Understanding Some Common Misconceptions about IT Audits and Regulatory Exams

One of the most common discussions our Information Security experts have with our clients has to do with the widely held belief of top management that their IT audits and regulatory exams are a sufficient measurement of the effectiveness of their information security efforts. In reality, an IT audit generally covers about 60% of an organization’s information security posture, and a regulatory exam generally covers about 15-25% of an organization’s information security health, leaving major gaps and the misconception that the organization is in good shape.

This common disparity in understanding can lead to a false sense of confidence. Many organizations we work with initially rely on IT for their security work. As good as most IT departments are, they are always short-staffed, busy fire-fighting technical problems, replacing equipment, and, hopefully, introducing new technologies. Rarely is IT empowered to step back and take an objective and comprehensive view of the full information security landscape.

Cybersecurity and Information Security: Is IT the Same Thing?

To get an even perspective on this dilemma, let’s first define cybersecurity and information security. There’s an ongoing debate in the industry regarding the two concepts. Generally speaking, Cybersecurity is what IT is typically charged with. Information Security, on the other hand, is usually assigned to someone; however, when the topic comes up, no one really knows who that individual is. Sound familiar?

For the purposes of today's discussion, let’s define the two concepts:

Cybersecurity: The practice of protecting systems, networks, devices, programs, and data from digital attacks, unauthorized access, damage, or theft. It involves implementing technologies, processes, and controls designed to safeguard an organization's digital assets, ensuring the confidentiality, integrity, and availability of information.

Information Security: The practice of protecting information from unauthorized access, disclosure, alteration, destruction, or disruption. It involves implementing a set of policies, procedures, and technical measures designed to safeguard the confidentiality, integrity, and availability of data, whether it's in storage, processing, transit, digital, or in print form.

Now think of these two concepts relative to audits and regulatory exams. In reality, audits are generally limited in scope. They are designed to examine a sampling of controls by drilling into a few select areas, typically born out of a theme of emerging topics or “flavor of the day” directives in the industry.

Annual audits and regulatory exams are not intended to be a comprehensive review of controls or validations of people, process, and technology. They are frequently thematic exercises where particular areas of the exam receive a concentrated focus. For instance, privileged account management may be a focus area for regulatory exams. However, the auditors usually select a small sample to review. Moreover, in my experience, responses are generally crafted to satisfy only the questions asked, and do not truly demonstrate how effective an organization is in that particular area. It is a bit like a game of cat and mouse between the auditor and the organization.

A Real-Life Example of How the Audit Passed, but the Security Assessment Failed

During a recent assessment our team conducted, we reviewed a copy of the client’s most recent audits, an IT audit, and a regulatory exam report. The auditor requested the policy regarding privileged accounts. According to the policy, a Service Desk ticket was to be opened for adds, moves, and changes to accounts that required supervisor approval. A sampling of 10 recent privileged account changes was requested. The auditor randomly selected 3 to review and validate that the appropriate persons approved the changes. The IT audit passed.

Nonetheless, we discovered that while the IT audit passed, the information security assessment failed. What happened? When we performed our information security assessment, we discovered that some privileged account changes may have taken place without Service Desk tickets. We compared log data and Service Desk tickets for privileged accounts and found disparities. It appeared that privileged accounts had been adjusted without tickets and account modifications had taken place outside of the Service Desk. Even worse, we also discovered accounts of terminated employees were still active and being used because HR hadn’t had time to open IT tickets.

The auditor was focused on the narrow scope: a supervisor or business owner had approved the change, so the audit was considered successful. The auditor didn’t do anything wrong; they followed procedure. Never mind that additional permissions were granted to the accounts of two terminated employees. Even worse, the terminated employee accounts still possessed remote access to the system, which could have allowed transactions to be carried out remotely.
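The reconciliation described in the example above, as added illustrative code that is not part of the original article: privileged-account change events are checked against Service Desk tickets, and HR termination dates against the directory's current state. The log entries, tickets, dates and field names are all constructed assumptions.

```python
from datetime import date

# Constructed privileged-account change events (as an IAM audit log might export them).
CHANGE_LOG = [
    {"date": "2024-03-04", "account": "jsmith", "action": "add_group:Domain Admins", "ticket": "SD-1041"},
    {"date": "2024-03-11", "account": "rlee", "action": "add_group:Domain Admins", "ticket": ""},
    {"date": "2024-03-15", "account": "mchen", "action": "grant:remote_access", "ticket": "SD-1041"},
    {"date": "2024-04-02", "account": "rlee", "action": "grant:remote_access", "ticket": ""},
]
# Constructed Service Desk tickets carrying the supervisor approval the policy requires.
TICKETS = {"SD-1041": {"account": "jsmith", "approved_by": "supervisor-a"}}
# Constructed HR termination dates and the current directory state (assumed field names).
TERMINATIONS = {"rlee": date(2024, 2, 28), "tgarcia": date(2024, 3, 20)}
DIRECTORY = {
    "jsmith": {"enabled": True, "remote_access": False},
    "rlee": {"enabled": True, "remote_access": True},
    "mchen": {"enabled": True, "remote_access": True},
    "tgarcia": {"enabled": False, "remote_access": False},
}


def changes_without_valid_ticket(change_log, tickets):
    """Changes with no ticket, or whose ticket was opened for a different account."""
    bad = []
    for ev in change_log:
        t = tickets.get(ev["ticket"]) if ev["ticket"] else None
        if t is None or t["account"] != ev["account"]:
            bad.append((ev["date"], ev["account"], ev["action"]))
    return bad


def terminated_but_active(directory, terminations, as_of):
    """Accounts still enabled on or after the HR termination date, with their remote-access flag."""
    return sorted(
        (acct, directory[acct]["remote_access"])
        for acct, left in terminations.items()
        if left <= as_of and acct in directory and directory[acct]["enabled"]
    )


def changes_after_termination(change_log, terminations):
    """Privilege changes logged after the account owner's termination date."""
    return [
        (ev["date"], ev["account"], ev["action"])
        for ev in change_log
        if ev["account"] in terminations
        and date.fromisoformat(ev["date"]) > terminations[ev["account"]]
    ]
```

Run against the constructed data, the three checks flag rlee's two un-ticketed changes, mchen's change that cites a ticket opened for jsmith, and rlee as terminated yet still enabled with remote access.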

Effective Communication Is as Crucial as Technology

The bottom line is that regulatory agencies do not have the resources to conduct thorough exams; thus, during audits they generally don’t have the luxury of taking the time to look at everything. The problem in this particular case was that Human Resources was not communicating with IT effectively. As a result, it took an unacceptable amount of time, a few months, for HR, IT, the Service Desk, and management to align. Yet the IT audit and regulatory exam both passed on the first try.

IT makes up about 60% of an organization’s information security. The other 40% may not be getting the attention it needs, because HR, management and IT may not be effectively communicating and may unintentionally be leaving the organization exposed. In the example above, IT followed the right process and disabled the accounts when they were notified.

However, the malfunction, which could have been critical, was due to the time gap between when the employees were terminated and when HR notified IT. For an extensive period of time, IT had no idea the employees’ accounts should have been disabled. Management, on the other hand, knew the staff had left the organization and assumed everything was operating according to procedure. In this case, the disconnect was not technology but a communication failure.

IT Audits: Only One Aspect of a Comprehensive and Effective Information Security Strategy

The rule of thumb has always been that audits (and I’m including regulatory exams here, as well) should be conducted on an annual basis. Following up my discussion above, I’d like to play the devil’s advocate here and state the following. In my opinion, relying solely on annual IT or regulatory audits to build your information security strategy or your cybersecurity program isn’t enough.

Here are some reasons why:

1. Reactive Rather than Proactive

A reactive approach to information security is inherently limited because it deals with issues after the discovery of a gap or possibly after the damage has been done. This results in higher costs, greater operational disruption, and damage to reputation and customer trust. In contrast, a proactive approach to information security is far more effective because it focuses on prevention, early detection, and continuous improvement. By being proactive, organizations can mitigate risks before they materialize, maintain business continuity, and build a robust security culture that adapts to evolving threats. 

2. Limited Scope and Depth

In addition to being reactive rather than proactive, regulatory and annual audits are limited in scope. They typically focus on compliance with specific regulations or standards instead of providing a comprehensive view of an organization’s overall information security health. While compliance is important and serves a real purpose, it leaves undiscovered gaps and a false narrative that your organization is protected against all potential threats. Audits may overlook nuanced or evolving risks that don’t fall within the audit’s narrow scope.

3. Lack of Continuous Improvement

An information security strategy needs to be dynamic, with continuous monitoring, assessment, and improvement. This is especially true in this day and age when technology is changing and evolving faster than ever before. While process and consistency have many positives, organizations need to be aware of the downsides, as well. Complacency in what you know and what has always worked can quickly backfire, especially as AI-enabled cybercrime continues to move faster and faster. Thus, solely relying on annual audits can create a false sense of security and lead to carelessness. Without a persistent and ongoing evaluation, your organization will miss opportunities to strengthen defenses or fail to address new vulnerabilities in a timely manner. Adopting a mindset of continuous process improvement, on the other hand, will put your business on a different, more successful trajectory.

4. Slow Response to Incidents

If your organization only relies on annual audits, you will be slow to detect and respond to incidents. Effective incident management requires real-time monitoring and rapid response capabilities. By the time an audit identifies a problem, significant damage is likely to have already occurred, like in the example above.

5. Gaps in Employee Awareness and Training

Employee awareness and training are critical components of a strong security posture that often remain overlooked in an organization's overall information security strategy. One of the reasons for these deficiencies is the excessive reliance on annual audits as the primary venue to improve employees’ cybersecurity literacy. In fact, annual audits are not the best or most adequate format to tackle the need for ongoing education and behavioral reinforcement. Without ongoing, regular social engineering training and awareness programs, alongside both positive and negative behavioral reinforcement, employees are highly likely to revert to bad habits and risky practices. This, in turn, greatly increases the likelihood of successful attacks, such as phishing or other social engineering tactics that are constantly changing and becoming harder to detect.

6. Changing Compliance Requirements

Another important fact that needs highlighting is that regulatory requirements and industry standards often evolve faster than annual audit cycles. For example, when NIST CSF 2.0 was released in August of 2023, most Information Security practitioners were likely already incorporating the addition of the Governance function in their strategies because they knew of the importance of governance in an Information Security Strategy. If you rely solely on annual audits, your organization runs the risk of falling out of compliance between audits. The potential consequences can be severe and costly, leading to fines, penalties, and reputational damage. A robust Information Security Strategy and implementation program includes continuous compliance monitoring that provides organizations with the agility to adapt to regulatory changes between the annually scheduled audits.

7. Increased Complexity and Attack Surface

In the language of Information Security, an attack surface is defined as the entire area of an establishment's people, processes, and technologies that is susceptible to attack. It's made up of all the points of entry that an attacker could leverage to create chaos or misinformation, to enter a system (including servers, ports, applications, and websites), or, once inside your network, to stage a diversionary attack that causes damage or fraud elsewhere. It also contains vulnerabilities relating to exposed APIs, DNS configurations, digital certificate management, weak passwords, poorly maintained software, insecure coding, process timing gaps like the HR example mentioned above, uneducated persons, and so on. As your organization grows, adopts new technologies, leverages the cloud, and generates more visibility for itself, the organization's attack surface expands, and information security becomes more complex.

Annual audits will not keep pace with these changes, leaving critical gaps in your defenses. A continuously evolving and proactive Information Security Strategy keeps pace with your entire organization, addressing new risks before they arise. A proactive Information Security Strategy does not rely entirely on IT; it incorporates the entire attack surface, including the immense array of threats introduced by the new gig economy and the expanding use of cloud and outsourced services.

Audits Are Necessary but NOT Sufficient

In summary, while annual audits, and some IT audits, are an important component of some Cybersecurity plans, they address only one aspect of an overall Information Security Strategy. A solid Cybersecurity plan includes continuous monitoring, proactive risk management, and ongoing employee engagement to stay ahead of evolving threats and protect your organization effectively, but a comprehensive and ongoing Information Security Strategy that builds on that plan is better positioned to address the entire threat landscape of an organization.
