & Co-Founder of Trava Security Jim Goldman and Ben Phillips, CPA and Director at KSM, discuss the differences between an audit and an assessment when it comes to information security internal risk assessments.

Understanding the difference between a cybersecurity audit and assessment is crucial whether you are a business owner, IT professional, or auditor. Jim and Ben shed light on the motivation behind each, whether customer-driven or regulatory, and offer thoughts on which is right for you. If you are seeking cybersecurity certifications like SOC 2 or ISO, knowing the difference is an important part of the process, along with patience, lots of patience!

What you'll learn in this episode:
1. The differences between audits and assessments and why they should be conducted.
2. How audits and assessments work together, and how often they should be conducted.
3. Why both internal and external audits are important in the journey to getting certified.

Things to listen for:
[02:47] Various certifications and audits for data security.
[07:53] The main difference between an audit and an assessment.
[09:40] Internal audit vs. external audit.
[15:54] Information security assessment and preparation advice.
[21:07] Differences between Type 1 and Type 2 SOC 2 reports.

Connect with the guests:
Jim Goldman's LinkedIn - https://www.linkedin.com/in/jigoldman/
Ben Phillips' LinkedIn - https://www.linkedin.com/in/ben-phillips-cpa-cisa-citp-ccsfp-chqp-093b0111/

Connect with the host:
Jara Rowe's LinkedIn - https://www.linkedin.com/in/jararowe/

Connect with Trava:
Website - http://www.travasecurity.com/?utm_source=casted&utm_medium=podcast&utm_campaign=podcast_share
Blog - https://travasecurity.com/learn-with-trava/blog?utm_source=casted&utm_medium=podcast&utm_campaign=podcast_share
LinkedIn (@travasecurity) - https://www.linkedin.com/company/travasecurity/?utm_source=casted&utm_medium=podcast&utm_campaign=podcast_share
YouTube (@travasecurity) - https://www.youtube.com/@travasecurity?utm_source=casted&utm_medium=podcast&utm_campaign=podcast_share

Jara Rowe: Gather around as we spill The Tea on Cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Audits, assessments, these are terms that are typically used interchangeably, but I recently learned that they are not the same thing. However, I am still a little unsure of what the difference between these two words are. And during this episode of The Tea on Cybersecurity, I have not one, but two experts that are going to help me understand this topic a little better. And I hope you, as well. I would like to welcome Jim Goldman and Ben Phillips to this episode. Hello gentlemen.

Jim Goldman: Good morning, Jara.

Jara Rowe: Good morning.

Ben Phillips: Good morning.

Jara Rowe: All right, so Jim, I know you're like a seasoned guest with me now, so I'm going to skip your intro and go to Ben. So Ben, since this is your first episode, can you please introduce yourself to the listeners?

Ben Phillips: So my name is Ben Phillips. I'm a director here in Indianapolis at KSM CPAs and Advisors, or Katz, Sapper & Miller. I've been in public accounting my entire career, I actually went to school starting in accounting. And then in 2012, I was working up in Minneapolis and got introduced to this thing called SOC Reports. I was involved in doing financial statement operating for insurance and financial services companies, and had an opportunity to do this thing that I knew nothing about. And since then, in the landscape, and we'll unpack it during the show. It's interesting who performs audits, who performs attestations. And those are things that certified public accounting firms tend to have been doing over time. So yeah, so I lead a team here. Love being back in Indianapolis. Yeah, I got a dog named Frida, got a wife, I love to golf, lose more golf balls than I should. And in my spare time and real time, I audit a lot and so does my team.

Jara Rowe: That's awesome. All right, so first official question, Ben, I'm throwing to you. In a previous episode, Jim and I actually talked about and defined cyber risk assessments. So I have a pretty clear understanding of what those are, but still not really clear on audits. So what is a cybersecurity audit?

