Be Wary of Requests for Mystery Data
Software auditors such as KPMG, Deloitte and PricewaterhouseCoopers like to have things their way. It is an understandable impulse: with hundreds of audits likely pending at any one time, the natural inclination is to standardize on the single set of tools and processes the auditors know best. However, those tools and processes are often a poor fit for the audited business, for reasons that are sometimes technical and sometimes legal.
A good example is the practice of some auditors of asking audited companies to run one or more automated scripts, often proprietary to the auditors, that gather the network and system data the auditors believe to be relevant to the audit. The scripts are typically configured to produce output that the auditors' other tools can read directly, and, when they work, they gather that information relatively quickly and unobtrusively.
However, audited companies must take steps to protect themselves before allowing third-party software tools to run in their network environments, especially if they store sensitive, personal or trade-secret data on their systems. A script the company has not examined is a script whose behavior the company cannot vouch for: it does not know in advance what the script reads, what it writes, or where the results go. For that reason, it makes sense to decline requests to run such scripts absent a reasonable opportunity to test their functionality, for example in an isolated test environment where the company can observe what the scripts collect and where they send it before anything is run on production systems. In some cases, a company may also want to insist that the auditors accept responsibility for any damage or data loss that results from the use of the scripts. (Bear in mind that few software license agreements obligate a licensee to deploy specific tools in the event of an audit; "reasonable cooperation" does not mean "rolling over.")
Equally important, the auditors' scripts and other automated tools often produce output files that the auditors' proprietary tools read easily but that are impractical, or even impossible, for the audited business to review before submission. We always advise our clients to be very wary of agreeing to provide data about their computer networks when they cannot first review that data for accuracy or for the presence of confidential or out-of-scope information.
If the auditors cannot present the report contents in a form that a person reviewing them independently can understand, then it makes sense to explore alternatives to collecting the requested data, such as supplying the same information in a documented, human-readable format that the company generates and reviews itself.