Audits are often misunderstood, frequently disliked, and almost always viewed as a necessary evil — but what if that mindset is holding security teams back? In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Varun Prasad to unpack what audits are actually designed to do: provide reasonable assurance, not absolute security. Drawing on more than two decades of experience across internal and external audits, Varun explains why “auditable controls” are the missing link between fast-moving engineering teams and slow, annual audit cycles — and how organizations can stop treating audits as an afterthought and start using them as a trust-building mechanism.
This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com
Watch more episodes: https://www.compliancecow.com/podcast
Connect With Our Guest:
Varun Prasad | Cloud Security & Privacy Assurance @ BDO
Connect on LinkedIn: https://www.linkedin.com/in/varunprasad/
Rate, review, and share if you enjoyed the show!
Subscribe to Security & GRC Decoded wherever you get your podcasts:
Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683
Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450
Raj Krishnamurthy (00:00)
Hey, hey, hey, welcome to another episode of Security and GRC Decoded. I’m your favorite host, Raj Krishnamurthy. And today I have the pleasure of having Varun Prasad on our show. Varun is an embodiment of audit and assurance. And that’s the way I want to start this conversation, Varun. Over 20 plus years, Varun has had a fantastic stint at companies like Boeing, ArcelorMittal, IBM.
Currently he is a managing director at BDO running audit and assurance for third party attestation. Varun, welcome to the show.
Varun Prasad (00:34)
Hey Raj, thank you so much for having me here. Looking forward to this conversation.
Raj Krishnamurthy (00:38)
What made you an auditor Varun?
Varun Prasad (00:41)
Yeah, I get this question a lot because definitely audit is not a natural profession or natural choice, especially back in the day. I actually came to audit by accident, if you will. I graduated from college with a computer engineering degree and I joined a large steel company for an internship, a software engineering internship. So what happened was, you know,
different interns were assigned to various departments. And as a part of that, you know, call it luck or destiny, I was assigned to the internal audit department as a software engineering intern. And during the first week of my internship, a couple of their audit staff called in sick and there was an important IT audit that was going on. So the manager was like, hey, you come from a pretty strong technical background and I’m sure you should be able to help out with this.
So I was sent as an intern along with one of the audit teams out in the field to do some testing and observe them. And it just started like that one fine day. And then this was around the time when the Sarbanes-Oxley Act had come out. So as I was finishing my internship, I also realized that there was a dearth of talent in this IT audit field because that was year zero, year one of SOX,
and every company was scrambling to find people in this space to help them. So I’m like, okay, why not get into this and, you know, why not try this, because it was going to allow me to stay in touch with technology, continue to learn technology, but do something very different. It seemed very fancy to me because it was not routine, it was not mundane. It was a totally different and new profession at that point of time, which was sort of booming.
So yeah, that’s how I started it and, to your point, I’ve been still doing it after so many years.
Raj Krishnamurthy (02:44)
And so engineer turned auditor, that’s sort of fascinating.
Varun, and I apologize if this may sound downright offensive, but if there is a pecking order of hate, right, within an enterprise, I think auditors are somewhere at the top, right? I don’t know which number it is, maybe next to your own manager, reporting manager, I don’t know what that is. Why is that? Why is there so much, I don’t know if it is the word, mistrust, but there is a lack of understanding of auditors and audit as a function.
Varun Prasad (03:24)
No, you’re right. I mean, definitely audits are not fun. Nobody likes to go through an audit. We get audited sometimes and, you know, I may not like that. That’s not the most favorite time of the year for me. But I think, yeah, the biggest reason is that a lot of people perceive auditors incorrectly. They believe that, you know, the goal of audit is to find
fault with your work or, you know, find issues in the way you’re doing things. Some individuals might tend to take it a bit personally. So that’s why they’re completely resenting auditors. They tend to go into a defensive mindset when they speak with them. And I think that really manifests into this, quote unquote, I don’t know if hate is the right word, but definitely, quote unquote, some sort of dislike or aversion toward going through audits and things like that. Yeah, I think it’s because
the nature of audits is that you have to conduct interviews, you have to ask questions about how professionals and individuals do certain things. How do they go about their documentation, or how do they go about doing certain things as a part of their day to day routine? And people may find it intrusive. They may think that it’s being nosy or they are being told how to do things and
all of that. So I think, because of this whole notion that folks perceive audits to be more of a fault finding exercise, that negativity towards audit builds in. And yeah, we keep getting that always, and that’s something that I think, as part of the profession, we have to deal with.
Raj Krishnamurthy (05:09)
You’re totally right. Nobody likes to be told what to do. In fact, I did not like it when my mom used to say, brush your teeth before your cup of coffee. But I think beyond that, there are some genuine criticisms that I’ve also heard. And I’ve been an engineer myself and I’ve experienced some of that, which is, does audit really add value?
Varun Prasad (05:31)
Definitely, I think audit, if done in the right way, does add value. Let’s probably speak about internal audit, right? I think the IIA, the Institute of Internal Auditors, redefined the definition of internal audit a few years ago, wherein specifically the goal of an audit is to add value. The goal of every audit should be to come up with certain recommendations or certain improvements in the way that you are doing things.