Ben Phillips: Sure. Yeah, and that's a pretty good broad term, because depending on what someone's experiencing, the answer changes. So there's a SOC 2 Report that one can get. That's an attestation. There's an ISO 27001, that's a certification. You can get a HITRUST Assessment, you can get a HITRUST Certification. Again, that's a certification. So really an audit, in its own self, like the full purpose of an audit is to have an external independent third party that has nothing to do with anything operationally, organizing and operating these controls. To come in and issue or provide some sort of an opinion over the adequacy, design and operating effectiveness of the scope of controls in which the audit, attestation, examination, whatever you want to call it, is intended to hit. Auditors are looking at... they define what the scope is. Because companies have a wide net of technology and endpoints and things that touch data. When you look at different types of... we'll call it audit for this webinar. But when you look at those different things, the HITRUST, a SOC report, an ISO, those are actually just covering a very small subset of the overall technology stack in business that the company's even using. And it's really focused on who's going to be looking at the result... who cares about the result of these procedures performed by a third party firm. And it's really supposed to be the mission-critical or data centric information that's relevant to the stakeholders. So a client that would get a security audit or a SOC 2, as part of their SOC 2, we'd really cover the customer facing applications that allowed our client to meet the expected commitments with their customers through their contracts. We would not cover a general ledger system or other things that are business related, ancillary to what they're actually doing for their client and how they're solving the problem with data.

Jara Rowe: Yeah, super helpful. So you mentioned that the answer really depended on what people are experiencing. Which one of those triggers or is there a trigger that typically lets people know that they should conduct an audit?

Ben Phillips: Yeah, sure. So whenever someone comes to us and say, we have to get a SOC 2, we have to get a HITRUST. Usually the first thing I say is, I'm sorry. But also congratulations because that means, one, they're about to spend a lot of... depending on what they've done in their career, they may not know what they're getting into. Or some people have done it quite a few times and they know the drill, what's expected. The congratulations part usually goes to, you have a customer that cares enough about what you do and you're important enough to their business to where they really are not just letting you answer a questionnaire and call it a day. They really want you to prove that you're doing what is expected. And a lot of it is contractual, what have they contractually required you to do? And what have you agreed to do? Motivation is, for the most part when we see it, I would say 99% of the time is 100% customer driven.

Jim Goldman: And the only other thing I would add is in some cases it's regulatory. Depending what business you're in, there are other certifications where a government entity says thou shalt.

Ben Phillips: Yep, 100% right.

Jim Goldman: Not to say the customers still don't want to see it, but the initiation of the requirement comes from regulation. So that's really the only two sources, is regulatory or business. Which is customer or customer prospect driven.

Jara Rowe: Awesome. So in the end, either way, it's really going to help your business be able to grow down the line.

Jim Goldman: Well, to Ben's point, it's almost a rite of passage or a graduation. If you're being required or asked to do this, you're at a certain tier of maturity. So I agree with Ben, that congratulations are in order.

Jara Rowe: What is the main difference between an audit and assessment?

Jim Goldman: So what we tell our customers, and again, you can split hairs of the definitions. But in order to keep it fairly simple, when we use the term audit, we imply the need to bring in external auditors like Ben and his company. So this is not an examination of evidence that can be done by just anybody. Ben can go into it, just because he's a CPA, that doesn't automatically make him qualified to do a SOC 2 audit. In other words, the CPA firms that are doing this have to pass rigorous certification standards of their own in order to do SOC 2 audits, ISO audits, et cetera. So it's not just like Joe off the street with an accounting degree can suddenly say, "Oh, I can do your SOC 2 audit for you." There are standards bodies that own those standards that want to assure that the people and the organizations that are doing the audits are doing them properly. There's a lot of layers of oversight in the whole thing. So with that said, the audit is done by what we call, from Trava's standpoint, third parties. All right. Now, an assessment, the way we talk about it is somewhat less formal. So Trava will do assessments. Trava's intimately familiar with the requirements of the standard, the controls that need to be in place. But we're clear that what we're doing is not an audit, it's an assessment. We assure [inaudible] we say, "Okay, this is good, this is not so good. You need some work here. Here's your prioritization. If you leave it as it is, here's the risks that you have." That kind of thing. That's an assessment.

Jara Rowe: Cool. How can businesses determine whether they need an audit or an assessment or both?

