Chief Audit Executives: Job Description, Responsibilities & More

Any business or service provider looking to work with the federal government or one of its departments or agencies is going to need to comply with one of the security frameworks as appropriate for their role, usually something like CMMC, FedRAMP, or HITRUST.

A key part of these security frameworks is verification and validation that security measures are in place and that continuous monitoring is effective. This is usually done through a comprehensive audit conducted by a certified 3PAO (third-party assessment organization), which goes through all of a business’s processes and systems, checks for compliance with security controls, and performs tests and spot-checks to validate that security.

Any business that needs to pass these audits is likely to need at least one internal individual whose role is to oversee compliance and to whom the responsibility falls to ensure proper adherence to security protocol. They’re the person whose name comes up when there is a gap in compliance and on whose shoulders the blame can rest if there’s a breach and no other individual can be found willfully at fault.

It’s a high-stakes, high-risk, high-stress position in many organizations. In many cases, the role falls to the Chief Compliance Officer, but an increasingly popular role in many businesses is the Chief Audit Executive. What does the Chief Audit Executive do, what is their role, and how do they compare to a Chief Compliance Officer? Let’s dig in.

Internal but Independent Verification

Adherence to a security framework, or even just to business policies, requires knowledge of those policies throughout the organization, infrastructure that takes those policies and builds up a structure around them or accounts for them, and a business culture that respects and adheres to them.

A Chief Audit Executive is the member of leadership who guides the verification of these policies. They are not – necessarily – the person who oversees compliance. Instead, they are the person who comes in, validates compliance, looks for holes and weak points, and delivers reports to the board of directors and Chief Executive Officer about the state of internal affairs. When there are gaps, the Chief Audit Executive isn’t responsible for fixing them, merely for ensuring that the company is aware of them and is addressing them.

To achieve these goals, the Chief Audit Executive is often considered an independent and, in some ways, oppositional position. In some ways, it’s a “red team” role: the company, under the guidance of the Chief Compliance Officer, implements policies and security, while the Chief Audit Executive leads the charge in validating those policies and security measures and finds gaps and holes in them.

This role is by necessity an independent one, because if the auditing function is too closely linked to the core of the business, its efforts can be subpar and the conflict of interest can lead to worse outcomes.

Verification, not Validation

An important detail about the role of the Chief Audit Executive is that they generally do not have the power to certify an organization as compliant with a security framework that requires a 3PAO audit.

Consider two security frameworks: FedRAMP and SOC2.

SOC2 is the second version of the Service Organizational Control reporting framework. It’s a set of standards developed and released publicly as a way to encourage operational security in a wide range of businesses. The standards are developed by the American Institute of Certified Public Accountants and cover five categories of trust: Security, Confidentiality, Privacy, Availability, and Processing Integrity.

SOC2 is a valuable standard for service organizations, but it’s also voluntary. There are no governing bodies or security regulations (like GDPR or HIPAA) that require its use. It’s also not a certification; it’s an auditing report framework.

A Chief Audit Executive may be responsible for conducting SOC2 audits within an organization and ensuring that the organization meets the requirements necessary to pass that audit.

Conversely, consider FedRAMP. As a government standard developed by the National Institute of Standards and Technology (NIST), compliance with FedRAMP is required to work with many government organizations as a service provider. Since it’s regulated by the federal government, it requires a higher level of certification than something like SOC2.

A Chief Audit Executive can review an organization and even conduct an audit that mimics a FedRAMP audit. However, the Chief Audit Executive cannot certify the organization as FedRAMP-validated. That responsibility falls to a 3PAO; as above, independence is a requirement.

That said, the Chief Audit Executive can still play a valuable role by conducting what are essentially mock audits, using their knowledge of and experience with the framework to spot the same kinds of issues and holes that a 3PAO would. This is valuable because a 3PAO audit is often lengthy and expensive, and failing it is the last thing an organization wants.

Chief Audit Executive Job Descriptions

Bearing the above in mind, what does a job description look like for a Chief Audit Executive?

Here are a few examples from around the business world.

Robert Half:

“Chief audit executives need advanced experience with financial and accounting applications, financial and operational controls, and with GAAP, Sarbanes-Oxley and COSO framework requirements. Professionals should have strong critical thinking, communication and technology skills. Candidates generally must have at least seven years’ experience in auditing, including in public accounting and industry. Firms seek individuals who possess a bachelor’s degree in accounting or finance, along with an MBA, and certifications such as a CIA or CPA. Travel is often required for this position. Depending on the organization, the title for this position also could be internal audit director or vice president of internal audit.”

Knowledge Leader:

“The chief audit executive is responsible for oversight of all internal audit functions and is charged with assuring that an effective internal audit function is in place systemwide. Sample responsibilities include evaluating the reliability and integrity of information and the means used to identify, measure, classify and report such information; and monitoring and evaluating governance processes.”

There are also many that can be found through job sites such as Indeed.

Chief Audit Executive Responsibilities

We’ve talked in general terms about the responsibilities of a Chief Audit Executive, but in terms of itemized duties, what does the Chief Audit Executive do?

