Alexander Stangl on Rethinking Audits: From Compliance Checklists to Security Enablers

Early in his career, Alexander recognised a duality in compliance requirements: ensuring adherence to mandatory regulations while also uncovering opportunities for organisational improvement. 

This vision marked a significant shift from traditional audits, which often focused solely on ticking boxes on a compliance checklist.

Alexander argues that a rigid adherence to control frameworks can be counterproductive. Instead, he advocates for a deeper understanding of the intent behind the requirements. By viewing compliance standards as opportunities for interpretation, organisations can develop a more flexible and effective security strategy.

This approach goes beyond simply identifying issues during audits to turning audits into security enablers. 

The true value of audits lies in resolving issues and preventing them from recurring. By focusing on root causes, implementing controls that mitigate risks, and following up on issues, organisations can achieve a more robust security posture.

What do you do when vulnerabilities extend far beyond an organisation’s walls, as is the case with today’s ever-expanding supply chains?

There is no straightforward solution to overcoming the lack of transparency and control that complex supply chains introduce, and there are no comprehensive standards in this respect.

However, Alexander believes companies need to be more willing to invest in resources for supply chain management. While in some industries, like the automotive one, supply chain management is a given, it’s yet to be adopted in the software industry.

Alexander favours on-site audits, when possible, to examine issues behind “closed doors”.

He also recommends focusing on core principles: understanding assets, conducting a business impact analysis (BIA), and ensuring the testing of Business Continuity Plan (BCP) and Disaster Recovery (DR) plans.

Work with management to develop strategies for understanding and managing supply chain risks. This might involve conducting audits of key vendors or implementing processes to ensure suppliers adhere to robust security practices.

External consultants often focus on completing their contracted work and delivering reports, with limited follow-up on corrective actions.

Internal audits can take a more comprehensive approach by:

• Dedicating resources to follow-up on corrective actions.
• Holding departments accountable for completing actions on time and ensuring they are sustainable improvements.
• Focusing on high-risk findings to prevent recurrence.
• Aligning audit efforts with the organisation’s vision, mission, and strategy.

The value of an audit lies in verifying the effectiveness of corrective actions and ensuring they are implemented sustainably. Some companies fail to grasp this concept, Alexander believes.

Static, one-off audits have limitations, especially given the dynamic nature of the threat landscape.

A continuous auditing approach allows organisations to regularly assess controls and processes and proactively identify and address emerging risks before they become major security incidents.

Alexander’s approach fosters a more collaborative relationship between internal audit and other departments within an organisation. By working together to identify and address security risks, internal auditors can become valuable partners in an organisation’s overall security strategy. 

This shift in mindset benefits everyone –  it strengthens security, improves compliance, and ultimately helps the organisation achieve its goals.

Jonathan Lipton, IT Director with over 25 years of experience, proposes a similar approach in his conversations with Roscoe Platt, VP of Client Services at Chaleit, in this interesting piece: Lessons in Audits and Cyber Security.

What are your thoughts on this paradigm shift in auditing? Let’s connect and continue the conversation. 

If you’d like to learn more from top industry experts, check out our blog and YouTube channel.