In my experience, being an external auditor is kind of like being a parent. Because the job is centered on compliance, there are a lot of rules you must enforce and policies that must be adhered to. If you’re good at your job, there is a good chance your clients secretly (or outright openly) hate you.
You also get asked “why?” all too frequently: “Why is this an exception?” “Why is this a high risk?” “Why does it matter if XYZ control failed twice in the last 365 days?” Except that, as an auditor, your response to these questions cannot be “Because I said so!”
As an auditor, you have to determine which areas or systems need to be tested in the current year. You also need to determine how bad the bad things are when testing does not go perfectly. In order to do so, you must categorize risks as high, medium, or low. And if there is not a persuasive enough reason to consider the risk low, it had better be high. Better safe than sorry.
So, really, given the methods used to determine the risk ratings and the areas to test, your honest answer to those questions is “Because I said so!” But it does not have to be.
Nobody wants to be the “bad guy” when it comes to parenting, and it is the same with audit. You want to be able to confidently tell your client exactly why their risk is or is not acceptable and even have data to back it up. When I left my career as an external auditor to become a Risk Consultant, I learned there is a way to do exactly that: The Factor Analysis of Information Risk (FAIR) model.
The FAIR model allows you to define and measure risk in objective, quantifiable terms that everybody understands (dollars and cents). Using this method, the risks can be compared “apples to apples” to determine which are the highest concern and as such, can be categorized and evaluated appropriately.
In addition, rather than having only three buckets in which to categorize risk, which ultimately leads to a large portion of risks being rated “high”, FAIR allows a higher degree of precision in risk measurement, meaning that management and the board no longer need to work out which high is the highest high and which remediation to tackle first.
Further, the risk can be communicated effectively across all stakeholders – the audit team, management, and the board. By adding rigor and objectivity to your risk ratings, you can now confidently answer all of those “why” questions in financial terms, using a data-driven, rigorous, and defensible model.
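As an added example (not code from this post or from RiskLens), the following Python sketch shows the kind of calculation behind the dollars-and-cents comparison: FAIR's top-level decomposition of risk into Loss Event Frequency and Loss Magnitude, each estimated as a (minimum, most likely, maximum) range, run through a Monte Carlo simulation to produce an annualized loss distribution per scenario. The two scenarios, their ranges, and the choice of triangular sampling for the ranges and Poisson sampling for the yearly event count are constructed assumptions for illustration, not figures from the page.

```python
# Added example, not from the post or from RiskLens: a minimal FAIR-style
# Monte Carlo that turns range estimates into annualized loss in dollars,
# so two risks can be compared directly instead of binned as high/medium/low.
# Scenario names, ranges and sampling choices below are constructed.
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    lef: tuple  # Loss Event Frequency per year: (min, most likely, max)
    lm: tuple   # Loss Magnitude per event in dollars: (min, most likely, max)


def draw_triangular(rng, estimate):
    """Sample a (min, most likely, max) estimate as a triangular distribution."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)  # stdlib argument order is (low, high, mode)


def draw_event_count(rng, rate):
    """Number of loss events in one simulated year: Poisson(rate), Knuth's method."""
    if rate <= 0:
        return 0
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate(scenario, years=10_000, seed=42):
    """Simulated loss (dollars) for each of `years` independent years."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(years):
        # One year: draw a frequency, then that many loss events, then sum their magnitudes.
        events = draw_event_count(rng, draw_triangular(rng, scenario.lef))
        annual_losses.append(sum(draw_triangular(rng, scenario.lm) for _ in range(events)))
    return annual_losses


def summarize(scenario, years=10_000, seed=42):
    """Expected annual loss plus percentiles, the numbers a board can compare."""
    losses = sorted(simulate(scenario, years, seed))
    pct = lambda p: losses[min(len(losses) - 1, int(p / 100 * len(losses)))]
    return {
        "name": scenario.name,
        "mean": statistics.mean(losses),
        "p50": pct(50),
        "p90": pct(90),
        "max": losses[-1],
    }


def rank(scenarios, years=10_000, seed=42):
    """Scenarios ordered by expected annual loss, highest first."""
    return sorted((summarize(s, years, seed) for s in scenarios),
                  key=lambda r: r["mean"], reverse=True)


# Constructed scenarios; the ranges stand in for calibrated estimates from the business.
SCENARIOS = [
    Scenario("Ransomware on file servers", lef=(0.2, 0.5, 1.5), lm=(150_000, 600_000, 3_000_000)),
    Scenario("Lost unencrypted laptop", lef=(1.0, 3.0, 8.0), lm=(5_000, 20_000, 80_000)),
]

if __name__ == "__main__":
    for r in rank(SCENARIOS):
        print(f"{r['name']:28s} mean ${r['mean']:>12,.0f}"
              f"  p50 ${r['p50']:>12,.0f}  p90 ${r['p90']:>12,.0f}")
```

Both scenarios would plausibly land in the “high” bucket of a three-level scale; the simulation instead answers “which high is the highest high” with an expected annual loss and a 90th-percentile bad year for each, in the same units, which is what makes the ranking defensible when the “why” question comes.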
RiskLens is the only cyber risk management software purpose-built on FAIR, the only international standard quantitative model for cyber security and operational risk. The influential Gartner IT consultancy just named risk quantification as a “critical capability of integrated risk management.” Thirty percent of the Fortune 100 companies use FAIR analysis; the FAIR Institute has 3,000 practicing members, including many IT risk auditors.