Generic audits, also referred to as bundled audits, platform-trained auditors, out-of-the-box or pre-built control sets, are an approach to audits where one standard checklist of items is followed.
We offer both generic and tailored audits, while stressing the importance of our clients understanding the difference before deciding.
Generic audits have become more common with security and compliance platforms that automate some of the compliance monitoring activities. These platforms benefit commercially the more audit firms use them, and they work like a marketplace to sell those audits at reduced rates. They use a pre-set list of controls for those auditors to follow. Auditors that follow the generic approach can offer it in bundles. There are no signs yet of those being reprimanded under the auditor independence requirements of the AICPA, despite questions being raised across the industry.
We all love to automate things, especially compliance! But the important thing to consider is that security and compliance can’t be fully automated. Over 90% of security breaches have a human element, and compliance is more focused on organisational governance than it is on the technical practices that can be automated.
So what does the generic approach really mean in practice?
Depending on the platform or audit firm, there’s one list of 70, 80, or some other number of controls. And each business needs to prove they meet those controls. It’s generally designed to be a bare minimum, which leaves little wiggle room for deciding not to implement them, and audit firms that lower commercials for this approach generally don’t offer any flexibility.
Here are the pros and cons of a generic audit:
Pros:
- Lower cost
- Fewer items to consider
- Less reliance on quality of auditor
- Some security and compliance activities are generic
Cons:
- Separation of compliance and actual business operation
- Security gaps that may surface in enterprise due diligence or security events
- Additional work aligning to generic requirements without leveraging other existing practices
- Harder to uplift later
- Lack of auditor understanding of the business
We’ll look at a few example areas to highlight these differences.
Employee security practices
Over 90% of security breaches have a human element, so this is a big and increasingly important area of focus for security and compliance. Security requirements and policies that apply to employees vary broadly. The paradox for modern, automation-first companies is that the automated approach here is more restrictive than the manual, behaviour-focused way, so it’s important to strike the right balance. The implementation of security practices should really be risk-based. That isn’t a feature of generic audits, which scratch the surface of this topic by looking at the basics: acceptable use policy, security awareness training, and endpoint device tracking.
The risk-based, tailored approach looks at the factors that determine the right approach. For example: do you allow bring-your-own-device? Do you have an office, remote working, or both? Is data stored on endpoint devices? What data? What’s the nature of systems accessed from those devices?
A generic policy, a generic audit, and skimming over these design considerations may mean you do one thing to tick a compliance box while managing separate processes to actually address these risks. Or it might leave a gap: a security weakness that an enterprise customer may raise, leaving you scrambling to address it or falling short of their standards. And building your business on this generic approach makes it harder to improve and re-establish later - it’s easier to lay the right foundations early.
Security configurations
Continuous monitoring of cloud security is a popular topic that in large part led to the increase in generic audits. For years auditors have treated security practices like encryption, firewalls and system monitoring as binary controls: you either have them or you don’t.
However, in the real world they are not binary. And that’s where continuous monitoring solutions diverge into two camps.
- Security monitoring tools like AWS Security Hub and Cloud One Conformity (acquired by Trend Micro) look at detailed configurations to give best-practice recommendations for hundreds or even thousands of configurations. These apply according to the cloud architecture and its multiple accounts, databases, and other varying system components.
- Compliance monitoring tools like Drata and Vanta take the auditor’s perspective, classifying each part into a binary outcome and confirming that it is maintained over time. For example, database encryption is either on or off, without necessarily identifying how many databases there are, what types they are, where some are not encrypted, and whether that matters, as they may be non-prod or not hosting sensitive data.
The challenge with security monitoring for auditors is that the software does a great job at identifying improvements. That makes it hard for some auditors (not us) to draw a line on what’s enough for compliance. Compliance software only shows the surface-level result, which is easier for auditors to sign off but can leave other security gaps and weaknesses hidden.
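The difference between the binary view and the per-resource view can be shown on a small inventory. The following is an added example, not code from this article or from any of the products named above; the inventory is constructed, and the production-only scope and the severity rules are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Database:
    name: str
    engine: str
    env: str         # "prod", "staging" or "dev"
    sensitive: bool  # holds customer or personal data
    encrypted: bool  # encryption at rest enabled

# Constructed inventory for illustration; not output from any real tool.
INVENTORY = [
    Database("orders-primary", "postgres", "prod", True, True),
    Database("orders-replica", "postgres", "prod", True, True),
    Database("analytics-copy", "mysql", "staging", True, False),
    Database("ci-fixtures", "postgres", "dev", False, False),
]

SEVERITY_ORDER = ("high", "medium", "low")

def binary_control(inventory, scope=("prod",)):
    """Binary view: one pass/fail bit for 'database encryption is on'.
    Assumption: only environments listed in `scope` are evaluated."""
    return all(db.encrypted for db in inventory if db.env in scope)

def detailed_findings(inventory):
    """Per-resource view: rate each unencrypted database by what it holds."""
    findings = []
    for db in inventory:
        if db.encrypted:
            continue
        if db.sensitive:
            severity = "high"    # sensitive data unencrypted, in any environment
        elif db.env == "prod":
            severity = "medium"  # production system without sensitive data
        else:
            severity = "low"     # non-prod and no sensitive data
        findings.append((db.name, db.env, db.engine, severity))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[3]))

def coverage(inventory):
    """How many databases exist and how many are encrypted."""
    encrypted = sum(db.encrypted for db in inventory)
    return {"total": len(inventory), "encrypted": encrypted,
            "unencrypted": len(inventory) - encrypted}

if __name__ == "__main__":
    print("binary control (prod scope):", binary_control(INVENTORY))
    print("coverage:", coverage(INVENTORY))
    for finding in detailed_findings(INVENTORY):
        print("finding:", finding)
```

With this inventory the binary control passes, while the per-resource view surfaces a staging copy of sensitive data that is unencrypted and a dev database where the same setting carries little risk.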
Governance
Standards are often referred to by their primary purpose, like information security, privacy, or X regulation. But one thing almost all standards require is good governance that supports those other objectives. Of course these elements can’t be automated and aren’t generic in nature because they’re the leadership, management, advocacy, culture and behaviors of an organisation.
The specific practices that fall under governance include Board and management meetings, company communication methods, information tracking systems, engagement with customers and users of your services, setting objectives and monitoring and managing performance.
The generic approach cuts back these areas, defines them at a high level to avoid needing to adjust to the specifics of how they work, and ultimately treats them as a box-ticking activity. These are some of the areas where businesses get value from auditors who see various ways to manage these activities and can find the best fit for their culture and objectives.
Which approach is best for you?
We generally advocate for the tailored approach. However, that way can be unnecessarily painful with some audit firms. Or you might have a small budget before onboarding enterprise customers, and the generic approach is the only way to get a foot in the door with your first step of compliance sorted. The tailored approach sets you up better for longer-term success, for future requirements and other standards, and with real benefits from compliance that aligns with security practices that address your risks.
A good first step we recommend is using our free software to see what’s involved in the tailored approach. Often our clients find they have a number of things already in place. Being able to leverage your own way of managing things can be a big boost to your compliance program.
About AssuranceLab
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2, and more!). Our award-winning, free software has helped over 500 companies prepare for their compliance goals. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.