It might be to enhance the quality, it might be to enhance the efficiency, it might be to help achieve better compliance. So the end goal might be different, but yeah, definitely the goal of every audit should be to add some value, provide some feedback or, you know, provide something to the team members so that they can do things better. Technically, that should be the goal, and yes,
audits are of different kinds, but yes, there are audits being done where the goal of those audits is to add value or find out improvement points and things like that.
Raj Krishnamurthy (06:41)
The last time we spoke, you actually briefly mentioned about this airplane analogy. Can you double click on that for our listeners?
Varun Prasad (06:48)
Yeah, I get this question a lot these days, especially from the younger engineers or the younger professionals, questioning the value of an audit, right? They are like, why do I really need to do an audit? What’s going to come out of it? Just because I undergo an audit, does it mean that we are completely secure? Does it mean that audit is going to
take away all cyber incidents? And all of those kinds of questions people ask, which sometimes to me is a bit funny or is very interesting. So yeah, let’s take the case of an airplane, right? I’m sure a lot of your listeners and people know that any airplane goes through hundreds of audits before it’s allowed to fly. Not just an airplane, every single part that is used to build an airplane, it might be a single screw or a single nut,
the way it is manufactured. In fact, some of the tools, the machinery and the software that is used to build an airplane also have to undergo a bunch of checks and quality checks and audits. But airplane accidents still do happen, right? So does it mean that, you know, planes don’t need to go through the certification processes, or does it mean that we should just stop doing all of that? Yeah, so I don’t really think that’s the goal of an audit.
The goal of an audit is really to provide some amount of reasonable assurance and confidence in the whole process. Confidence that there are safeguards and controls, if you will, that are really built into the system. Similarly, yeah, when an airplane is flying, you know, if it’s certified by the FAA and if every part that is used to build an airplane has undergone certain quality checks, we do know that it has been
verified and vetted, so there is that little bit of trust or confidence that builds in. So the goal of an audit is not to prevent any cyber incident; it’s basically to provide some assurance about the level of controls and safeguards that organizations have put in around their systems and data.
Raj Krishnamurthy (09:00)
I think that’s a fantastic point and I want to come back to it.
But before I do that, I want to maybe get your perspectives on the three lines of defense. Who are in each of those, the first and the second and the third line of defense? What role do they play and what responsibilities do they have in each of those lines of defense?
Varun Prasad (09:29)
I mean, it’s a great question. I think it’s important to see that the three lines of defense should complement each other and should not be duplicative of the effort. So if you look at literally the meaning or the theory, every line of defense is expected to have a specific role to play, where the first line of defense is probably ingrained with the operations team or with the product team, if you will.
And the second line of defense is where I believe most GRC teams or security compliance teams may sit. So their role is more of an advisory role, where they work closely with the product teams and probably give them the right input, the right suggestions, and sort of guide them into how to implement the right control for which purpose. And then, yeah, you have the third line of defense, which would be more like your internal audit,
who would be performing maybe frequent reviews and things like that. So I think, in the concept of defense in depth or in the concept of layered compliance, the goal of every line of defense should be appropriately defined and segregated by the management or by your steering committees, if you will, so that it really fits the purpose. I have seen organizations where
the activities are sort of duplicated, where that would really lead to what I call shadow compliance teams or shadow audit teams, where you might have different groups of people doing similar kinds of work, which definitely does not add value in the longer sense.
Raj Krishnamurthy (11:13)
Can we talk about a specific example? Maybe take one example. Where do you think it’s duplicative enough?
Varun Prasad (11:19)
Yeah, like for example, you know, if you have individuals both in your first line and second line doing some kind of compliance reviews or doing some kind of checks, then it becomes duplicative. So I think the role of the first line should be to focus more on the implementation of the controls, and design and build those controls.
It’s in the second line where I believe, like I said, in most companies the GRC teams sit. The second line of defense is where they help provide more of the input and work with them and tell them how does it really fit into the big picture and how do these controls help meet the company’s objectives. So I think that is what happens in the second line. But if we have several teams trying to
implement controls or several teams trying to tap on the shoulder of engineers and tell them something, it’s going to be a case of too many cooks spoil the broth. That’s when, you know, product teams don’t really like it, because their focus is on building features and shipping features to the customers.
Raj Krishnamurthy (12:33)
It makes sense, absolutely makes sense. But yet when you look at the cadence, and I think you made a fantastic point. I mean, if I take Deming’s plan-do-check-act, right? There are doers, there are checkers, and obviously there is a collective responsibility of act that primarily falls on the first line of defense. But if you look at the cadence of each of these lines of defense, in today’s world, all of us have become software companies, all of us have become AI companies, right? And the rate and the clip at which we are releasing products and services, especially in software,
Varun Prasad (12:59)
Definitely.
Raj Krishnamurthy (13:03)
is exploding. So you’re talking about thousands of releases per day per week, right, even in some cases. Yet audits happen once a year at best. And we are doing this through screenshots and very archaic means. How do you think about this cadence mismatch?
Varun Prasad (13:25)
See, audits, again, it depends on what kind of audits we speak about. So if we are really referring to more of an audit for a regulatory purpose, or if you’re doing an audit for a third party purpose, these are meant to happen once a year and cover an entire period. Every audit, a lot of audits specifically, if you want to talk about SOC, which is where I think most companies are really faced with that requirement in today’s day and age.
