Corporate Compliance Insights

What Matters in Audits — Alleged Independence or True Transparency?

Depth of datasets means independence isn’t the mark of a trustworthy security audit anymore

by Justin Beals
January 4, 2023
in Cybersecurity, Internal Audit

In decades past, independence (a flawed measure even in good times) was considered the gold standard of audit. But Strike Graph’s Justin Beals argues that it’s well past time to catch up with technology and instead rely on transparency as a marker for security audit.

Security compliance is a necessity for doing business in today’s world. Buyers and investors demand it, and regulatory bodies require it. Despite the fast evolution of the cybersecurity landscape, companies are still largely using traditional “independent” audits to prove compliance and build trust. That method is stressful, slow and fundamentally flawed because of the unavoidable financial relationship between auditor and auditee. We need a new standard for audit excellence — transparency.

‘Independence’ is an antiquated measure

In the past, auditing firms have used indicators like company size, name recognition and ostensible independence from the companies they audit to create the sensation of trust.

The reality, though, is that neither a firm’s size nor its celebrity necessarily makes its work trustworthy. The third indicator, independence, is even less reliable. There is no such thing as true independence between an auditing firm and those it audits because of the financial relationship between the two.

Auditing firms are financially motivated to keep the auditees who pay them happy with a passing audit. This becomes even more true when large firms both audit and provide consulting prep to the same company, often with only a flimsy departmental divide to disguise an innate conflict of interest. 

The foreseeable outcome of these faulty motivators is situations like the Enron-Arthur Andersen debacle of 2001-02. Arthur Andersen had been charging Enron $1 million per week for auditing and consultation, and the annual performance goal for the firm’s lead auditor included an increase in sales. In June 2002, Arthur Andersen was found guilty of shredding Enron audit documents. This behavior was clearly unethical but not surprising given that, as both Enron’s consultant and its auditor, Arthur Andersen had set itself up to be reliant on Enron’s unquestioned success.

Scandals like this may have inspired some structural changes, but traditional audit firms continue to offer additional services to the same companies they audit. The foundational conflict of interest remains. Even the AICPA, which governs SOC 2 requirements, acknowledges, “It is impossible to enumerate all relationships or circumstances in which the appearance of independence might be questioned.” 

Transparency: A modern perspective on integrity and trust

If independence and name recognition can’t be counted on, what can be? Transparency. 

New technology has paved the way for radical visibility into the inner workings of security compliance. Instead of an auditor sampling 10% of a company’s financial transactions, technology will allow every single transaction to be analyzed for compliance. And, even more important, that data can now be accessed in a way that anyone, regardless of their auditing or security compliance expertise, can understand. 

Traditional sampling methods for testing massive or distributed datasets depend on a human auditor devising a sampling methodology they believe will accurately represent the whole dataset, and then selecting a small percentage of inventory, transactions or security events and measuring them against standards. 

This process leaves the door wide open for error. You probably remember how many polls were wrong about the results of the 2016 and 2020 U.S. presidential elections. How did that happen? Sampling margin of error — in other words, the inherent inaccuracy of making big predictions based on a small sample of a large dataset. 

Problem is, you don’t know you have a sampling error until your sample-based predictions turn out to be a mismatch for reality — a situation that could be devastating for a business if the issue at hand is cybersecurity. In the past, this was the best we could do, so that’s how we audited. But it isn’t any longer. 

New technology allows real-time tracking and analysis of every piece of inventory, every transaction and every security event. Instead of random sampling and hoping for consistency, we are able to achieve verifiable, constant compliance.

And modern compliance software translates this vast amount of data into a format anyone can understand. You don’t have to be able to code, or speak security jargon, or even remember when compliance deadlines are coming due anymore. Everyone can participate, which means everyone is responsible and empowered — from the HR manager handling employee records to the CEO sending an attestation to investors.  

The result of these advances is that companies needn’t be beholden any longer to lumbering audit firms whose practices and motivations are opaque. When anyone can see exactly — in any given moment — how a company is complying with security regulations and standards at a glance, that company doesn’t need some big name to create the perception of trustworthiness. 

This democratization of security compliance is similar to how the music industry changed with the advent of the internet. Record companies — the gatekeepers of album production — paid radio stations — the gatekeepers of the airwaves — to play their music. Then came the internet and online music platforms. They redistributed power to individual listeners, who suddenly were able to make their own decisions about which music deserved attention.

The evolution of security compliance

All systems change as technology evolves, and security compliance is no different. The old system puts large, legacy audit firms on a pedestal and measures them against a false metric of independence. And it depends on outdated methods for testing the evidence of compliance. Within this structure, trust is more easily broken and audits are less accurate. 

A system based on transparency acknowledges that true integrity stems from universal access. The compliance process is democratized. Anyone can see a full, up-to-the-second assessment of a company’s security posture — giving stakeholders the confidence of greater accuracy and verifiable trust.


Justin Beals

Justin Beals is the CEO and co-founder of Seattle-based Strike Graph, a compliance automation provider. He is a serial entrepreneur with expertise in AI, cybersecurity and governance who started Strike Graph to eliminate the confusion related to cybersecurity audit and certification processes.  
