The “fear” of being audited

Today’s guest is Greg Wilshusen, director of Information Security Issues, at the Government Accountability Office.  When  the typical citizen hears the word “audit” there is certain association with Torquemada and the Spanish Inquisition.  A similar reaction occurs when a federal information professional learns that the GAO will be making a visit.

The reason Wilshusen is in the studio is to dispel some of the fear and trepidation that may occur if your agency gets a letter from the GAO.

First all, they do not act capriciously in targeting organizations. They are the agents for Congress.  When a Congressional committee sees something that doesn’t look good, they will ask the GAO to do an investigation.

Secondly, (with the possible exception of some members of the intelligence committee) the GAO acts in a transparent fashion.  An agency will get an initial meeting and a final meeting with its report.  There is no J. Edgar Hoover secret file for these inquiries.

Finally, you may be shocked to learn that Wilshusen estimates that as many of 90% of the GAO’s recommendations in the area of cybersecurity are implemented after the review.

If you are looking over your shoulder and need some guidelines for a cybersecurity audit, listen to Greg Wilshusen.