Posted by Chris McClean on September 9, 2009
Two weeks ago, I commented on the changing role of the risk management professional, and thought it would be worthwhile to spend a few moments discussing the auditor as well. In a contest of which job is likely to see more change in the next two years, I would expect a photo finish.
Over on the Institute of Internal Auditors (IIA) site, Norman Marks started an interesting discussion about continued fallout from the Heartland data breach. In a Q&A interview with CSO Online, an understandably defensive CEO Robert Carr states that the company’s Qualified Security Assessors (PCI auditors) were worthless and gave them false reports for the previous six years suggesting that their security systems were just fine. I don’t think we need to dwell on the concept that compliance with security standards does not equal total security; however, this does bring up a more interesting debate about the role of the auditors.
As expectations for greater corporate accountability and disclosure continue to mount (some would say more slowly than expected), audit reports are going to be set under the most finely tuned of microscopes to be examined for accuracy and thoroughness. Two of the most important questions auditors will have to answer will be:
If this information is not clear, both sides are left exposed. Would an auditor be demonstrating additional value and good faith by calling out other possible issues outside of their official report? Yes. However, it would be unfair to expect them to volunteer information that is beyond their defined scope... there is more than enough pressure as it is to get that right.