listen to this article:

Compliance Audit Failures

Financial institutions rely on cryptography to meet many compliance goals, including internal control and satisfaction of regulatory mandates. If an institution is meeting a compliance goal, it should be able to persuade a third party, such as an auditor, of that success. If it cannot persuade a third party, then it is not really in compliance.

What is the Key to Avoiding a Compliance Audit Failure?

Third parties like auditors act on evidence. If an auditor is unable to access persuasive evidence that a belief about a cryptographic resource is true, then the auditor must report a deficiency (a failure) about that belief.

Here is an example: In 2019 the US Government Accounting Office published an audit report on deficiencies discovered on the use of cryptography at the Internal Revenue Service, a division of the US Treasury Department. The GAO said IRS had failed to produce evidence that it was complying with its policies on the encryption of email. The GAO report called on the IRS to correct these deficiencies.

Evidence is key to avoiding a compliance failure. The accumulation and presentation of evidence is therefore the mission of administrators who want to achieve cryptography compliance success.

Learn how Unbound’s CORE platform enables centralized key management to meet compliance requirements   

Recommendations to Prevent Crypto Audit Failures

In pursuit of compliance, and evidence to prove compliance, cryptography administrators have much to learn from the audit profession. Learning to think about cryptography from the perspective of an auditor can illuminate hidden pitfalls.

Think the Way an Auditor Would Think

How does an auditor think? A window into the auditor mindset is US Statement on Auditing Standards 99 (SAS 99). SAS 99 requires an accountant evaluating the financial statements of an enterprise diligently to look for fraud, such as embezzlement or misappropriation of assets. Using an auditor’s style of thinking, SAS 99 provides the accountant tips and guidelines on how to look for fraud and how to think about evidence.

Be A Professional Skeptic

SAS 99 teaches an accountant to think about evidence as a “professional skeptic.” A professional skeptic sees a piece of evidence, such as a cryptographic algorithm, as something to be noted and weighed, but not necessarily to be received as conclusive proof of anything.

Corroborate Evidence

Armed with this outlook of professional skepticism, cryptography administrators should ask: What evidence is available to persuade an independent party that a belief relevant to compliance is true? How could this evidence be abused, fabricated or misinterpreted? Can the risk of abuse, fabrication or misinterpretation be reduced by way of corroboration of the evidence?

One way to corroborate compliance with cryptographic mandates is to maintain records like logs, or reports from third parties.

Lack of records of encryption led to a compliance disaster at Accretive Health, Inc., a financial institution that helped hospitals with billing and collections. It had stored patient data on a laptop, which later was lost. The laptop was required by law to be encrypted. But Accretive could not prove the laptop was encrypted. The laptop might have been encrypted, and it might not have been encrypted, but the firm lacked convincing records. Therefore, it failed an investigation by a regulator, the Minnesota Attorney General. The failure contributed to the AG imposing a $2.5 million fine.

Write Policies That Match the Real Practice

Another way to corroborate evidence about cryptography is to maintain accurate written policies.

To that end, cryptography administrators should write policies that make practical sense and then review compliance with those policies to ensure the institution does what the policies say. A company that failed at this was ClixSense. ClixSense managed financial relationships with consumers. Its written policy was to “utilize the latest security and encryption techniques to ensure the security of [consumer] account information.” But ClixSense fell short of its stated policy. It stored personal customer information, including Social Security numbers, in clear text with no encryption, an investigation by the Federal Trade Commission revealed. The FTC, a US regulator, ordered ClixSense periodically in the future to obtain expensive third-party assessments of its security.

Secure Executives Support

SAS 99 emphasizes the critical role played by executive management when an enterprise is audited. Under SAS 99, the auditor should interview executives personally to inquire whether they are aware of fraud in the enterprise and to gauge the cultural support for compliance in the enterprise.

Let’s translate that guidance from SAS 99 to audits of cryptography. It doesn’t necessarily mean executives need to be interviewed in a cryptography audit. But it does mean that a culture of compliance, led by executives, is critical to a successful crypto audit (or other review by a third party).

Successful cryptography audits depend on executive buy-in, according to experienced cryptography auditors. If executives foster a general culture of compliance – they take risks seriously and they avoid cutting corners — it is much more likely the auditor will be satisfied in the cryptography audit.

Therefore, a critical step to avoiding compliance failures is to obtain strong executive support for cryptographic processes. This support leads to a robust budget for and prioritization of cryptographic work.

Support Unpredictable Audit Tests

SAS 99 stresses that a successful audit includes unpredictable audit tests. This means the auditor should test the process under scrutiny in ways or at times that are not expected by the people in control. In cyber security, a successful penetration test normally involves an element of unpredictability, so that the people administering a resource being tested don’t know when or how a test will happen.

An example of an unpredictable crypto test is specified in “Security and Test Requirements – Payment Card Industry (PCI) Contactless Payments on COTS (CPoC™).” In an audit test, “the COTS platform attestation must be performed … at unpredictable intervals, polled during an online session (at least every 30 minutes).”

How can the administrators of a cryptographic resource promote unpredictability in an audit or other review? One answer is that they can brainstorm with the auditor/reviewer to invent practical steps for injecting unpredictability into the review. The administrators understand their environment and infrastructure. They can creatively help the auditor devise unpredictable tests so that the auditor becomes more comfortable with the overall design and outcome of the audit.

Ask Where the Opportunities for Non-Compliance Exist

How does an auditor know where to look for fraud? SAS 99 says the auditor should look for places where people have opportunity to commit fraud.

Opportunity to commit fraud rested in Gary Foster, a staff accountant at a large US bank. He embezzled $22 million because he had the power to move money from an obscure account to his own account, with little oversight. The source account accumulated unclaimed funds, something that attracted little attention because no customer was asking for the money. Foster did have to prove to others that he managed the unclaimed funds account responsibly, but because they were young and inexperienced, he knew how to trick them.

How can the lesson from Foster be applied to cryptography compliance?

  • Cryptography administrators should ask themselves probing questions: Where in our systems do opportunities for non-compliance exist?
  • Administrators should gameplay among their team members: What components of our systems attract little scrutiny? How could a rogue insider trick people or use a resource in an unexpected way?

Such questions help administrators anticipate compliance shortfalls and address them before they materialize.

Plan for The Compliance Review Long In Advance

Cryptography administrators who think ahead and take early steps to satisfy future reviews are less likely to have unsatisfactory outcomes when an auditor or other investigator does show up.