Security audits in the investment industry should be both compulsory and commonplace, ensuring that computing practices are compliant, that data is maintained and regulated securely, and that firms operate with clarity. As an Investment Advisor, there is every chance that you have been subjected to one or more audits in the past. However, regardless of whether it’s your first or fiftieth audit, the process can still feel incredibly pressured, not to mention daunting – it really need not be, though.
Auditors don’t exist for the sole purpose of seeing your company fail, but to remind you of the practices you should be following and to point out any weaknesses that they observe. Such reviews assess user practices, security of data, and the condition and efficiency of equipment, and analyze a company’s handling of operations. In short, they provide a complete analysis of your investment business and note ways in which it could be improved. While audits are not always welcomed with open arms, they are significantly less intrusive than the alternative – a security breach, fraud, or theft.
If you’d like to be more prepared for your next audit, there are a few things you can do in advance. Ensure that you’ve done everything in your power to keep systems and processes compliant, and conduct your own “mini” audits on staff and equipment to pre-empt some of the issues that may arise.
Here are 3 crucial points that all security audits should contain:
1. Review of established security policies
Established security policies are your investment company’s foundations - the very lifeblood of your business’s security strategy. Upon an auditor’s arrival, the first thing they’re going to look at is your policies. You must be able to demonstrate that policies exist and are in use. To do this, the policies need to be documented, and you need to show some sort of proof that they’re in use so that the auditor can verify your compliance.
Simply put, an investment advisory firm won’t successfully survive an audit if it hasn’t created, documented, and implemented its security protocols and disaster recovery plans, and addressed the implications of a security breach. How else do you expect to safeguard your business, and the details of your associates and clients, from a prospective breach, cyber-attack or natural disaster?
2. Perform security vulnerability scans
Investment advisors come into contact with and store a great deal of sensitive information. There would be catastrophic consequences for you and your clients if such data were to become common knowledge or fall into the wrong hands. A security vulnerability scan will determine how secure your network is from internal and external threats, identify any weakness or potential for breaches, and help your company to up its game as far as security is concerned.
In addition, an auditor will request system-generated audit reports detailing what was scanned, when, and what the results were. Every piece of data that has ever been entered into your computer’s system, and each procedure carried out, creates a trail that would be very difficult to manipulate. Such a report, therefore, is likely to produce an accurate account of how your firm operates.
3. Review of contingency plans
An audit won’t just be looking for evidence that you’re doing things right, or are willing to make improvements, but also that you have strategies in place to protect your clients’ data and your company’s information should the worst happen. Much as you’re likely to have a disaster recovery plan, an auditor will be looking for your coping mechanisms, and for the software that you have in place to protect your business’s interests.
Once the auditor has been and gone, make sure you review the audit report – what are you doing right, and what could be improved? An auditor’s report is not merely another piece of paperwork to be filed away and referred to just prior to your next audit, but a document that reflects how your business should be conducting itself. Audits are performed for the security of your company and its clients, so be sure to do something with the results.