“All warfare is based on deception.” – Sun Tzu

According to ISACA, an auditor’s role is to “provide independent assessments and opinions on company operations and controls.” In some organizations, the auditor is embraced as a positive role in IT governance. Unfortunately, there are those who view auditors in a negative light. This attitude is often manifested in poor auditee-auditor relationships that must be managed carefully.

Unfortunately, there are instances where an auditee will try to deceive the auditor. A cross-industry survey of 150 IT managers and technical staff showed that 20% of that population either admitted to cheating on an IT audit or knew someone who did. Ruvi Kitov, CEO of Tufin Technologies, noted that the rate of auditor deception is likely higher than the survey suggests. Andy Bokor, COO of Trustwave, added that some IT professionals respond to compliance pressures by describing their environments in a positive, yet false, light.

The RMA Journal suggests some tactics that auditors should employ to recognize attempts at deception.

Due Diligence

The auditor must confirm that what he or she is told conforms with the system or business reality. Information provided by an auditee should not be taken as gospel. The auditor must ensure that all audit artifacts are accurate and true.

Review existing controls

A strong control environment makes deception more difficult. By the same token, a lack of controls increases the chance that deception will succeed. The auditor must ensure that controls such as proper oversight, segregation of duties, and access controls are in place. If they are not, the auditor must be cognizant of the related risks.

Corroborate all documents provided by the auditee

Skilled professionals intent on deception are capable of fabricating convincing documents. An auditor must understand the process behind the creation of a document in order to validate it.

Auditors must apply professional skepticism in their relationship with auditees.
This mindset echoes Sun Tzu’s contention that one should not assume they will not be deceived by a potential opponent. Therefore, one must understand how to confirm all they are told.