Two weeks ago, I commented on the changing role of the risk management professional, and thought it would be worthwhile to spend a few moments discussing the auditor as well. In a contest of which job is likely to see more change in the next two years, I would expect a photo finish.

Over on the Institute of Internal Auditors (IIA) site, Norman Marks started an interesting discussion about continued fallout from the Heartland data breach. In a Q&A interview with CSO Online, an understandably defensive CEO Robert Carr states that the company’s Qualified Security Assessors (PCI auditors) were worthless and gave them false reports for the previous six years suggesting that their security systems were just fine. I don’t think we need to dwell on the concept that compliance with security standards does not equal total security; however, this does bring up a more interesting debate about the role of the auditors.

As expectations for greater corporate accountability and disclosure continue to mount (some would say more slowly than expected), audit reports are going to be set under the most finely tuned of microscopes to be examined for accuracy and thoroughness. Two of the most important questions auditors will have to answer will be:

What is the scope of the audit? This must include what is evaluated and what is not, as well as what justification exists for including or excluding specific elements.

What are the auditors assessing specifically? This must spell out very clearly the purpose of the audit (e.g., “We are evaluating whether or not these systems are compliant with PCI; no other opinions should be inferred from this report”).

If this information is not clear, both sides are left exposed. Would an auditor be demonstrating additional value and good faith by calling out other possible issues outside of their official report? Yes.
However, it would be unfair to expect them to volunteer information that is beyond their defined scope… there is more than enough pressure as it is to get that right.