Learning to love regulatory compliance auditors

Companies working to achieve passing grades in their regulatory compliance audits can greatly improve their ability to meet the requirements if they can somehow bridge the cultural gap that commonly exists between IT workers and those hired to apply the tests, according to a panel of industry leaders.

Taking the stage at the ongoing Security Standard Conference in Chicago, the collection of seasoned compliance and auditing specialists called for an end to the turf war that tends to materialize when internal and external auditors begin running their reports.

By fostering a more cordial relationship between IT departments and auditors, and pushing the groups the engage in more comprehensive exchange of ideas, businesses may be able to lessen the pain typically associated with allowing for the systems assessments.

Minimizing the pain

While the concept may sound corny or even far-fetched to many corporate technology workers and auditors, the experts said the best way to improve the efficacy of compliance programs and minimize the pain of the work is to do whatever it takes to get the teams on the same page.

"The perspective [of IT workers] is that audit is always out to get them. But once you get over that hurdle things improve," said Lane H. Boyd, director of IT audits at fast food giant McDonald's. "It really comes down to communication. You need to meet frequently and be honest."

Boyd said it's particularly crucial for companies to make an extra effort to encourage interaction between IT workers and third-party auditors, as the outsiders tend to come into the testing process expecting friction with internal teams.

"The security teams are most often responsible for managing outside auditors, and the perception is most often that [auditors] only come bearing bad news," he said. "Even internally we try to work closely, but [internal IT] is typically not too happy to see us; but as this whole process matures, I expect that this [interaction] will improve."

Aligning goals

The closer that IT management and auditing teams can become, said Boyd, the greater the likelihood the different groups can align goals, with those doing the assessments providing a "point in the right direction" of how they will look to test various systems for compliance.

In addition to helping internal teams better understand the thrust of the auditors' work, bridging the two groups will make it easier for the assessors to tailor their work to suit the operational demands of each business, said Rick Boren, a partner with New York-based consultants PricewaterhouseCoopers.

Any level of trust that can be established will also encourage auditors to ensure they handle with discretion any sensitive corporate information they encounter, the consultant contends.

"The same level of trust is needed for external auditors as with internal. They have to know the process for protecting clients' information assets," Boren said. "These auditors are being put in a position of trust and this type of relationship needs to be there for everyone to work together effectively."