Chief Audit Executives are responsible for:

  • Advocating for a culture of risk awareness and security throughout an organization.
  • Guiding and directing the internal audit processes within the organization.
  • Assessing risk and determining frameworks relevant to the business.
  • Developing auditing strategies for optional and mandatory compliance checks.
  • Creating independent processes for ethics and compliance violation reporting.
  • Evaluating internal governance processes and improving said processes.
  • Understanding relevant frameworks and how they apply to the business.
  • Identifying and assessing new security controls and their implementation.
  • Hiring, training, and guiding internal auditing staff and teams.

Depending on the industry, type of business, and any external compliance measures the business must adhere to, there will be additional responsibilities as well. Financial companies, for example, have a variety of specific finance-related regulations and frameworks to follow; government contractors and defense contractors have theirs as well. International organizations generally have to comply with GDPR. Healthcare-related businesses need to pay attention to HIPAA.

How Much are Chief Audit Executives Compensated?

The increasing importance of the Chief Audit Executive role means that salaries and compensation packages are increasing.

For smaller companies and mid-range businesses, typical compensation can range from $125,000 to $250,000 per year. For more intensive roles, larger companies, and defense contractors, it’s not unusual for compensation packages to approach $1,000,000. Obviously, the necessary skills, knowledge, experience, and certifications required for these higher compensation packages are proportionally steeper.

Chief Compliance Officers and Third-Level Control

When a CEO or board looks at the fact that they would be paying a quarter of a million annually for someone to tell them that they’re doing things wrong, they often balk at the suggestion. CEOs love to roll together related roles, lumping more job duties onto specific individuals and – critically – cutting costs to the business. It’s their fiduciary duty to the board and to their shareholders, after all; the more they can cut costs, the more they can realize profits for all involved.

The dangerous proposal is to lump together the Chief Audit Executive role and the Chief Compliance Officer roles. Audit and Compliance are, after all, related fields; the CCO is responsible for understanding the frameworks the business needs to adhere to and enforcing compliance throughout the organization, while the Chief Audit Executive is responsible for understanding the frameworks the business needs to adhere to and checking compliance throughout the organization.

The issue with lumping these two roles together is two-fold. The first is the aphorism: you can’t check your own work. If the person responsible for testing the validity of your security is also the person who designed that security, there’s a clear conflict of interest. More importantly, that security will of course be resilient only to the threats that one individual can come up with. Truly checking for robust security requires someone else to think outside the box and try threat vectors outside of that paradigm.

Now, ideally, the adherence to a third-party framework like FedRAMP/CMMC/HITRUST/HIPAA or whatever else is good enough to be that outside-the-box thinking. But it’s still not a good idea.

The second reason there’s a problem is the three-layer system of governance. In an ideal business, the first layer of governance is the organization’s management: the board, the CEO, the upper management directors, and others. These are responsible for acting in compliance with rules and regulations. The second layer supports the first and includes departments like HR, finance, and others that perform some level of validation and verification. Auditing should be the third layer, independent of the other two and capable of testing them internally and externally.

If, conceptually, this isn’t enough, consider the case of a high-profile manufacturer of expensive vehicles. This manufacturer lumped auditing and compliance together into one role as part of an overall push to cut costs and optimize profits after a notable merger. Since that time, there have been many high-profile incidents, with more seemingly every day. Can you guess the company? It’s one whose name was formerly synonymous with quality but now risks it all: Boeing.

Do You Need a Chief Audit Executive?

For businesses that must adhere to a framework like FedRAMP, where a third-party assessment organization comes in to perform a comprehensive audit to gain initial certification and then audits every three years, you might wonder: do you even need a Chief Audit Executive? After all, if there’s already going to be independent auditing, you can focus on your own compliance, and as long as you do it right, the 3PAO will validate you in that audit.

The answer, disappointing as it may be to many a cost-sensitive CEO, is yes. You should still maintain an internal auditing department headed up by a Chief Audit Executive.

Why? There are several benefits.

  • By conducting internal audits, your Chief Audit Executive can identify gaps and holes in your compliance in a lower-stakes setting, where issues can be fixed before they jeopardize certification and cost time and money for a failed audit.
  • The Chief Audit Executive can validate more than just one framework like FedRAMP; where a 3PAO has one audit in mind, the Chief Audit Executive can oversee auditing for everything from that same FedRAMP to independent and optional frameworks like SOC2 to simple compliance with internal business processes.
  • You have someone on staff whose sole responsibility is making sure your organization is in compliance and validated and who can take responsibility if there’s an issue. For some, this can be invaluable.

Whether you’re gearing up a new Chief Audit Executive, or you’re simply trying to run through your business and categorize every element of your processes in terms of NIST security controls – or another framework from our list of covered frameworks – we can help. We’ve developed the Ignyte Platform as a comprehensive tool and cloud-based alternative to siloed and isolated spreadsheets and other software. Designed to assist with compliance across over 25 different security frameworks, virtually any cloud service provider or business looking for assistance with auditing and compliance can make use of the platform. Book a demo today to see it in action and learn what we can do for you.

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/compliance/chief-audit-executives-description/