Most SOC audits have what we call an examination period. So which means we are expected to provide reasonable assurance that controls were working effectively for that period of the audit. So it’s not really point in time. Yeah. So there are two types of audits, point in time audits versus audits that cover a period of time. So when we take the case of point in time audits, we look at how things are, how controls are implemented at that point in time.
You know, we might go look at how configurations look today. I might look at how a specific change or feature was deployed to production in the last week. Those are point in time audits. But when we have audits which are over a period of time, in those cases, depending on what the control is and what the team is testing, we do in fact try to pick multiple changes or multiple samples that occurred over the 12 months
or that six months. Now, yeah, I cannot go test every thousand features, right? We have to have some kind of a sampling methodology in place and take a look at it. And that’s why the goal of these audits is to provide reasonable assurance and not absolute assurance. I think there’s a key difference between these two things. So the user of any audit report or the reader of any audit report should know, and
it’s written in most audit reports very explicitly, that the goal of these audits is to provide reasonable assurance. Yes, to your point, we cannot go look at all thousand features that got shipped or thousand releases that happened. We have to pick a sample of different releases that happened over the months and use that to extrapolate the results, or use that to understand that, okay, they did really have a process in place. And yeah, because of which these audits provide absolute assurance.
Sorry, provide reasonable assurance here.
Raj Krishnamurthy (15:53)
and reasonable
assurance. And you have been both an internal auditor and an external auditor. How do you see those two different roles?
Varun Prasad (15:59)
Definitely, yeah.
I think the goals of both are different, right? I know there are companies where internal audits take up special projects where they are trying to provide assurance over maybe a specific process. Or let’s say a company has implemented a new tool. You want to understand, is that tool really working the right way? Are the product and engineering teams
implementing the features of the tool correctly so that the company will have a good return on investment? These could be types of audits that internal audit teams can work on, or try to find out from a value add perspective: do you have the right return on investment for some of the tools that are being implemented? Is there the right efficiency in the way processes are being done?
However, external audits usually have a purpose. It’s usually for a statutory purpose or for a regulatory requirement or an external standard that has to be met. And that is the biggest reason why most companies invite external auditors to conduct audits at different points of the year. However, like I said, internal audits can be very specific. They can be very targeted. The management of the company can define the scope.
For example, I’ve seen companies, SaaS companies that use maybe AWS and Azure platforms. I’ve seen cases where the management team has requested a specific internal audit to make sure that, from a cost perspective, are they using the cloud platform in the right way? Could they have implemented the solution in a better way so that some of the costs can be cut down?
So that could be the focus of an internal audit, which is very, very targeted, very specific, where you’re looking at something that’s so niche. Whereas for an external audit, the goal is usually because of a legal requirement or a statutory requirement or some standard that the company needs to comply with out there.
Raj Krishnamurthy (18:11)
Okay, and as an auditor, maybe I’ll use this from an external auditor’s perspective: as an external auditor, who do you deal with within the enterprise? Is it the second line of defense? Is it the security and the GRC teams? Or do you directly work with the control owners in engineering, security, or wherever?
Varun Prasad (18:30)
I mean, that’s a great question. I really think it depends upon the culture of the company. It really depends on how an organization is structured and what the local culture is out there. More often than not, we’ve worked with the GRC teams. It’s only in really, really small companies, or very rarely, that we directly interface with the control owners only.
I would say 70, 80 % of the time we work with GRC teams and they help us coordinate the work, or they help put us in touch with the actual control owners, and we work like that. But yeah, usually there’s somebody out there that’s helping us to work. Why? I really think because, to your point, yeah, the first focus of control owners is the control, building things, building the product,
Raj Krishnamurthy (18:56)
Why?
Varun Prasad (19:25)
and not getting involved. If you look at the roles and responsibilities of an engineer, I don’t think supporting audit or being a part of audit is there today, which I think should be added, because, like I said, everyone has their part to do. So definitely, that’s why it’s kind of segregated today.
But again, it really depends upon the culture of the company. More often than not, we work with GRC teams who really help drive things, who really help coordinate and manage the execution of it. They help us connect with the specific control owners as and when required. Yeah, very, very rarely have we directly pinged the control owner with something.
Raj Krishnamurthy (20:12)
And you are an engineer turned auditor. And knowing you personally, I know that you are a very, very technically savvy guy as well. But the constant, maybe I shouldn’t say constant, the complaint that I typically hear from the GRC teams many times is that my auditor is asking for the screenshots. And even if I am willing to move forward with continuous controls monitoring, continuous controls management, using APIs and things like that, I am stuck
operating at the speed at which my auditors operate. Is there any truth to that statement? Am I misrepresenting this?
Varun Prasad (20:47)
So again, it depends on what the audit is. So let us say that for certain audits, we have to look at a specific period of time and we have to collect samples from a specific month or, you know, a specific set of months, even though you might have had continuous auditing, or there might be various mechanisms which internal GRC teams or internal product management teams may have put in place to obtain assurance.
If the goal of a specific audit is to look at samples or look at changes or features that happened in a specific month, we will have to go back in time and look at that.
Raj Krishnamurthy (21:26)
But why screenshots?
Varun Prasad (21:29)
I mean, when I say screenshots, I think that’s really the best way to showcase things, right? Yeah, because I don’t think the kind of technical controls we test can be given in a report or something. So maybe let us say I’m testing a specific financial control, then you can give me a report of all the transactions that happened in a month, or you can give me a report of all transactions over 1 million over a month.
