The End of IT Audits for Financial Institutions

If you are responsible for cybersecurity at a financial institution, chances are you’ve had to participate in at least one annual IT Audit. There is a very high probability you didn’t particularly enjoy the event. Of the hundreds of people I’ve spoken to about audits in the last 20 years, not a single person has expressed any kind of joy about being audited. About the same number of people who enjoy going to the dentist, which is to say approximately zero.

What if I told you that you no longer need to suffer through an annual IT Audit?

If that idea is interesting to you, dear reader, you are in luck. This article explains why the dreaded annual IT Audit is a relic of the past, and how you can avoid them entirely.

Innovation is defined as making changes in something established by introducing new methods. The process of finding new methods begins with setting aside paradigms and asking the question ‘why?’ For example, Netflix asked why customers must stand in line at a brick and mortar Blockbuster store?

History of IT Audit

In 1999 the Gramm-Leach-Bliley Act (GLBA) was signed into law. GLBA dictates that all financial institutions (FI) must have an information security program in place to protect customer or member information. Part of the program has to include independent review of the effectiveness of the security controls in place. Enter the American Institute of Certified Public Accountants (AICPA).

20 years ago the information security (aka cybersecurity) field was in its infancy. There was no standard format for providing independent review of security controls to meet GLBA requirements. But the AICPA did have a standard method and format for performing audits, the SAS 70. The AICPA was founded in 1887 and had been facilitating financial audits for many decades. It made sense at the time to start with something that existed already and had been proven in the field for years.

Side note: yes, you are reading this correctly. Our industry’s current IT Audit model was borrowed from an accounting organization founded well over 100 years ago. Don’t get me wrong, the AICPA is a much needed, highly regarded organization. Just not for the cybersecurity industry.

It makes sense to audit annually after the books have been reconciled and closed out for the year. But corporate financial books and cybersecurity are very, very different. What doesn’t make sense is auditing cybersecurity controls, in bulk, once a year when most controls—especially those of a technical nature like firewall rules and antivirus software—are changing almost constantly, and operate in technology environments that are changing constantly.

The problem is that after the adoption of the SAS 70 audit format, and as the cybersecurity field grew in maturity, nobody stopped to ask the question: why? Why do we audit ever changing cybersecurity controls one time per year? Why do we rely on a model that might have made sense in 1887 long before modern information technology was even a possibility? Why do we continue doing IT Audits to meet the independent review requirement of FFIEC regulations?

As an information security manager at a financial institution I never enjoyed being audited. When I started Rivial in 2010 to take care of clients better, improve FI cybersecurity using advanced risk management techniques, and make people’s lives easier, I didn’t even want to offer IT Audits as a service. We were pulled into doing audits to help clients who wanted us to handle all of their security needs, not just an IT risk assessment. So, although Rivial performs very high quality audits in a friendly, cooperative way, I was the perfect person to ask: why do we torture our clients with an annual IT Audit, and is there a better way to provide independent review that meets FFIEC and GLBA regulations?

A Better Approach to Independent Review

The requirement for independent review according to the FFIEC is FI’s must ensure there are no conflicts of interest on the auditor’s part, and no relationship compromises independence. The auditor should be free to make his or her own decisions, not influenced by the organization being audited. This is typically handled by moving the audit function outside of the organization so they report directly to the Board of Directors, and therefore are less likely to be influenced by the people being audited. For smaller FI’s where it doesn’t make financial sense to hire a full-time IT Auditor, most organizations hire an outside vendor to provide audit independence.

But nowhere in the regulations or best practices does it say the independent review of cybersecurity controls must occur once per year, in an uncomfortable interrogation-style format. A much better way of performing independent review of cybersecurity controls is to remind employees about the security controls they need to operate/perform/etc, remind them how to do it, and ask for evidence when the control is being performed.

This model accomplishes three amazing goals simultaneously:

1. Better Security - by performing cybersecurity controls, collecting evidence, and auditing evidence throughout the year, problems are identified in days or weeks rather than waiting for the annual IT Audit.
2. Better Experience - the ongoing nature of continuous compliance removes the need for a yearly, week-long interrogation by an audit team. Much like going to the dentist, the ongoing collection of evidence is like brushing your teeth daily so the yearly cleaning isn’t so bad. (the FDIC and NCUA are the dentists in this scenario)
3. Lower Cost - by not having to send a team of IT Auditors or Cybersecurity Analysts onsite, the cost of continuous compliance is actually lower in most cases.

For most IT audit firms, performing an ongoing, continuous audit would be logistically impossible. Or at least very costly to implement. Sending a team of auditors onsite once per year is easy for IT audit firms. Perhaps this is the main reason nobody asked ‘why’ sooner. A former client and close friend of mine and I asked the question about 3 years ago, and developed an alternative to crummy IT Audits.

When I took the Strengths Finder survey many years ago, one of my strengths was Futurist. Armed with that highly scientific description of my true talents (wink), I will make a bold prediction: in 10 years, the annual IT Audit will be mostly dead, having been replaced by continuous compliance models.

If you want the cybersecurity equivalent of renting movies in a Blockbuster store, give us a call, we still perform traditional IT Audits for clients who prefer that model. But if you want to join the evolution of independent review, let’s get you more information about how continuous compliance will improve your security and make your life easier. 

We offer free demo's of our Continuous Compliance service because we want you to know just how revolutionary it is. Take advantage of this, there are no strings attached.