July 31, 2010

The Auditor’s Prerogative

by Jeff Kirsch

In my 13 years of experience as an auditor, I have found that the people I audit do not tell the truth.

That’s right; they tell me what they think I want to hear, they encourage me to believe they are honest, and then when I investigate further I always discover it’s all lies. So I’ve come to the conclusion that the best thing to do when asked questions is to lie right back.

Auditing is not about making friends or helping improve the controls of a particular environment. Auditing is simply about finding out what people screwed up, and raking them over the coals until they cry out for mercy. Of course, the word “mercy” does not exist in the auditor’s dictionary, so instead you’ll need to humiliate the people who erred until they quit in shame.

Defensive Audit Techniques

Audits begin with a meeting between the auditor and those who are to be audited, otherwise known as auditees. This term is useful in depersonalizing your relationship with the auditee into a meaningless, unemotional concept. The first meeting is the perfect opportunity to set the auditee up for potential failure, or at a minimum to begin to establish trust by assuring them that they can tell you “the dirt” without fearing retribution. It is recommended you use phrases such as, “I am here to help you improve your environment.” Another of my personal favorites to lay on the auditee is, “We are not here to play ‘gotcha’.” Of course, make sure you say this with a thinly-veiled evil grin that you attempt to pass off as compassion and sympathy. Make sure you also throw around confusing audit terms such as “compensating controls” and “scope creep” to throw them off.

Since you know that the auditee will not be honest, you must resort to established tactics to obtain accurate information. For example, if you need configurations from a system, request a meeting with the newest staff member under the guise of corroborating evidence. Since new staff members have not been jaded or burned by a previous audit, they are more willing to give you what you want without asking questions. If this is not an option, try padding your request for information with several items you know will draw more attention than you really want. In their effort to vet the more complex items, auditees usually overlook a seemingly benign request for configurations.

Once you have the information, the auditee will want feedback as to your findings. This is a trap, especially when it happens early in the audit process. Telling them you found something wrong that is potentially significant will immediately shut off access to more information that you might need. In these situations it is best to use phrases such as, “I am not sure if that is a problem, I need to talk with my manager.” This accomplishes two goals. The most obvious is that it shifts the blame to some unseen, and probably non-existent, person. Shifting blame is crucial to keeping the thin veil of trust pulled over the auditee’s eyes. Secondly, you postpone your potentially career-ending findings until after you have all the information you need. Dropping failures on the auditee at the last minute minimizes their chance for survival.

The final act of finesse is delivering the report. You are going to have an ongoing relationship with the auditee, usually not by their choice, which means you need to eliminate any chance that the people you are humiliating will be around for the next audit. Approach the meeting with an expression of deep concern for the environment, and stress that what you found isn’t personal. “You are working with what little resources you have, and it is difficult maintaining a control environment under those conditions,” always lets the people who will still be around know you understand their plight. Making the auditees who remain believe that you just saved their careers will greatly increase your chances to play “gotcha” in future audits.

Retrospective

In my 13 years as an auditor I have found that people are afraid of what they don’t understand. Auditors have gained a reputation, either justly or not, as people who are out simply to find every flaw they can. Auditors test to ensure controls are in place and operating effectively, but need to report when they find controls that fail. An audit is intended to help strengthen controls and give the company assurance that the controls you have work. We can move through our day thinking that what we say happened is what actually happened. But what happens to your credibility, and the reputation of your company, when you suddenly realize you were wrong? Having a good relationship with your auditor does not mean you have to be friends, but it does mean you need to find common ground to share trust. As an auditor I cannot ignore a failure in the control environment, but I can work with the auditee to make sure my understanding of the control environment is accurate. After having a conversation about findings, the auditor may find there are other controls mitigating the impact of a failure.

My satirical portrayal of the “evil auditor” was an effort to evoke emotions you may have during an audit. It is there to help you consider what type of relationship you and your auditor have, and to give a push to start a dialogue. Working together with your auditor is not always fun, especially after eight-hour interrogations, but it can be a process that helps your organization and you achieve better results. But the next time an auditor knocks on your door, wait until after they leave to curl up under your desk – seeing that tends to inflate their egos.

About Jeff Kirsch
Jeff is an IT auditor in the financial sector with a strong focus on IT infrastructure. Prior to working in the financial sector, Jeff spent 10 years auditing both the financial statements and IT systems of state agencies and local governments, with clients ranging in size from small villages to the lottery commission. Jeff has earned both his CPA (inactive) and CISA. To relax, Jeff spends time with his wife and four kids finding new adventures.

Comments

  1. I’ve been audited by some pretty competent auditors – the kind that can SQL inject an app and rootkit a server, so I’ve been part of some pretty intense audits. I’ve always treated the audit as a learning experience (for me) and an opportunity to nudge upper management in a positive direction.

    If I’ve got a weak area, I’ll admit it. If I’ve got stuff that works pretty good, I’ll let them know. But I figure it doesn’t pay to BS them. If they are good, they’ll know, and if they are incompetent, I will not learn anything from the audit. Learning from *good* auditors is a good thing.

    The stakes are high though. In my case, the findings are public and if they are bad, they’ll make the local news.

    –Mike

  2. I’m not sure how much to read into this, but I think you may have lost some perspective. Yes, people will certainly be less-than-honest and not as forthcoming as you would like. But as an auditor, it is your job to focus on the evidence and verifiable facts. Are you serious when you say:

    “So I’ve come to the conclusion that the best thing to do when asked questions is to lie right back.”

    I really hope that was satirical. The profession needs to maintain credibility with auditees if the process is to be beneficial for both parties.

    I am left with the feeling that perhaps I didn’t get the underlying message of the post, because I can’t imagine this would really be the way you conduct yourself.

  3. Chris Griffin says:

    I agree with you that auditors do look for where people screwed up and not help improve controls. But I don’t think that is how it should be. We have worked ourselves into this compliance box where real security doesn’t matter.

    With the attitude of just looking for screw-ups, then you’re not really helping them, or the security world. We need to be thinking about how to make things better. By looking for flaws without concern for helping, that is only breeding more and more compliance based thinking. And it is hindering true security based thinking.

    Most of us can realize just because it’s in a regulation, does not mean it’s good for security. It’s usually just good for the vendors that fill that void by making the regulation solutions based.

    Just wanted to throw my 2 cents in.

  4. Jeff Kirsch says:

    I am glad to see some discussion around this topic. To answer the question of whether this was a satire, the simple answer is yes; I indicated this in the closing paragraph. As I attempted to lay out in the Retrospective portion of this article, I do not believe people lie to me nor do I utilize “defensive auditing” techniques. I completely agree with you, Micheal Starks, that credibility is a cornerstone to being an effective auditor. To maintain that credibility we need to act in a professional manner, but we also need to explain our intentions and value to those we audit. I think Micheal Janke makes a good point about both sides learning from the other. The transfer of knowledge between both sides improves the quality of future audits and gives the auditee a better understanding of the overall control environment.

    Chris, I believe you have misunderstood my position. I do not feel auditors perform their testing simply to find what is wrong; instead I feel an auditor tries to meet the objectives of their engagement. In the process of conducting procedures to ensure controls are in place and operating effectively, an auditor may find the controls do not meet the control objectives. After performing their due diligence in determining if a control failure affects the overall effectiveness of a system, they must report their findings.

    After throwing out all that technical analysis I would say this, both parties to an audit should openly discuss what the objectives are and keep communications open throughout. Hopefully this helps build value for all parties involved.