Raj Krishnamurthy (21:33)
You don’t have a-
Varun Prasad (21:57)
But because in IT audits we look at system configurations and we look at how folks did things within a tool, screenshots are probably the best way to showcase it. I can’t ask you for a report of all the changes you approved over six months or whatever. It’s not really easy for every company to pull out.
So I think that’s why the concept of screenshots comes in, because, you know, when I pick 25 samples across one year, we look at screenshots of how every specific change went through the cycle or went through your flow at that point in time.
Raj Krishnamurthy (22:35)
Got it. And let me rephrase the question slightly differently. Given the fact that in today’s age we live in declarative systems, in many of these you can actually define what the to-be state is. And we have automated reconciliation mechanisms like Kubernetes and cloud systems that work on that. And a lot of these are API-driven. And a lot of these products and services have become API first. Why not
look at the entire population of data and consume them through APIs and then derive your sample set, right? Why not do that? Why not rely on APIs? And why not be more focused in terms of what you’re trying to audit for, rather than asking for random samples and screenshots?
Varun Prasad (23:18)
See, what you explained to me looks great, okay? It just sounds so good and so futuristic when you tell me that, but the reality is, yeah, it’s very difficult to implement for all companies, okay? So in audits, one of the biggest things is we want to understand the source where every piece of data is coming from. You talked about screenshots, right? So if you’re going to show me a screenshot of something, we want to understand where it came from.
Raj Krishnamurthy (23:26)
part of running.
Varun Prasad (23:46)
Or to put it in other words, the concept of completeness and accuracy. These are two key terms that you would have also heard a lot in your interactions. So for any piece of evidence that we look at, any piece of data that’s given to us as an auditor, it’s important for us to understand the completeness and accuracy of where that data is coming from. Now, if we start consuming information provided by APIs or start looking at what an API is giving us,
in order to validate the completeness and accuracy of that output that’s come through an API, we have to start auditing the API itself. So we want to first understand how the API was built. What are the underlying data sources the API is talking to? Is the API doing any data massaging or data calculation on top of it before spitting out the final output to us, or what’s really going on?
So if you look at it, this has actually increased the work. Now, if I have to start relying on outputs from APIs or reports from APIs, we have to go in and basically start conducting all controls on the API end to end. So a lot of companies actually believe this is more work. Now they have to not only give us evidence from the specific system they’re auditing,
but they also have to give us evidence about the underlying APIs and the underlying mechanisms that they are using. Yeah, one, this actually does increase the work. So if companies do really see the value in going through that process, and if that’s really going to, you know, at the end of the day, bring in some savings, both for us as auditors and for the company, yes, we can do that.
But yeah, it’s a great concept, but not so easy to implement in the real world as it really seems.
Raj Krishnamurthy (25:47)
But I think what you’re outlining is, obviously, there is an upfront effort, that investment that you need to put in, right, to validate. And I think the good news is that, and this may be complex for, for example, if I built a custom application, right, it may be a lot more complex than out of the box cloud systems, right? For example, AWS, Azure, well-known products and services with very well-published and documented APIs. I think that might make a difference, I’m assuming. Is that a fair statement?
Varun Prasad (26:17)
Yeah, I mean, if it’s a well-known API that has been vetted already or, you know, probably if there is a SOC report for the way an API functions, and if companies are using the same API without further customizations, then maybe yes. But it’s very rare. Maybe I can count on my fingers the companies that are actually doing that.
Should more companies start doing it? Probably yes, but as things stand, yeah, I can probably count on my fingers the companies who are actually using that level of sophistication in order to operationalize controls such that we can really rely on complete automation through APIs to test audits.
Raj Krishnamurthy (26:42)
Got it.
Got it, and I want to come back to this. I want to talk about continuous controls monitoring, continuous controls assurance. But before I do that, are the incentives stacked against this from an auditor’s perspective? What I mean by that is that auditors typically, and I could be completely wrong, are paid in terms of hours, and this could potentially impact your top line, so you’d better resist. Am I wrong?
Varun Prasad (27:26)
No, no, no, definitely not at all. Not all audits, especially in today’s world, are probably paid by hours. Maybe years ago, the typical consultant who you see coming into your office in a full suit with a briefcase, yes, they were probably paid in hours, but no longer these days. It’s all more based on different kinds of fee arrangements that we have. See, the goal of an auditor is we want to make it easy for our clients. We want to make it easy for our customers.
As you mentioned earlier, when we started talking, I do know that no one really likes audits. So our goal is not to stay on for longer and make someone’s life more difficult. We want to get in there, look at the things, and be out as fast as possible. However, there are certain basic principles or fundamentals of auditing, some requirements of these audit standards that we have to comply with. One of them being the way in which we collect evidence,
ensuring the completeness and accuracy of data. So let’s say when I’m speaking to a company and they bring up the concept of continuous auditing or continuous monitoring to me, when we start explaining to them that we want to probably understand the solution that you use for continuous monitoring, we want to understand what are some of those scripts that you’re using, some of the scripts that you’ve implemented to monitor things. So
yeah, that really probably scares them off, because they know that they may need to get more people involved for the audit. They are actually opening up more systems and more processes of their own. So I think that is really the biggest reason why, especially for third party assurance or third party regulatory audits, continuous monitoring and continuous compliance has not become as famous and as prevalent as it should be.