Jim Goldman: So what I would say is my short answer would be both. And I'll tell you why, I'll give you an example. It's a journey to get certified to SOC 2 or ISO. It's not easy. It's not impossible, but you do need some patience. And so on that journey, a good interim step, almost like a checkpoint to say, how are we doing? Is what we call an assessment. Now, what's required in a SOC 2 or an ISO is something called an internal audit. Internal audit means bringing in external auditors like Ben and his company, there is a function within your company or from a company like Trava. That will look at all your controls and say, "Okay, evidence looks good here, you're missing some evidence there, et cetera." And so that's almost like that first check to say, everything looks good, let's move on to external audit. Or you got some things to fix first. So that's that assessment stage, even though I know it's tricky, and we called it internal audit. It really is just an assessment because it's a company like Trava. Or in a larger company, they'll have a department called internal audit. And so you always want to do that first. Then if that looks good and you're ready to go to the external audit... and you know what, Jara, another point is, some of our customers, for instance, want to be SOC 2 or ISO compliant. I'm using that word purposefully there because they know it's the right thing to do. Right now they're not getting particular pressure from prospective customers or existing customers to have that certification. And so they're saying that assessment or that internal audit is good enough, and that way we know when the time comes and we do have that big prospective customer that wants that certification, we know we'll be in relatively good shape to bring in the external auditors at that point. So that's kind of that, you can do both. And I'd be interested to hear what Ben says.

Ben Phillips: Yeah, 100%. When you're doing a SOC 2 or really any type of an information security related attestation. At the very basics, an information security internal risk assessment is required to do that. And part of what Jim was alluding to is just the internal record checking of, are we doing what we say that we're going to be doing? The internal audit step. That's probably a step further from actually starting out and what you covered in a previous podcast of defining what your internal risks are. So when a company is doing an assessment of any sort, it's expected to be done when you're doing a SOC 2 or an audit of any nature. And then, I think, as a company is growing and scaling, they always need to be looking at the next step. And the more that they... I would totally agree with you, a lot of companies are not ready to do it because they may have not had... maybe they don't have the resources, maybe they don't have the budget, maybe they don't have the management buy-in yet. But they do know on maybe the sales side or their competitive side, other customers are talking about this kind of stuff and they wish they could be too. When a client asks me, "Hey Ben, what do I say?" Let's say they're getting ready to do their first SOC 2. They have a security program, but they've never done anything yet. What do I tell our customers when I get asked for my SOC 2 report? They don't have one. What I recommend they do is they focus on the good things. Focus on what you're doing and discuss what your plan is to get there. Because as Jim did say, it is a journey and it's not like in 14 days you can have a SOC 2. In 14 days, you can't even sign an engagement letter. So you just need to think about what that looks like. And as long as you can convey that to your customer that's asking, and you have a polished response as we haven't had our SOC 2 yet, it's slated for Q1 of 2024, we're building up to it. 
And by the way, these are all the controls that we're going to have audited. And these are the things that we're doing and this is the scope of what our SOC 2 is going to be. That conversation in itself is way more meaningful than we haven't done it yet, let me go check. Shows that the company's been asked before and they're actually thinking about that because they're trying to put an investment into... but then also behind it is, when there's management buy-in is really, really important. And when there's budget and when there's enough customer demand to allow the benefit to outweigh the cost of it. Because again, developing a security program generally isn't cheap and depending on where the company is, if they're just starting out or if they're mature, different level of change management instills for a 250 person company versus a 22 person company.

Jim Goldman: Ben's exactly right. And actually one of the things we've started doing for our customers is once they're engaged is build them a customized security and compliance roadmap. I mean, it's graphic. And it starts with this month and then it goes out 18 months, let's say. And then for every quarter, we add another quarter kind of into the future. And what happens is it's like, here's what we've done, here's what we're working on now, here's what we're going to be working on over the next three quarters. There's something legitimizing about having one of our customers be able to share that picture. It's the old saying, a picture's worth 1000 words. Share that picture of we're not just making this up, we're serious. We've got a roadmap and here it is, and we're willing to share it.

Jara Rowe: Yeah. So it's just really showing their customer that they're taking initiatives and they're being serious about their security and things like that. As a business, like a company leader, we have finished our audit, we have finished our assessment, we have all of this information, our risks and all of those things. Now what? What's next?

Jim Goldman: Well, you usually throw a party. I mean, it's a very interesting question because literally at Trava, we just went through this. We literally just got our ISO 27001 certificate. And it's a tremendous feeling, it really is. It was a lot of work on a lot of people's part to get there, but there's just this huge sense of accomplishment when you actually see your name on the certificate. ISO was an international standard, so you've got the UK registration number on there and the United States registration number on there. It's a pretty big deal. The one thing that we probably ought to state outright, so there's no miscommunication is there's an expiration date on that certificate. And so once you get that first one, you're never done. You have to keep your controls well-designed, well implemented, you have to be gathering your evidence at whatever cadence each control says you have to gather that evidence. Now it becomes a steady state. There's the big bubble of work the first time, and then hopefully it becomes smooth. But you literally are never done because the certification is only good for a certain amount of time and it varies from one certification to another. But you need to plan on being ready for that next audit.

