
Top 3 Reasons Why Compliance Audits are Required

Level 11

With the continuous increase in the number of security breaches every year, it would be critical for you to take a closer look at the few things that you can do from an IT security standpoint to minimize the risks. One of the key steps towards this is complying with industry-specific regulations like SOX and HIPAA/HITECH and having third-party organizations conduct audits for key systems and controls.

Why do audits matter?

Compliance with data security standards can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences. This involves identifying and prioritizing the strategic objectives and managing the business across people, processes, information and technology to realize those objectives. It also impacts day-to-day operations, which in turn affects troubleshooting and system availability.

Being in line with IT compliance regulations such as PCI DSS, GLBA, SOX, NERC CIP, and HIPAA requires businesses to protect, track, and control access to and usage of sensitive information. Let us have a look at some of the top reasons as to why to audit:


You may be working with clientele spread across industries, and these audit reports really matter to them. For example, financial services organizations tend to request these reports at the beginning of every year, whereas healthcare groups would need their audit reports later in the year for their own auditing purposes. These reports have a direct impact on their productivity, sales and reputation.


Let us consider HIPAA compliance as an example. The core focus of HIPAA compliance is to protect the confidentiality, integrity, and availability of electronic protected health information, or “ePHI.” Failure to comply with HIPAA’s regulations carries serious consequences for any business that interacts with ePHI, including criminal sanctions, civil sanctions, fines and even possible prison sentences. The guidelines on violations include up to $1.5 million in penalties for breaches.


You need to have visibility over security and compliance, and protection of your data. To ensure this, you need to collect and consolidate log data across the IT environment, correlate events from multiple devices and respond to them in real time. Conducting audits, in a way, sets up a benchmark to implement best practices and also ensures that your organization is in line with the latest technology trends.

As an interesting statistic, it is expected that the number of targeted attacks is likely to increase in 2014 and this forecast is based on the continuously growing number of DDoS attacks over the last couple of years. Hackers might move away from high-volume advanced malware because the chances of it being detected are high. Still, the lower-volume targeted attacks are expected to increase, especially with the intent of accessing financial information and stealing identities or business data.

With all these set to happen, it is advisable that you ensure more visibility on the devices on your network as a part of your information security measures. Compliance and compliance audits will definitely come in handy as you head further into 2014.

Stay secure my friends!!


Level 15

Good posting.  Thanks for the information.

Level 16

If you are a retailer you can look at your PCI audit as a measure similar to your credit score. The percentage the banks are going to charge you per credit card transaction is directly related to the risk they determine based on your audit results. If you have a bad audit your fees can increase.

Level 17

Good Points! Especially for someone getting into the game!

We audit regularly through outside non-associated third-party contracted solutions, plus continually internally with a specialty application that finds and reports weak passwords, insufficient patch levels, security vulnerabilities--all in addition to NCM's Compliance Reports.

Level 20

NCM helped us replace two products: both Kiwi for config backups and another 3rd-party compliance product.


Agreed, good points here !

Level 14

It's always so difficult to put a cash value on a product or audit, but fees rising because of a score drop is a great milestone.

Did you know there are no standards for PCI auditors and their audits?  There are guidelines, but if you hire an auditor and you don't like their advice or the results of the audit, you can hire a different auditor and get completely different results.

This was a surprise to me when I discovered this, and I've seen three PCI auditors provide services to the same company, and each auditor gave very different ratings.

It appears a company can shop for a softer auditor if they wish, and get the PCI Compliance Scores they want without having to change their internal processes significantly.

This seems to be a hole in the bucket of PCI compliance auditing.  The hard auditors get a reputation and don't get hired through word of mouth.  The easier auditors get the business.  This seems to create a downward spiral in the quality of PCI compliance, and I think there needs to be a hard stop to it.  Gray areas abound, interpretation of terminology and enforcement of a company's PCI Compliance Policy varies widely, and there can easily be a significant amount of non-compliance present since an auditor doesn't get down with a magnifying glass and do a physical inspection to verify compliance policies are actually being used in any given company.

The auditing process could be better, could have teeth.  But don't look for it to improve when folks vote for lower taxes (and corresponding decreases in services), and when a company has incentive to pass an audit without paying for it in the details of actually complying.

Level 16

There are certifications the auditors must have to be able to sign off on an audit and there is a published set of standards.

If the auditor is following the certification process I don't see how any one can be easier than the next?

It's the company's compliance officers job to verify. The auditor is only supposed to make observations, document and file the report.

Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Cre...

Apparently much is subject to interpretation and personal integrity and aggressiveness of any given auditor.  I was surprised when I heard from several professionals that the poorly-kept-secret about passing a PCI audit is finding an auditor who is willing to:

  • Be flexible about interpretations of phrases in a corporate PCI Compliance Policy
  • Not personally inspect at least a representative percentage of actual network/server/security implementations that impact PCI compliance
  • Do what it takes to earn their fee, even if it means their work is not consistent.

Apparently the PCI industry is no different than any other that is responsible for any kind of enforcement / compliance.  It's people being subject to the vagaries of being people, and "Quis custodiet ipsos custodes?"


I guess it also depends what the origin of the audit is and the intent.

If it's a request for an audit you choose the softer auditors, but if there is only a DEMAND for an audit then the more stringent companies get chosen.

Level 20

It's like that in the defense industry too... it all depends on who you get.  It may be tear everything apart and check everything under the sun and you can't fix anything... or it could be a little spot check here and there and you're good.  If they find something wrong they may let you fix it on the spot.  For better or worse this is just the differences of human nature I think.  The worst ones we can get are called no notice, and they just show up without any warning with an entire team!  If you don't score well enough they'll shut you down on the spot.

That makes sense to me.

I'd still like all audits & auditors, no matter the system instigating the audit, to be consistent, and stringent, and thorough.


Auditors are your friends... they help you to be sure you are compliant with various policies, requirements, etc.

Granted most people see them as the enemy.  In many cases, a number of the auditors I have dealt with don't truly understand the tools and technology.

There are times where they want to wiggle down into things that are outside of the scope of their audit....

Level 16

Up until the series of breaches that happened beginning with Target, a lot of IT Security departments focused a lot on the network aspect as well as ID management but did little on the rest.

In my experience it was the auditors that were the first ones bringing to everyone's attention the need for encryption, secure coding, patching, etc... up until that time people were still using telnet, FTP, system accounts, drive shares, etc. and not giving a thought to securing the systems they were responsible for.

So I have to give the auditors some credit.... If we didn't have them, we would never have hired a compliance officer and team to verify that both the IT and Security departments were doing their jobs effectively.

I often find that security is improved because of audits, not because security needs to be improved.


Well written with very valid points. We can push back against audits or we can use it as a chance to improve.