Raj Krishnamurthy (29:21)
No, I think that’s a fantastic point.
And if there are ways to accelerate that and simplify that process, the better we are all off. I think I get that. Now, one question I want to ask you is that, whether it is compliance or risk, and I’m not so much getting into governance, there are two ways to approach this, from what I’ve typically seen. And I’m saying GRC as a function. One is that you can approach from a perspective of audit, which is that the auditors at the end of a cycle are going to ask me a bunch of questions.
Varun Prasad (29:49)
Mm-hmm.
Raj Krishnamurthy (29:54)
They’re going to ask me for screenshots. I’m going to present them the screenshots. Let me just do enough to get through that audit. That’s one perspective. The other perspective seems to be that my DevOps teams, my engineering teams are operating at an extremely rapid clip. I mean, we have DevOps, we have SecDevOps, we have all sorts of different labels that exist that are operating at a very high speed. So I want to look at compliance and risk from the perspective of assurance, which means that
I have to get closer and closer to what is happening on product releases rather than the typical and traditional back office compliance or risk function. How do we square these two? And this is where I think continuous controls monitoring comes in. So what I’m basically asking is, as a GRC professional, I’m trying to build a case for continuous controls monitoring, which is that I want this to be more assurance-focused than audit-focused. The moment I say that, I make assurance and audit almost two different entities.
In reality they are not. But how do you reconcile this as an auditor when I make this statement?
Varun Prasad (30:55)
Yeah, I think, to your point, we need to find the fine balance between the two. Yes, it is important to provide continuous assurance. So you have to maybe build systems or build scripts or build monitoring tools that will give the product management or the engineering management teams assurance about how things are working.
But the reality of today is you also have to get through audits. So you have to find the right balance between the two. A lot of times, you know, teams have focused a lot on operational metrics and operational monitoring, so that it’s very difficult for them to prove how things are done when we get into audits,
because as auditors, we need to see how things work. Yeah, we need to see and understand how things work and really get to the bottom of it. Let us say that they’ve automated the entire CI/CD pipeline in a company. We want to understand how the automation works. What are the specific steps? Now, who has the access to modify these
Raj Krishnamurthy (31:44)
Totally.
Varun Prasad (32:05)
automation configurations? You know, can somebody override the existing processes and push things, and things like that. So we really need to look at multiple factors, not just the end result or not just the end goal. So that’s why it’s important to find a balance between
whatever internal assurance or operational assurance you require versus what we need to see as auditors. So it’s just a matter of finding the right balance. Or another term that I use for it is auditable controls. You can have continuous monitoring, you can have continuous assurance, you can automate your entire pipeline, but they should all be auditable. Ultimately, there should be a way to show
it to people. Now, are you going to show me hundreds of lines of code? Well, yes, okay, then more questions are going to come: you know, who are the developers who have access to it, can somebody override this automated function to do things on their own. There are a lot of other things that really come into the picture, so I think the biggest challenge today is coming up with what I call, quote unquote, auditable security controls.
I do know companies are doing the right thing. In today’s world, you know, there’s a lot of awareness about cybersecurity. So even the smallest one person startup who’s, you know, building a product or building an MVP, I know has thought about security, but
as an auditor, I have to see things. They have to explicitly show me what they did, how they did it, and things like that, which is where a lot of companies probably struggle, because as an auditor, one of the golden rules that we’ve been taught on day one is that inquiry alone is never sufficient, which means just having an interview or just seeing the final output of something alone is never sufficient.
Yeah, we really have to understand how the implementation was done and, you know, how it was really put to work. So the goal is designing those, quote unquote, auditable controls, where yes, you have strong controls which are automated, easy to implement, but yes, will stand the test in an audit as well.
Raj Krishnamurthy (34:33)
Inquiry alone is not sufficient. It’s almost as if I’m hearing the Mandukya Upanishad, right? It’s very philosophical. And I think that’s a great point, Varun. And so we typically used to come across these terms, compliance by design, compliance by default. And I think what I’m hearing you say is very interesting. You’re saying audit by, maybe not audit by design, and you said auditable controls, right? And I don’t know what’s the right term. It’s auditable controls by design and auditable controls by default. Maybe that’s a better way to approach this. And I think that makes absolute sense. I wanted to double-click on this particular problem, which you said is the right balance between how you think about it from an assurance perspective and how you think about passing audits, and you have to achieve that balance. Can we maybe take a step back? Are there common themes by which customers, GRC teams, security teams, engineers should think about this? For example, are there top low-hanging fruits that can get you to this balance faster: vulnerability management, asset management, anything that comes top of mind for you in terms of how they can go about thinking about achieving that balance?