Ben Phillips: Yeah. Yeah, and I think that goes just generally into a company's never done having an information security program. If they're in the business of solving a problem with data, that the attestation or the audit at the end of the day is just a story of what they did in the past year.

Jim Goldman: At a point in time.

Ben Phillips: At a point, yeah. But what they're responsible and contrasts you're required to do for their customers never stops. So I mean, that's the difference between compliance and security is you really got to... compliance is evaluating the security and showing the results of those activities. Whereas, just because triathletes are done with an intensive event, that doesn't mean they quit training and stop doing things and keeping their body in tiptop shape for the next one.

Jim Goldman: That's actually a pretty good analogy because the thing about security also is the threats are always changing. You can't just keep doing what you've been doing and think you're going to be fine. You have to adapt with the changing threat landscape.

Ben Phillips: And also, businesses change. So people are having... companies [inaudible] that we see clients, hey, we just acquired this entity and we're going to be getting into this space. Or hey, we actually got a good market fit on this complementary product that we already needed to do, so we're going to do that as well. Well that kind of changes the people, process and data that they have, that maybe their customers would care about in the future. And if you never, as Jim you said, take time to reassess what are we doing here? What is our business risk? What are the cyber risk blame to that business risk? What type of contracts we sign with our customers? You could be caught flat-footed. And when you're moving up market with your enterprise clients, that's not a place you want to be. Generally what we do as advisors to our clients is we try and unpack what went well, what didn't go well, and what was hard. Because what was hard ends up being either there was some type of a miscommunication or folks were just learning about... we're learning about their business or they're learning about... they're going to their first type of one of these. They're trying to say, "Well, I didn't know what that." We go back and forth on a population of a certain thing and we need to get directly to the source of record. So when we ask a client like, hey, what's your... one control that's very common in pretty much everything is controls around logical access security of new, modified or changed or removed users. So in doing our attestation to have a quality audit, quality test result, we have to make sure that we have a quality population of things that we pick from. So when a client... we ask like, "Hey, can you give me a listing of all your new hired individuals from X date to X date?" We're always learning both the client and us once we're done because we're always trying to improve and make the process make more sense. 
And then from a findings perspective or what have you, the way this should work is, but it really should be somewhat of an open book test. Our client... like we're not coming out there to trick them. We're not asking them about new controls that they never said they were doing before. These are predefined things that have been in place and kind of planned for for over 12 months. So when we're asking clients about provide evidence of X, it's because six months ago they said that they wanted to do X. So if there's a finding, it's because they didn't do X. In the audit report, that we try and focus on the positive, but also give good feedback on what are they doing. A lot of clients, their controls, they don't always stay the same year over year. See a company that let's say they change their change management process or let's say they're changing... the biggest one we're seeing now is companies changing the way they do vulnerability management. Companies are going from a quarterly type older process to more of an active scanning process. This changes the way the auditor would test the control. So from an auditor's perspective, you're taking a sample of quarters, you're evaluating what those different things are and you're sampling those and you're checking to make sure that they said what they were going to do. They have track resolution or risk acceptance. With the daily example, it's a totally different control, totally different process. Just because a company's doing something better, doesn't mean that it negatively affects you. The one thing I would say is just make sure that as you're doing that plan, if you know someone else is going to be having to look at this stuff, make sure that the table of contents and the story and the timelines right, so we don't end up having to play catch up down the reno in October. Like, oh, you changed it here. Well that [inaudible] happens. 
And that's just more thinking about your clients and just a very good relationship of we don't only talk to our clients when we're doing the audit. We try and talk to them throughout the year to check in and make sure everything's okay. That way we can also make sure that they're feeling confident in going through this whole exercise.

Jara Rowe: Awesome. So Ben, you were just talking about timing a little bit. So when it comes to an audit, what are the factors of how frequency and audit should happen? Or is there typically an ongoing time that audits occur?

