Top 6 ISO 27001 and SOC 2 Auditor Pitfalls to Avoid

Plus Tips on How to Avoid Them

Whether you require an ISO 27001 audit or a SOC 2 audit, you will probably rely on your auditors to give you the best advice they can. But, to paraphrase George Orwell’s words in Animal Farm, “All audit practices are equal, but some are less equal than others.”

What do we mean by this? Simply that you must be aware of the mistakes that auditors can make during your audit.

Here are the top six audit pitfalls you should avoid.

1. The Auditor Who Doesn’t Present Evidence of Their Findings

If you are not in compliance with ISO 27001 or SOC 2, of course you want to know. But knowing isn’t enough. There must be evidence of the non-compliant practice. Without it, how will you know exactly what is going wrong, the business context surrounding the non-compliance, and what you must do to make the required fix?

2. The Audit Is a Tick Box Exercise

Checklists are great, aren’t they? Except that they only give an overview of the situation. There is no analysis of the shortfall in a compliance requirement, just a tick to say… what, exactly? That the issue has been identified? That the issue has been rectified? Something in between?

For example, some auditors fail to understand how to incorporate business analysis into their audit plan. At the big-picture level, you need to know what to focus on in order to succeed.

Rather than just checking boxes, a good place to start is to ensure that you have properly set the scope of the audit. Failure to define a tightly focused audit scope can result in auditors auditing too much, too little, or focusing on the wrong places.

For example, create a well-defined Business Impact Analysis. This helps you better define the critical business processes, the applications and systems that support them, the risks, and the risk tolerance for those processes.

A good auditor will use checklists to ensure that they have covered everything that is needed in an ISO 27001 or SOC 2 audit; but they won’t stop there. They will consider the bigger picture, share it with you, and put some ‘meat on the bones’ of their audit.

They will detail where you might make further improvements, or what behaviors and practices are unnecessary to remain in compliance. By doing this, the auditor ensures that you are fully informed and are doing what you must as effectively as possible.

3. The Auditor Who Doesn’t Investigate

By the time you have an audit conducted, you should have done a lot of work to get to the stage of being compliant. But this doesn’t mean you are. You may have overlooked something, or misinterpreted regulations. Something that you are doing (or not doing) could make you non-compliant.

The pitfall to avoid here is an auditor who takes all your documentation at face value. Just because you have introduced a new business practice does not mean that your employees are following it. They could be taking shortcuts, creating a non-compliant environment.

Make sure that your auditor is looking past your paperwork and into the real workings of your employees and your systems. Only a deep, forensic examination will reveal the shortcomings.

4. The Auditor Who Has a Point to Prove

Auditors usually find something wrong, but they shouldn’t work as though this is the sole purpose of their job. They should be fair and reasonable, and not find mistakes simply to prove a point. If this happens, the audit will deliver a long list of minor infractions and faults that are not valid.

The worst auditors in this category are usually new auditors. They want to stamp their authority on the audit as soon as possible, and so they often find errors where there are none.

To combat this, make sure you work with your auditor. Provide the tools, space, and collaboration they need. Let them know that you take their findings seriously, and want to work with them to improve.

5. The Auditor Who Uses the Audit to Upsell

By completing an audit, the auditor knows more about your company’s operations than most people in your company. This gives them deep inside knowledge and a competitive edge. They know all the errors that you must rectify.

It’s tempting to switch into ‘repair mode’ and hire them straight away to consult on putting right your shortcomings. But how do you know that you are getting value for money? How do you know they aren’t using you to generate revenue? Not all auditing firms are honest.

Our advice is to always seek an unbiased second opinion on whatever business the auditor is pitching for. This way you remove any potential conflict of interest that could damage your longer-term relationship. The second opinion may come from someone internal, from another person who undertakes audit work with the auditing firm, or from another auditor.

6. The Auditor Who Doesn’t Have a Plan

The overriding role of the auditor should be to help your business develop strategies, plans, and actions that mitigate the risks identified, for example, in a Business Impact Analysis. A talented auditor understands how to properly leverage this document when creating and implementing their audit plan, so that control deficiencies are linked to business impacts.

Similarly, we believe it is important to perform an application- or system-level risk assessment as an input to any audit, and especially an ISO or SOC audit. If the auditor fails to use the output of such assessments when creating the audit plan, the plan is less likely to concentrate on the controls around the areas of greatest risk.

The Best Way to Audit Successfully? Be Audit Ready

By the time you come to your trial audit, you should be confident of passing. There may be one or two small areas of concern, but on the whole you should be ready. The longer you leave it to prepare, the more work you are likely to need to do to become compliant.

Rules and regulations are constantly changing, so it makes sense to keep your SOC 2 and ISO 27001 compliance under constant and continuous review by:

  • Using the same criteria during internal investigations as used by auditors
  • Being energetic with corrective action
  • Taking a preventative approach wherever and whenever possible
  • Developing a compliance culture
  • Ensuring that you have systems in place that alert you to all rule and regulation changes
  • Tapping into external expertise early
  • Performing an application- or system-level risk assessment as an input to any audit, but especially an ISO or SOC audit

Are you ready to pass your ISO 27001 or SOC 2 audit?

Contact Tiro Security for the impartial expertise trusted by clients around the world.