Varun Prasad (35:46)
Yeah, I think, yeah, so vulnerability management is a great example. So I would also like to talk about CI/CD security, because we talked about companies shipping hundreds of features or even thousands of features on a daily, weekly basis, correct? So yeah, I think the change management, or the whole process in which this happens, is very, very critical. In any audit, I think this is one of the biggest key risk areas. So as you are implementing controls around your CI/CD process, you know, maybe teams are automating a lot of checks through their Jenkins pipelines, but there should be a clear way to show it to us. You know, when I talk to the team, they’re like, I have 10 different checks that happen automatically through my Jenkins pipeline. And without going through those 10 different checks, which test so many things, you know, they probably have a static code scan happening, and you know, they run a lot of automated unit tests and they do a lot of stress testing and multiple different tests, and then finally the product is deployed. But if they are not able to show me the details of what these 10 different tests are, and let’s say I randomly pick up one feature that got deployed last week, they need to be able to show me that for that specific feature, all of these things did happen successfully. Now this is what I call an auditable control. Okay, yes, I know that…
Raj Krishnamurthy (37:12)
Got it, got it.
Varun Prasad (37:17)
various different checks are automated and integrated in the pipeline, where when developers create a pull request, in the backend a lot of different magic happens. Like Jenkins or any other orchestration tool is used to do a number of different things. But if they are not able to show it to a third person like me, or if they are not able to show that to a third-party auditor, what exactly happened, how it is happening, the details of how it was defined and… The next question again, like I told you, is: can somebody override all of this? Are you able to push something to production where one of these checks did not happen? Let’s say that two of these checks failed, will the release still go into production? So these are all different questions that come up. If scripts are written to automate this, or if scripts are written to notify people in case things go wrong, all of that is great, but it should be showcased and it should be made very clear to somebody. Often, you know, all we see is just the last line of the Jenkins script, which alone is not sufficient a lot of the time. So yeah.
Raj Krishnamurthy (38:31)
Totally, totally. And I think, to what extent are auditors equipped and technical enough to talk about frameworks like SLSA, Supply-chain Levels for, what is it, Software Artifacts from OpenSSF? To what extent do auditors understand frameworks like SLSA?
Varun Prasad (38:53)
See, auditors will understand any framework that’s required if there is a need in the market, right? So… how many companies actually implement SLSA, or how many companies have actually gone there? You’re not seeing that. So from an audit perspective, the biggest frameworks are probably your NIST frameworks, the NIST 800-53s of the world. Back in the day, it was COBIT a few years ago; ISACA COBIT was something, but then that was very theoretical, not as technical as such. So then people started talking more about controls for SOC 2, controls for ISO 27001 and things like that. So these are all probably the most commonly used frameworks today, and yeah, definitely auditors are equipped. But again, I know every industry today has its own framework, like probably the healthcare industry, like the automotive industry, they have different requirements. So depending on the specific use case and the specific requirement, yeah, there are auditors who will be equipped in that specific area with that specific specialty. It’s just like, for example, you want to go to a specialist for a specific knee problem or for a specific gastric problem, like that. If you are looking for specific audits around different frameworks, yeah, we will have to work with specialists who will come and help you.
Raj Krishnamurthy (40:14)
Got it. No, I think I’ll rephrase the question. I hear what you’re saying, because there is a purpose to an audit. It could be a regulatory audit, right? It could be an organizational audit. It could be a lot of different things, even within cybersecurity. I think my question was more that most of these frameworks are very abstract, even though some of them tend to be more detailed. I think PCI DSS tends to be a lot more prescriptive than others in my experience. But what I’m trying to say is that something like SLSA is very prescriptive, to a point where it exactly tells you what are the threats and the risks that you have to manage in your supply chain, right? And where do you tap in, and how do you generate the provenance, and how do you validate the provenance? So if you understand that, right, I could have done this and implemented this 100 different ways because of the tooling that I may have, but at least you and I can speak the same language, right? And I can tell you what I do on my build systems, what I do on my source systems. How do I deal with transitive dependencies? How do I produce SBOMs and the reports and things like that? And how do I generate provenance? And the question I’m asking is: do you consider that a specialized area where you bring in a specialized auditor to deal with supply chain? Or should an auditor who’s dealing with security audits understand this enough?
Varun Prasad (41:37)
Yeah, see, if your goal is to basically, if let’s say you’re implementing the SLSA framework and your goal is to provide assurance around that, yes, then you will probably need to bring in a specialist who also understands that. But one thing that you mentioned that I’d like to talk a little bit more about is: should frameworks really be so prescriptive?
Raj Krishnamurthy (41:51)
Delta.
Varun Prasad (42:03)
I have been a part of so many committees and standards bodies where we actually write these control frameworks and where we come up with these control requirements as such. And one of the biggest debates that happens between the members of these groups is: should control frameworks really be prescriptive or not? There’s one school of thought that if you get too prescriptive, you are basically restricting the organization, or you’re really restricting the company or forcing them into a lot of specifics. That’s why a number of control frameworks just provide you with the requirement. They provide you with a requirement statement or a control objective or a risk objective that needs to be mitigated, and they really leave it to the implementers or the various companies to get creative on how they want to address that requirement, or how they really want to meet that requirement, by not telling them you have to do only these five things. Take the example of most ISO standards or even SOC 2: they have criteria, right? They don’t have specific controls in them. So it’s really up to every company, because if you start having very prescriptive requirements, companies tend to get into a check-the-box exercise where they just go implement those five things. But let’s say three of those things would not have been applicable or relevant to that company because of various reasons. So I think the goal is more to provide organizations with high-level requirements and risk objectives or risk statements and allow them to come up with specific ways of meeting that.
