The Schellman Blog

Benjamin Franklin once said, “By failing to prepare, you are preparing to fail.”

Auditors. We’re an odd breed. “A necessary pain in the tuchus,” some may say. Admittedly, we’re not everyone’s cup of tea. In fact, in our 20+ years of experience, we’ve seen the word “auditor” invite various visceral responses. To be sure, organizations aren’t always enthusiastic about inviting us assessors in to do the requisite checks, despite the benefits of doing so (and despite being invited guests).

If you’re a parent, you’ve likely had the debate in the car with your young kids—they want to stop for McDonalds and you tell them, “we’ve got food at home.” From their perspective, they want what they want, but from yours, you understand you’ve already made an investment in perfectly good food at the grocery store, and you’re not about to spend any more money that you don’t have to.

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government initiative that standardizes the security assessment and authorization process for cloud products and services used by federal agencies. Part of this process requires cloud service providers (CSPs) to complete a FedRAMP Readiness Assessment Report (RAR), which is used to determine whether they are prepared to undergo full FedRAMP authorization.

Authorization from FedRAMP allows Cloud Service Providers (CSPs) the lucrative prospect of providing services to the federal government community.

The audit world isn’t as scary as people make it out to be. But there are things that you can only learn in the audit profession through experience and not in the classroom. Here are some of the biggest takeaways I learned as a first year auditor:

[NOTE: Schellman has since updated this content in a more recent article.] Think of your auditing firm like you would a long-term business partner. They are someone you will work with year after year, and they will be an integral part of setting the stage for your organization’s success. As such, the act of selecting the appropriate assessor shouldn’t be taken lightly. Here are several key qualities your organization should look for when choosing an auditing firm:

The Health Information Trust Alliance is a U.S.-based organization that works with healthcare, technology and information security leaders to establish a Common Security Framework (CSF). A CSF is a body of controls for all organizations to follow to create, access, store and exchange private or regulated data. The Health Information Trust Alliance believes security should be a core pillar of health information systems and exchanges, not an obstacle to be hurtled, hence its mission to normalize security controls via the CSF. The CSF includes: