The existing ways that organizations vet third parties such as cloud service providers are missing a critical element. They lack a barometer that shows the corporate culture, the tone at the top or the organizational leadership’s attitude toward internal controls. The customary tools used for vetting third-party organizations—such as a review of documented information security and privacy policies and procedures, a review of the organization’s past breach history as reflected in public disclosures, a review of security certifications, a review of questionnaire responses, audits of the responses provided in questionnaires (sometimes) and a review of references—do not indicate whether the organizational leadership is genuinely committed to a robust information security and privacy program.
It is this tone at the top that is critical because it defines the attitude and the approach that the rest of the organization, and its affiliates, will be using. The importance of the tone at the top was shown in the US Congressional hearings related to the Sarbanes-Oxley Act of 2002 (triggered by the Enron and WorldCom scandals). The tone at the top can be expeditiously reviewed by independent third parties through a compliance audit process.
This compliance audit process can generate a new trust currency—a way to quickly and definitively give third parties confidence in an organization’s overall ability to manage and govern both information security and privacy. This audit process involves the use of an independent attorney. Such an attorney, a lawyer auditor, first compiles an independent collection of all the laws, regulations, court decisions and contracts to which the directors and officers of the organization in question are subject to. This lawyer auditor then determines whether the directors and officers at the auditee organization have met their minimum fiduciary duties required by law and this collection of requirements. The evidence examined is at a high level, and it typically includes the crisis management system, the third-party breach-related communications system, the internal compliance reporting system and the risk management system. The result of this type of compliance audit, which I call a duties audit, is a one-page professional opinion indicating whether the directors and officers are in compliance in all material respects.
At least the first time it is performed, this type of a compliance report can be used strictly for internal purposes, such as to inform the directors and officers about the remedial actions still needed to obtain a fully compliant professional opinion in the future. In addition, internal use of this audit process can generate evidence that might later be used in a court of law as evidence that could exonerate either the organization or the directors and officers.
However, when shared with third parties, this type of audit also is a powerful way to obtain trust. Such a compliance audit is warranted for any high-impact value transaction (mergers and acquisitions, major infusions of capital and major loans), high-criticality relationship establishment and renewal (outsourcing contract signing, business partnership contract signing and the annual renewal of such contracts) and high-consequence data exchanges (disclosure of a trade secret to a third party or connection of information systems to an outside organization when one handles national security information). Such an audit can be performed in a few weeks, so it can readily be built into the process for closing a major transaction, such as inclusion in the due diligence process used by a venture capital firm considering a multimillion-dollar investment in an enterprise.
This audit process is an excellent candidate for a trust currency—a widely recognized and standardized token by which trust in a particular organization can be measured. Since it is patterned after the existing process used by certified public accountants (CPAs) when they review the financials of a publicly listed enterprise, this new process benefits from the decades of practical experience surrounding the financial audit process, and it can therefore be placed into service immediately.
Such a duties audit is also universally applicable. Every organization must meet the minimum requirements of the law and is therefore required to meet the audit criteria used for such a compliance audit process. This means that the results can be used as a universal threshold condition for decision-making purposes (e.g., whether to enter into, or perhaps renew, a contract with a certain organization).
This result of a duties audit is also easily understood because any person can readily appreciate the notion of being compliant with legal obligations. The rating system employed (basically compliant versus noncompliant) is simple and does not require training, explanation or supplemental caveats.
To further foster trust in the process, the lawyer auditor performing the compliance audit process must be truly independent. They must meet the highest independence screening criteria set by both CPAs and attorneys. Since so much is at risk personally for the lawyer auditor (i.e., they could lose their license to practice law if there was an ethics violation), this independence is significant.
The duties audit methodology is additionally standardized as it uses the existing process that attorneys must follow to render a professional opinion letter. Because the duties audit process is standardized, the people receiving the report can readily determine what steps were taken to generate the professional opinion. This standardized process, accompanied by a standardized professional opinion, enables reliance on the professional opinions as triggers for smart contracts the generation of roll-up attestations. For example, a single outsourcing organization could provide a professional opinion to its customers that includes similar professional opinions from its subcontractors and business partners all rolled-up into a consolidated statement of legal compliance.
However, it is important that the generation of such an audit report does not jeopardize the business decisions or inappropriately change business processes. Because businesses should be compliant with the minimum required by law anyway, all that this audit process does is bring third-party scrutiny to internal activities related to compliance. Although anticipatory changes may be made before such a compliance audit is performed, these changes only bring the auditee organization to where it should be anyway. A related beneficial side effect is that it motivates directors and officers to stay fully compliant year-after-year and, in that respect, helps make sure that information security and privacy budgets are adequate (at least in the eyes of the law). This is because the results of this audit process act as a balancing factor that dampens the otherwise dominating force of financial metrics.
Such a trust currency audit process must also be free from activities that would jeopardize auditee organization systems or data. For example, the audit activities must not crash production systems that generate revenue for the organization. The duties audit process meets this requirement in that all the regular controls surrounding a third-party risk assessment apply (e.g., confidentiality agreements). But there are special additional benefits to using an attorney as the lawyer auditor. When attorneys do this work, they also bring attorney-client privilege and attorney work product doctrine to the project, and the work can be structured so that these legal protections prevent the details of the work from being released to anyone, even in a court of law.
For these reasons, the use of the minimum required by law as the barometer for a compliance audit of the actions taken by directors and officers in the realm of information security and privacy is a good candidate for a new trust currency.
Editor’s note: For further insights on this topic, read Charles Cresson Wood’s recent Journal article, “Adding a New KPI to Determine Whether Directors and Officers Have Met Their Legal Duties,” ISACA Journal, volume 6 2022.