Raj Krishnamurthy (43:46)
I think I hear you and I think you’re absolutely 100% right. I’ve heard your side of the argument loud and clear. There have been very many prominent proponents. And it’s a very valid argument, because one size does not fit all. In fact, one size does not fit anybody. And you’re absolutely right. But the challenge on the other side is that, especially given that we are building products for different objectives, I rarely see anybody building products to pass audits.
Varun Prasad (43:58)
Fit on.
Raj Krishnamurthy (44:15)
Right? And because it always becomes an afterthought, most companies struggle with this. Right? Because what you’re saying is also valid in some cases: big organizations are very complex themselves, because even within one part of the organization what is true is not true for the other in terms of the process and tools and technologies and people and functions that they use. So the question is, I think the gap that I also see is how do people go from what you are stating as the intent of the requirements to demonstrating that
Varun Prasad (44:15)
Yep.
Raj Krishnamurthy (44:46)
they can keep the promises that they make. I think that’s where there seems to be a lot of gap and confusion, and the lift that needs to happen.
Varun Prasad (44:56)
Yeah, see, I think you made a great point, okay? So never, please, never make products to pass an audit, or don’t do anything for an audit’s sake. Let me make it very clear. Don’t implement a control because you have to pass an audit. Please build a control because it enhances the compliance posture or security posture of the product. Build products that are secure by design, but make sure you implement controls in a way that will also help you pass an audit. So I think that’s the key thing. You want to have the right controls in place because it’s going to enhance your operations or because it’s going to add value to your stakeholders or the users. But when you are building or implementing those controls, do it in a way so that you can explain it easily to an auditor.
Raj Krishnamurthy (45:36)
Totally.
Beautifully said, which is what your idea of auditable controls is: make sure that you build them, at least consciously, with enough focus on them, so that you can avoid this later, right? And what is your view of the current state of GRC tooling?
Varun Prasad (45:49)
Exactly.
Correct. Correct. Yeah.
Yeah, I think, you know, there are really great tools out there. So it depends on what is the focus of every tool, right? So there are many tools which just help in passing evidence from companies to auditors. Those are more like file exchange tools. But there are also tools which actually help you in the monitoring process, go into the systems and really pull the evidence for you, which is great. But again, from an audit perspective, when we rely on various features of a GRC tool, we have to understand the tool itself. This goes back to the initial conversation we were having about APIs. So let’s say GRC tools have backend scripts or backend APIs through which they talk to the underlying infrastructure to pull details of the configuration. In order, again, for auditors to really rely on that output, I don’t think I can log into the screen of a GRC tool and, if it says something is good, take that at face value. That is not how audit should be done; that’s not how audit ought to be done. Let us say that, you know, I’m looking at a dashboard from a GRC tool which is telling me a change was approved or how things were done. Yeah, we need to have GRC tools which give me the entire picture. We want to understand: how did the tool really find that out? What was the underlying query that the tool used? Which parts of the infrastructure or which other tools did it query to pull the data out for us, and make sure that there were no changes made to it, and things like that. So those are, I don’t want to call it the challenge, but those are the realities of how we need to conduct an audit. We want to go to the source. Yeah, we want to go to the source and make sure that data is coming from the source without any alterations or modifications.
Raj Krishnamurthy (48:00)
You want to go to the source. You want to go to the source. Absolutely. What do you see as the role of generative AI, large language models, large reasoning models, and the impact of that on audit as a function?
Varun Prasad (48:22)
Yeah, great question; I get this a lot. See, audit has always been a judgment-based function, and it will remain a judgment-based function. I don’t think an AI tool is going to replace auditors; that would never happen, or that should never, that should not happen. It can help us in maybe comparing different things. You talked about generative AI. So let’s say that I have a 20-page document. I can probably feed that to a generative AI tool which will help me summarize what’s in there. Let’s say that I’m looking at hundreds of lines of code. If I have an AI tool which really looks through those hundreds of lines of code and tells me in plain English what that script is trying to do, those are all great uses of generative AI for auditors. So like we always said, generative AI and AI-based functionalities and tools can help make life easier for auditors. It can help improve our productivity and efficiency, but definitely not replace what we do. Audit is one of the most judgment-based functions, where you have to think critically and make decisions and apply judgment, and it will continue to remain that way. But yes, AI can do a lot of things. There have been cases where we’ve had to look at user lists which are given to us sometimes in Notepad, sometimes in a CSV file; we may have to compare user lists from various different formats. So maybe an AI tool can help read these things and make it easier for us. So yes, AI has several use cases in auditing, in order to probably simplify things, make it easier. But an AI tool can never tell me if a control passed or failed.
Raj Krishnamurthy (50:18)
And I think, what I mean is, as an auditor, you’re inherently skeptical. And I don’t mean that offensively in any way, right?
Varun Prasad (50:24)
No, no, no, that is right. In fact, professional skepticism, I think that is one of the…
Raj Krishnamurthy (50:31)
professional skepticism, constructive skepticism.
Varun Prasad (50:33)
Yeah, professional skepticism is one of the fundamental principles of auditing, or for auditors. So we have to remain skeptical and we have to ask those questions, which is why some people don’t like that. But it’s not because I don’t trust you, or it’s not because I don’t believe what you say. We have to go through and understand a few things, and that’s why we continue to ask you questions.