Ben Phillips: We generally see clients doing them once a year. So there's a type one and a type two of a SOC 2. So a type one is when controls are designed, we're not testing the operating effectiveness of controls. A type two is over a period of time. Sometimes, let's say it's June 6th and let's say management of this company says, "Hey, we have a contractual requirement that we have to have a SOC 2 type two by the end of the year." In that circumstance, if they need it by 12/31, they're probably not going to do a six-month type two. They're probably going to do a shorter period. And the timing, I guess, adapts by customer or regulatory demand from the very first question. We would probably recommend a client do a type one first because we probably audit a little bit harder where we want to see everything in place because we don't want a client to go through their type two and have a hiccup. When we would rather have the opportunity during the readiness phase to allow them to say, "Hey, you gave us this evidence and this is what worked." And then four months down the road and the evidence looks different, I could say, "Hey, remember this? This is what was good and now we have this. This is different." And it's not hitting all the same facts. So the question, when would you recommend simply, whatever cadence meets internal management goals, and whatever satisfies external communication or assurance requirements via regulatory or customer driven. But from a budget perspective, it's totally normal to do it once a year. And I would highly recommend customers getting in on that because what also can happen, you can have audit fatigue. Where you're just audit too much. I have it, but clients aren't used to it.

Jim Goldman: Totally agree.

Jara Rowe: Fantastic. So how can a business ensure that their audit and/ or assessment is being conducted thoroughly and accurately?

Ben Phillips: So unfortunately they can't assure it.

Jara Rowe: Okay.

Ben Phillips: They could hope and plan for it. But I would say at the very beginning... I mean it's hard. I sit on the other side of the table where companies come to us, a lot of them are current clients, some of them are new clients or referrals or whatever. And they're going through this thing that they've never had to go through before and it's not cheap. And they know nothing about it and it's like trying to buy a spaceship. You never had to go through that before, you don't know what the good... I mean, it's not like there's a good quality things. So what are you looking for? You're looking for consistency in your team. How long have they been in business? Customer recommendation? You're looking for just like what about helping a company get through their 18-month road. As a [inaudible], I would like to be asked, "Hey SM, can you walk us through the project plan and the timeline?" Because if you don't do that, there's a high probability of [inaudible] staying on track. If the auditor doesn't communicate their expectations with the client to get the artifacts, get the information, get the time, and also help them, being the customer, understand the level of time involved in going through this exercise to be successful. That's an important factor. Making sure that it goes well. The other thing, you get out what you put into it. A lot of times when companies are doing this, I mean we see more than not, most of our clients have individuals that have been brought on or been there for a while that have inherited the role of information security. You have to have someone that really understands business risk, information security, risk technology, and the business, and the contracts, and the vendors, and everything else that kind of goes in into the overall. But if you don't, make sure that as a management team, when you are setting someone and your company up on the path to go, "Hey, you're going to do SOC or you're going to go do X certification." 
You're responsible for that from a project perspective. Make sure that they have the background and the support to do a good job. I see a lot of folks that are just over, they don't know what they're looking at. They don't know what they... if I have to explain what an information security risk assessment is to a client, they're not a good client for us. And I think that's important just in making [inaudible] aside of technology, there's GRC, there's tools, there's worksheets, there's however you do it. The people and process in a security program are the meat and bones thing. So making sure that you have that people and process in your information security are what's [inaudible] help make sure that you're [inaudible] the best that you can.

Jara Rowe: So from talking to the two of you today, I can clearly see the difference between an audit and assessment now. But why do you guys think that people do get these terms confused? Because they are clearly different.

Jim Goldman: Well, I'll take a stab at it. From the perspective of, let's call it the uninitiated, they both can feel the same. In other words, both of them involve these so-called outsiders asking questions, asking to see evidence. Do you know what I mean? So in that sense, they don't feel any different. Now, who those individuals asking the questions are, what they do with the evidence, what you get as a deliverable or a feedback or a certificate or whatever, as an outcome of that process. That's really where the difference happens. But if you're the person being assessed or being audited, they really don't feel a lot different. You're being asked to provide evidence. To the previous question, the one thing I wanted to add to Ben's answer is, I think setting expectations between the auditor and the customer is crucial. Especially if this is the first time that customer has ever gone through an audit. Because it can feel like you're being violated, for lack of a better term. I mean, if you're not used to having outsiders come in and say, "Well, let me see this. Well, let me see that. Well, that's not enough, I want to see this detail." If you don't have the right attitude, you can quickly sort of start getting on the defensive and feel like, I'm not comfortable here. And so I've always felt like really setting the expectations of, here's what they're going to do, here's what they're going to ask for, here's how they're going to ask for it, here's the form it needs to be in, here's why they're asking for this, here's why they have to do this this way. I feel like the more time you spend upfront on that, the better the audit's going to go.

