
Enterprise Security: Cheating on Your IT Security Audits


I recently read a good article on IT security audits that I thought many readers would find interesting. Cheating on IT audits by IT staff is not unheard of to most of us in the auditing business. However, it is a taboo subject that rarely gets any media attention and that few ever discuss in public. Whenever we auditors perform an audit, all the information provided to us is accurate, never doctored, produced within the time frame and scope of the audit, and properly authorized by management (if you believe this you may be on drugs). Cheating on audits, on purpose or out of ignorance, is common, and this is one of the reasons we have to verify the authenticity and relevance of the samples and evidence provided to us before we can accept them.

The article reports that 20% of the 151 IT security professionals polled at a major information security conference admitted to cheating on IT security audits of firewalls. Although this sounds like a high figure, and I have never investigated this in any formal way, I will venture to say that in the "field" the number is probably higher than 20%. Here is an excerpt from the eWeek Security Watch article, which you can read in its entirety by clicking the link at the bottom of the post:

“An audit isn’t worth much if the people doing it are cutting corners. Unfortunately, a survey by the folks at Tufin Technologies suggests many IT pros may be doing exactly that.

The survey, which was conducted at the InfoSecurity Europe 2009 Conference in April, took opinions from 151 IT security pros. The aim was to determine companies’ approach to firewall auditing and management.

What Tufin turned up was that 20 percent of the respondents admitted they or a colleague had cheated on an audit to get it passed. The company did not ask specifically how they cheated, citing time constraints. But if applied generally, it could be there are many networks operating a false sense of their own security posture.

Going deeper, 9 percent of the respondents admitted that they never bother to check and audit their firewalls at all….”

To continue reading this interesting story, please click the link below:

What do you think? Am I stretching it by thinking that the real figure may be higher than 20%? Leave a comment (anonymously if you like).

  1. October 29, 2009 at 4:43 PM

    I don’t think you are stretching by stating you think the percentage is higher. You are a logical thinker. And logically:
    …there are more than 151 IT Security professionals today
    …and an IT Security Audit entails more than just firewall auditing.

    Makes one wonder how many of those polled were not truthful in their responses.

    “Ignorance of the law is no excuse.”
    Although I would consider both of the following instances cheating, I wonder how many of those polled knowingly falsely report versus those that cut corners out of ignorance or inexperience…as in not conducting a full or proper audit. Do you see where I’m going with this? Your thoughts?


  2. October 29, 2009 at 6:28 PM


    You make me laugh. I could not resist asking the question because I have met many CIOs and IT Managers who swear on the Bible that they have never, ever, met anyone who has cheated during an IT Audit. Even funnier is the fact that I’ve found evidence of cheating by these very persons who swear it does not happen!

    In terms of why it occurs. I think it ranges all the way from innocent ignorance (ignorance of the law as you point out) to malicious intent against the company and/or auditor. I have also found that those who do not have an understanding of what an audit is, why it has to be done and what it should achieve, are the ones who fight it the most. These folks take it personally and erroneously act as if some part of their “manhood” or “womanhood” is being challenged by the process and the auditor. You can imagine what a pain in the neck it is to deal with these folks, but this is part of what we have to do to get our jobs done.

    Then there are the paranoid Managers, who are paranoid because they are usually borderline incompetent, but have managed to conceal this fact because they work in groups where no one is looking very hard, or because they are someone’s favorite pet. These folks are genuinely terrified of audits, not from a SOX perspective, or an operational perspective, but because the auditors will uncover their incompetency and will bare it for all to see. These Managers are, from my experiences, dangerous and highly prone to cheating on all sorts of things, including audits. These are also the same folks who make the loudest accusations against auditors, usually claiming that the auditors don’t know what they are doing! It is amazing to realize that almost all large organizations have these types of managers, and how well they are compensated for their hooliganism.

    In places where the CIO and IT Managers are familiar with the IT Audit process, and the company culture tends to be forward looking and desires to learn from mistakes, so it can improve things, there is hardly a problem during the audit, and cheating is rare.

    In the end, the audit is a tool for improvement and a confirmation that IT Management is serious about how it conducts its business. We human beings are imperfect and sometimes do silly things. Cutting corners, forgetting, acting in anger, getting paid to do or not do something, or simply not caring, are part of the package. Those are some of the reasons why auditors have jobs, fraud examiners are busy and lawyers make so much money!

  3. Doc
    November 4, 2009 at 2:12 PM

    Joel, I think your notion that the number may be higher than 20% is spot on.
    I’m thinking more like in the 40-50% range, and even that might be wishful thinking. I think part of the problem is that much of upper management really doesn’t understand a lot of what their IT gurus do, how they do it, or sometimes even why. Most are probably (at least had better be) aware of the SOX requirements, but take it on blind faith.

  4. November 26, 2009 at 4:53 AM

    Nice post.

    I agree with the previous comments. As an experienced IT Auditor I can attest that cheating is rampant even at the highest levels. Most CIOs consider IT Auditors as intruders and pests to be gotten rid of any way possible. For them, good IT Auditors are those who play the game, act stupid and only report convenient findings. To make things worse, this is not a secret in most places!

