5 ways to combat audit fatigue

Cybersecurity audit fatigue has become a very real issue for organizations that are required to comply with multiple government, industry, and internal requirements.

In recent years, concerns over data breaches and privacy violations have spawned a bewildering array of regulations—all with similar goals but subtle differences in scope and in what they require organizations to do and provide by way of compliance evidence. The requirements have left security teams duplicating efforts and almost constantly engaged in audits rather than on their core functions.

A survey conducted by Telos last year found that, on average, organizations are required to comply with 13 different security or privacy regulations, including PCI DSS, HIPAA, Sarbanes-Oxley, GLBA and FedRAMP. Telos found that organizations are spending some $3.5 million annually and on average have 22 dedicated employees working on security and privacy audits.

“Audit fatigue is becoming a significant headwind for many companies’ IT security organizations,” says Jim Huguelet, principal at auditing and consulting firm The Huguelet Group. “These organizations are increasingly structuring their activities around various audits and assessments that must be completed, rather than their real mission of proactively addressing areas of greatest risk.”

Frustration over audit requirements is becoming an increasingly common problem. Business units and subject matter experts are getting asked the same questions repeatedly and perceive a lack of communication on the audit side, says Sean Goodwin, manager IT assurance and security at public accounting and business consulting firm Wolf & Company. “One of the worst implications of audit fatigue is people seeing audit purely as an annoying task to get through, rather than an opportunity to add value,” he says.

Addressing the problem is not easy, but there are ways to mitigate the impact of having to deal with far too many audits with overlapping requirements. Here are five of them:

1. Implement a baseline standard

When an organization has to meet multiple federal, industry and internal requirements, it is best to implement a set of baseline security controls using frameworks or standards like those available from the National Institute of Standards and Technology (NIST) say analysts. The controls and assessment procedures prescribed in these standards can be applied—or mapped—to the requirements of all the standards with which an organization might need to comply. So, in theory at least, by testing all the controls once, an organization would be able determine if they comply with all their regulatory and internal requirements.

Jeff Hall, senior consultant at Wesbey Associates, advocates that the information security or broader risk management group implement the NIST 800-53 framework and map the controls in them to all the regulations and internal requirements with which the organization might need to comply. NIST Special Publication (SP) 800-53 catalogs a broad set of security controls that organizations—both within government and the private sector—can use to secure their organization against application vulnerabilities, threats from social networks, cloud and mobile environments and other threats.

The standard was originally developed to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). It is now a broadly used standard for assessing organizational preparedness to deal with security threats in the private sector as well. “What I tell my clients is to look at NIST 800-53,” Hall says. “Compliance should flow if you implement controls to the level of detail in the standard and keep a good evidence record,” he says.

2. Have an internal audit team for cybersecurity

Having an internal audit team for cybersecurity can help organizations reduce some of the audit burden and associated audit fatigue. An internal group can help drive awareness of security standards, compliance requirements, and the documentation required to prove evidence that mandated controls are in place and working as they should.

Deloitte has described internal audit as a third line of defense for organizations after the information technology function and risk management group. “Internal audit should play an integral role in assessing and identifying opportunities to strengthen enterprise security,” according to Deloitte. This is especially true at a time when organizations face growing legal and financial liabilities for security incidents.

“The internal audit team collects evidence based on the various standards and compliance programs the organization needs to meet,” Hall says. It makes sure that required paperwork from all stakeholders is available and in order. If a particular piece of evidence is not correct or is incomplete, the team goes back to the source and gathers what they need so the problem is addressed before the audit even happens. So, the security team and others involved in the audit process only have to deal with the internal team on a regular basis and never the auditors themselves directly, Hall says.

Not all organizations have the resources required to stand up a formal internal audit team but having at least one dedicated resource who has expert-level knowledge of all application standards and audit requirements can make a difference, Huguelet says. This individual should be focused solely on audits and assessments, both in terms of leading them as well as performing the more challenging analytical work of mapping the underlying standards to one another.  

3. Consider a risk-based approach to audit requirements

Take a risk-based approach to assess organizational exposure to cyber risk and to prioritize the controls and processes needed to mitigate the risk. The approach gives organizations a way to customize their defenses for their specific exposures and to assess and validate the defenses are working as intended.

“Taking a risk-based approach to the types of audits being performed, and at what level each will dig into, is the best way to both avoid audit fatigue and address areas that may already be suffering from it,” Goodwin says.

The approach allows organizations to consider several factors, such as the regulatory environment, the inherent risks that specific business areas face, the effectiveness of existing controls, and issues that might warrant additional attention. “As with most risk assessment processes, there will likely be differences of opinion in the risk assessment results,” Goodwin says. “A formal methodology that uses a blend of qualitative and quantitative measures for each factor being considered will allow all parties involved to understand the thought process [behind the assessment].” 

4. Hire an external auditor that can do multiple assessments

When working with auditors, look for those who can perform multiple assessments at the same time to reduce duplicative effort. Having an audit partner that is accredited to assess all of the cybersecurity frameworks that you are subject to can be advantageous in multiple ways, says Dixon Wright, vice president SOC, ISO, and healthcare services at Coalfire. “This allows you to coordinate all of the audits during one [or] maybe two audit cycles and ensure that evidence is only requested once, data centers are visited once, and personnel are only interviewed once,” he says. “This can significantly reduce fatigue.”

Achieving such audit consolidation and coordination via one vendor can be challenging, though, and especially in the first year, Wright concedes. For example, a security operations center report might have an end-of-calendar-year report date, while a PCI report on compliance might have an end-of-June report date. “Therefore, you would need to conduct one audit early—[leading] to an additional expense—or push one audit back” and impact customer expectation, he says.

5. Be proactive

Security leaders can alleviate the situation by being proactive and getting involved with the enterprise audit department, Goodwin says. “Security will certainly benefit from helping audit understand the security point of view of the control environment [and] provide relevant context so audit can focus their efforts on higher risk areas,” he says.

A primary cause of audit fatigue is overlap in scope and duplication of effort, Goodwin says. Often business units are asked for the same evidence of controls multiple times a year through different audit objectives. As one example he points to access controls being separately tested as part of the organization’s internal audit, then again later in the year for an external audit, then for a third time as part of an attestation report.

Security leadership should work with audit to develop a schedule of review areas to ensure efficiency, Goodwin says. The security and audit groups should review all upcoming audit projects and implement a plan for addressing them, he notes. “If you know there are two or three different audit projects in the next year, security and audit can plan for testing of the overlapping areas to occur simultaneously to reduce duplication of meetings and interviews.”