Jara Rowe: Yeah. That would be super helpful to have clear expectations, for sure.

Jim Goldman: And also in regards to that, what Ben was saying, you need an expert on this, you need an expert on that, you need an expert on this other thing. Everybody that could possibly be called in on the audit needs to be informed in advance. Because the audits that I've seen go the worst is when someone gets blindsided, they're busy doing their thing. They're saying, "Hey, come here, you need to talk to these auditors right now." And that's their introduction to audit. And that's when things can really go south in a hurry.

Ben Phillips: I totally agree, Jim.

Jara Rowe: All right. So as we wrap up this episode, is there anything else that either one of you would like to really drive home?

Jim Goldman: I just think whether it's an assessment or an audit, having a qualified, independent third party look at what you're doing in terms of security or privacy. It's a smart thing to do. It's the right thing to do.

Ben Phillips: Yeah. And what I would probably say is, let's say management is committed to getting a SOC 2 report in the next 12 months or 18 months, making sure you're planning for that. And you're providing your team the resources to succeed and not just doing a fire drill in five months and saying, "Hey, we need this." Because that's just going to be a band-aid. So I would just say, if you're going to go through this, congratulations. And second, make sure you're using a very well-thought-out plan, just like you would if you were changing a critical system in your business. You're changing policy, procedure, expectations on how you're dealing with all your critical systems in your business and your people. So it's just really important to plan and making sure you have all the resources and the management buy-in. Because if you have those, then everything generally will fall into place.

Jara Rowe: Fantastic. Well, I learned a lot from you two about audits and assessments. And that wraps up another episode of The Tea on Cybersecurity.

Jim Goldman: Thanks, Jara.

Jara Rowe: Thank you.

Ben Phillips: Thank you.

Jara Rowe: Now that we've spilled the tea on audits versus assessments, it's time to go over the receipts. I have quite a few things that I took away from this episode. I learned so much from Ben and Jim both. One of the first things that I didn't even ask and Ben answered, and I'm so glad that he talked about it, is who actually performs audits. So our people like Ben definitely perform audits, like CPAs, which those are external auditing partners. And CPA stands for Certified Public Accountant. Never thought about an accountant being an auditor for things like cybersecurity. Another thing I took away is, what is the motivation behind an audit? And then even, an assessment. And Ben and Jim both talked about that there are typically two parts that motivate a company. One of those being it's customer driven, like you as a company are trying to bring on a new customer and they may ask for things like SOC 2, that we hear a lot about. We learn a lot about SOC 2 on The Tea on Cybersecurity. And then ISO. So those are potential people that want to see if you have these certifications. So one, customer driven. Or two, regulatory. So those regulatory agencies and government entities that want to make sure you are hitting a certain standard like SOC 2 or ISO or GDPR. Another receipt that I have is understanding why people actually confuse audits and assessments. And Jim talked about how they seem extremely similar. You're going in, you're looking at things. And for someone that's never been through the process, like me, they definitely seem like they are the same. But there are little differences here and there. And those differences are audits typically are driven by external auditors. Like at Trava we call those third-party auditors. And then an assessment is a little less formal. So at Trava we can go in and assess things like that, like your risk, your vulnerabilities, and all of those things. But an audit is more formal and it is typically conducted by an outside party. Another receipt that I have is to help you along an audit or assessment project or process. One thing that would definitely help you is to have clear expectations. So especially if you're a business leader and this is your first time going through an audit or an assessment, make sure you talk to your auditor or the expert that is conducting the assessment about having clear expectations of what you should be looking for, what you should understand, and things along those lines. Because it could be a daunting task. So if you understand everything clearly, you won't feel so terrified during the process. And the final thing I took away is when it comes to an audit and/or an assessment, is that these things are never done. Especially once you attain the certification that you're going after, like SOC 2, those certifications typically expire. Like Jim mentioned, you're never done, so after so long, you want to conduct one again. Ben also talked about wanting to do them yearly just because even if it's not regulatory or no one's asking for it, you should want to conduct your audits and assessments at least yearly to make sure that things are still up-to-date. As we know, technology continually changes. And that wraps up another episode of The Tea on Cybersecurity, thanks for listening. And that's The Tea on Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.

Connect with Trava:

Website www.travasecurity.com 

Blog www.travasecurity.com/blog

LinkedIn @travasecurity

YouTube @travasecurity