Raj Krishnamurthy (50:57)
Now, the reason I asked you that question was because I think in the example that you gave, it is one thing to take a list of users that is, let’s say, given to you in a PDF and use Claude to convert that into an Excel spreadsheet. But it’s another thing to rely on Claude to generate some insights on the data that you’re presented. Let’s say that I give you a PDF of 10,000 users, right? And for you to determine whether it’s compliant or not compliant, right? Where do you put your… sort of, how do you approach this skepticism? Meaning, how do you rely on it when the generative AI reads and summarizes a policy document for you, or reads data and summarizes it for you? How do you rely on that?
Varun Prasad (51:43)
Good question. Again, we still need to understand the tool I’m using. I don’t think I’ll be able to upload something into Claude or ChatGPT today to do an audit. That’s not how we work currently. Yeah, I can maybe use them for simpler functions, but I don’t think we are there yet where an AI tool is actually doing the audit or helping us do a lot of things. There is still a lot of work that we will need to do on top of it. AI tools are being used, like I said, to probably help us with simpler tasks, but…
Raj Krishnamurthy (52:12)
Got it.
Varun Prasad (52:21)
I don’t, if somebody is telling you AI is going to be your auditor or Claude is going to be your auditor, then I’m not sure they’re doing the right thing. Yeah.
Raj Krishnamurthy (52:28)
Because the reason I’m asking is that these tools are inherently probabilistic. And security, by definition, has been inherently deterministic. MFA is either turned on or off, right? There is no 80% probability of on, right? So, that makes sense. And maybe we are approaching the end of the segment, Varun. And I would love to get your perspective. Are there people that have
Varun Prasad (52:43)
Good, good, yeah.
Raj Krishnamurthy (52:57)
sort of been your role models, or books that you read, podcasts that you listen to, something that has shaped your thought process on cybersecurity, risk, governance, compliance, and audit?
Varun Prasad (53:10)
I mean, I don’t have an example of a specific podcast or a specific book, but what I can definitely say is that, yeah, I’ve had to reinvent myself every year or every two years, you know, with changing technology. It’s not like I’ve learned Python or I’ve learned Java, so I can really go apply my skills in any use case. Yeah, I think there’s one quote by one of the CEOs of Disney, Bob Iger. He said, innovate or die, which was very true of the Disney company during his time, because it was during his tenure that Disney really grew. It opened so many new amusement parks. You know, it bought the Star Wars franchise. It brought in Marvel. So that has really stayed with me, one quote which says innovate or die. And to me, even as an auditor, that’s very true. I need to stay on top of technology innovation. If AI, you know, I had to know what AI was maybe a month before it hit the market. Like right now, probably quantum computing and the risks related to quantum computing. A lot of people are talking about it. I’m not sure how much it’s really implemented in the real world, but these are certain things that I’m really learning right now and trying to get updated with, because when quantum computing is going to hit the market and become a big thing, I need to be ready for it as an auditor. So innovate or die, that’s probably one quote which has really stuck with me. And I’ve always felt I’ve had to reinvent and relearn and unlearn every two, three years with changing technology, because as an auditor, I’ve always believed I need to understand the technology in order to go audit that.
Raj Krishnamurthy (54:58)
No, that’s beautiful. And for somebody who’s listening to this podcast, Varun, and who wants to become a cybersecurity auditor like you did, an IT auditor, what should they do? And especially if they are in college or they’re just coming out of college.
Varun Prasad (55:15)
Yeah, be curious. Definitely be curious. Ask a lot of questions. Understand how every technology works. I’ve had so many people coming to me saying that, you know, I want to start auditing AI. So understand some of the basics of it. What I mean by that is they don’t have to learn how to write an LLM. They don’t need to know how to train data sets or how to play around with data sets, but they need to know the concepts. The concepts need to be very, very clear. So make sure that you understand, get to the bottom of how technologies work. Back in the early days, as auditors, we had to be really thorough with how networking works. We needed to know what the OSI model was and what were some of the risks at every layer of the OSI seven-layer model and all of that. So that’s just an example. So somebody who wants to get into auditing, yeah, understand how technology works, how programs work. You talked about APIs; understand what an API is. You don’t necessarily need to know how to write an API. You need not know some of the actual commands that you have to go in and, you know, give the system, but understand what they mean and what is the purpose of various commands and things like that. So for somebody who really wants to get into auditing, you need to be like an all-rounder, where you need to have a good understanding of various different technologies and their concepts and how they work, and continue to question them and continue to go deeper to understand the underlying logic behind how all of these technologies really come together.
Raj Krishnamurthy (56:58)
And Varun is a frequent speaker on the IIA and ISACA circuits. So please feel free to say hi to him if you meet him next time. Any immediate speaking engagements coming up, Varun?
Varun Prasad (57:13)
Yeah, at the end of September, I’m actually going down to Southern California. I’ll be speaking at the IIA and ISACA Orange County Joint Fall Conference on September 24th and 25th. My talk is on the morning of September 24th.
Raj Krishnamurthy (57:29)
Beautiful, Varun, it has been a pleasure having you. I think this has been one of the most fiery discussions that we have had on the show. So thanks for putting up with me and thanks for patiently answering.
Varun Prasad (57:42)
Yeah, thanks a lot, Raj. Thanks again for having me, and I hope it was helpful and resonates with your listeners. Thank you.
Raj Krishnamurthy (57:48)
Absolutely. Thank you. Take care. Bye.