In decades past, independence (a flawed measure even in good times) was considered the gold standard of audit. But Strike Graph’s Justin Beals argues that it’s well past time to catch up with technology and instead rely on transparency as a marker for security audit.
Security compliance is a necessity for doing business in today’s world. Buyers and investors demand it, and regulatory bodies require it. Despite the fast evolution of the cybersecurity landscape, companies are still largely using traditional “independent” audits to prove compliance and build trust. That method is stressful, slow and fundamentally flawed because of the unavoidable financial relationship between auditor and auditee. We need a new standard for audit excellence — transparency.
‘Independence’ is an antiquated measure
In the past, auditing firms have used indicators like company size, name recognition and ostensible independence from the companies they audit to create the sensation of trust.
The reality, though, is that neither a firm’s size nor its celebrity necessarily make its work trustworthy. The third indicator, independence, is even less reliable. There is no such thing as true independence between an auditing firm and those it audits because of the financial relationship between the two.
Auditing firms are financially motivated to keep the auditees who pay them happy with a passing audit. This becomes even more true when large firms both audit and provide consulting prep to the same company, often with only a flimsy departmental divide to disguise an innate conflict of interest.
The foreseeable outcome of these faulty motivators is situations like the Enron-Arthur Andersen debacle of 2001-02. Arthur Andersen had been charging Enron $1 million per week for auditing and consultation, and the annual performance goal for the firm’s lead auditor included an increase in sales. In June 2002, Arthur Andersen was found guilty of shredding Enron audit documents. This behavior was clearly unethical but not surprising given that, as both Enron’s consultant and its auditor, Arthur Andersen had set itself up to be reliant on Enron’s unquestioned success.
Scandals like this may have inspired some structural changes, but traditional audit firms continue to offer additional services to the same companies they audit. The foundational conflict of interest remains. Even the AICPA, which governs SOC 2 requirements, acknowledges, “It is impossible to enumerate all relationships or circumstances in which the appearance of independence might be questioned.”
Recent research shows internal audit functions are rarely involved in setting strategy for ESG or even in reviewing how goals are tracked and monitored. EY’s Kapish Vanvaria argues that ESG leaders should make friends with their internal audit colleagues — for everyone’s sake.
Transparency: A modern perspective on integrity and trust
If independence and name recognition can’t be counted on, what can be? Transparency.
New technology has paved the way for radical visibility into the inner workings of security compliance. Instead of an auditor sampling 10% of a company’s financial transactions, technology will allow every single transaction to be analyzed for compliance. And, even more important, that data can now be accessed in a way that anyone, regardless of their auditing or security compliance expertise, can understand.
Traditional sampling methods for testing massive or distributed datasets depend on a human auditor devising a sampling methodology they believe will accurately represent the whole dataset, and then selecting a small percentage of inventory, transactions or security events and measuring them against standards.
This process leaves the door wide open for error. You probably remember how many polls were wrong about the results of the 2016 and 2020 U.S. presidential elections. How did that happen? Sampling margin of error — in other words, the inherent inaccuracy of making big predictions based on a small sample of a large dataset.
Problem is, you don’t know you have a sampling error until your sample-based predictions turn out to be a mismatch for reality — a situation that could be devastating for a business if the issue at hand is cybersecurity. In the past, this was the best we could do, so that’s how we audited. But it isn’t any longer.
New technology allows real-time tracking and analysis of every piece of inventory, every transaction and every security event. Instead of random sampling and hoping for consistency, we are able to achieve verifiable, constant compliance.
And modern compliance software translates this vast amount of data into a format anyone can understand. You don’t have to be able to code, or speak security jargon, or even remember when compliance deadlines are coming due anymore. Everyone can participate, which means everyone is responsible and empowered — from the HR manager handling employee records to the CEO sending an attestation to investors.
The result of these advances is that companies needn’t be beholden any longer to lumbering audit firms whose practices and motivations are opaque. When anyone can see exactly — in any given moment — how a company is complying with security regulations and standards at a glance, that company doesn’t need some big name to create the perception of trustworthiness.
This democratization of security compliance is similar to how the music industry changed with the advent of the internet. Record companies — the gatekeepers of album production — paid radio stations — the gatekeepers of the airwaves — to play their music. Then, came the internet and online music platforms. They redistributed power to individual listeners, who suddenly were able to make their own decisions about which music deserved attention.
The evolution of security compliance
All systems change as technology evolves, and security compliance is no different. The old system puts large, legacy audit firms on a pedestal and measures them against a false metric of independence. And it depends on outdated methods for testing the evidence of compliance. Within this structure, trust is more easily broken and audits are less accurate.
A system based on transparency acknowledges that true integrity stems from universal access. The compliance process is democratized. Anyone can see a full, up-to-the-second assessment of a company’s security posture — giving stakeholders the confidence of greater accuracy and verifiable trust.