


Countering Auditor Deception

Jun 01, 2009 | 2 min read
Careers | Data and Information Security | IT Leadership

“All warfare is based on deception.” – Sun Tzu

According to ISACA, an auditor’s role is to “provide independent assessments and opinions on company operations and controls.” In some organizations, the auditor is embraced as a positive role in IT governance. Unfortunately, there are those who view auditors in a negative light. This attitude is often manifested in poor auditee-auditor relationships that must be managed carefully. Unfortunately, there are instances where an auditee will try to deceive the auditor.

A cross-industry survey of 150 IT managers and technical staff showed that 20% of that population either admitted to cheating on an IT audit or knew someone who did. Ruvi Kitov, CEO of Tufin Technologies, noted that the rate of auditor deception is likely higher than the survey suggests. Andy Bokor, COO of Trustwave, added that some IT professionals respond to compliance pressures by describing their environments in a positive, yet false, light.

The RMA Journal suggests some tactics that auditors should employ to recognize attempts at deception.

Due Diligence

The auditor must confirm that what he/she is told conforms with the system or business reality. Information provided by an auditee should not be taken as gospel. The auditor must ensure that all audit artifacts are accurate and true.

Review existing controls

A strong control environment makes deception more difficult. By the same token, a lack of controls increases the chance that deception will succeed. The auditor must ensure that controls such as proper oversight, segregation of duties, and access controls are in place. If they are not, the auditor must be cognizant of the related risks.

Corroborate all documents provided by the auditee

Skilled professionals intent on deception are capable of fabricating convincing documents. An auditor must understand the process behind the creation of a document in order to validate it.

Auditors must apply professional skepticism in their relationship with auditees. This mindset echoes Sun Tzu’s contention that one should not assume they will not be deceived by a potential opponent. Therefore, one must understand how to confirm all they are told.


Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups including the IPv6 transition team, the Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security, combining his experience as a security consultant, an IT Auditor and a systems engineer with principles from behavioral/organizational psychology to address security challenges. He is a syndicated blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit.