In Depth

Here Come the Auditors: Judgment Calls

Regulations such as Sarbanes-Oxley are sending auditors to the pencil sharpener. CSOs must learn to cooperate and share expertise, without getting too close to these empowered examiners.

By Malcolm Wheatley

Page 4

What's more, he adds, proactive cooperation (as opposed to begrudging compliance) is a smart move in terms of minimizing the adverse impact of any security demerit that Audit identifies. There's always a question of how much information to volunteer, says Pomerantz. "We've always found that the best policy is to be open and honest. These guys aren't dumb, and if you've got an exposure, they are going to find it. The relationship is going to get much more adversarial if they write it up as a problem that they've found and that you've denied, and that now you're going to have to fix it."

Strategy No. 2: Document Everything

Auditors love paperwork, and CSOs must acquire the taste too.

"In the Sarbanes-Oxley environment, it's more important than ever before for CSOs to pay attention to detail and to document that detail," says Pierini.

In other words, auditors can't audit something that is in people's heads, or something that people say they would do in a specific set of circumstances; instead, they want to audit written plans and procedures.

"If, for example, there's a threat to the company, or to an employee, it's important to document both the threat and the response, and to use the response to develop and build upon contingency plans," Pierini advises. "If someone is threatening a branch [office], make sure that you have a documented set of policies and procedures to cover every eventuality, together with set escalation points."

Don't forget, too, that audit can be used after the event, as well as before it. So if you have plans and procedures, it's important to follow them and to make sure that others follow them. "If something happened and audit said, 'Why did you call in an unarmed security guard rather than an armed security guard?' then you need to be able to answer that question."

Strategy No. 3: Trust But Verify

For the security-audit relationship to work properly, there needs to be cooperation and trust. But CSOs also need to exercise an essential element of judgment. It's one thing for audit to identify an issue; it's quite another for there to be a significant or unacceptable risk attached to that issue.

"Security decisions should be made on the basis of probabilities and risks, and investments made to minimize those risks," says Heim, of McKesson. "But meeting compliance requirements also involves making investments. And those investments may not map onto where the biggest risks lie." E-mail encryption is a case in point, he says. "There really aren't examples of people intercepting e-mail on the Internet, but huge amounts of money are still being spent guarding against it."
