Governance & Risk

The audit as an objective measurement of where you stand

What an audit actually measures, and how to procure it so the outcome stays yours

An audit is an independent measurement of the state of affairs at a single moment, nothing more and nothing less. It tells you the factual state of a defined system, tested against a standard that exists outside your organisation, carried out by someone with no stake in the outcome. It is not a teaching instrument, not an improvement programme, and not a tick-box you file away under the NIS2 Directive or DORA. Anyone who forces the audit into one of those other roles gets back something that resembles assurance but is not assurance.

That difference sounds small but is large in practice. It determines who you hire, what you ask for, what you get, and what you can do with it in front of the board and the regulator. It also determines whether the outcome stays yours or disappears into someone else's drawer. For the CISO who has yet to enter their next audit, this difference is the difference between a document that gives them standing and a document that hands them work with nothing in return.

What an audit does measure and what it does not

An audit measures three things. It measures whether an agreed set of controls is in place. It measures whether those controls worked as described during the period measured. It measures whether there is evidence a third party can rely on. That is all. An audit makes a statement about a defined scope over a specific time window, against a specific standard, by a specific party. Beyond that scope it says nothing.

What it does not measure matters just as much. An audit does not measure whether you are mature as a security organisation. It does not measure whether you are making the right investments. It does not measure whether your culture is sound. It does not measure whether you have understood the risk correctly; it measures whether you have implemented the controls that came out of another process. Those other processes (the risk assessment, the programme planning, the architecture choice) are your work. An audit tests the outcome, not the thinking.

Under ISO 27001 this is more explicit than many assume. The standard does not ask for a list of good intentions; it asks for a working management system. The auditor looks at the management system you built yourselves. They measure whether it runs as you have described it. They do not approve the description; they test whether it matches what they see. The same applies to ISAE 3402 and to SOC 2: the standard supplies the yardstick, the party supplies the evidence, the auditor supplies the judgement within that scope. No one supplies improvement. Improvement is not an audit product.

Why the audit-as-instrument so often goes wrong

Many organisations buy an audit as if it were a coach. They hope for targeted recommendations, for a programme suggestion, for someone to think along about next steps. That hope is not innocent. It undermines precisely what makes the audit valuable, namely its independence. An auditor who advises on what you should do can no longer independently test, in a later round, whether you have done it. The difference between advice and assessment is a wall, not a transition. The professional rules under ISAE 3402 and the assurance standards beneath it name that separation explicitly, not as a courtesy but as a design requirement.

The audit is also often procured as a compliance tick-box. The NIS2 Directive requires demonstrable risk management measures under board-level accountability. It is tempting to see an audit report as the evidence that those measures exist. The report is evidence of the moment of measurement, not evidence that the board is steering execution. Regulators who later probe will not be looking for the report. They will be looking for the decision-making cadence beneath it. The audit is the snapshot; the board carries the continuity. An organisation that confuses the two gets an unpleasant conversation at the wrong moment.

A third pitfall is scope creep during the audit itself. An auditor comes in for a defined subject, notices things along the way, and delivers a report in which the original question has dissolved into general observations. The CISO reads the report, no longer recognises the work, and can do little with it internally. Not because the observations are wrong, but because the scope has blurred. What you did not agree to measure, you cannot afterwards use to make governance decisions.

What does a usable audit look like?

A usable audit meets a limited set of criteria, established in advance, agreed in writing, tested against delivery. Five points that make the difference.

A scope defined in advance. Which system, which processes, which locations, which period. Not "the security function" or "information security", but a defined whole that can be written out in a single sentence. What falls outside, falls outside. No creep during execution.

An explicit standard or frame of reference. ISO 27001 Annex A, a SOC 2 criteria set, an in-house control framework that is traceable. Not "professional standard, proven method, customary approach, professional practice" or "what is common". A yardstick without a scale measures nothing.

A separation of roles between measurement and interpretation. The auditor delivers findings against the standard. The interpretation, what this means for your programme and your risk acceptance, is your work or the work of a separate party. Two functions in one hand make both functions weaker.

A delivery that is legible at board level. A management summary the board can read without translation beforehand. No technical depth without a heading, no recommendation document dressed up as an assessment report. An audit serves a formal function. The form must serve that function.

A repeatable measurement method. Next audit, next measurement, comparable outcome. An audit whose method you cannot repeat produces no time series, and without a time series there is no development to show the board or the regulator.

So what belongs where?

If the audit is the measurement, where does the work that depends on it happen? In three places, and it is worth keeping them apart.

The decision on what to measure. That is board work, prepared by the CISO, established in the risk assessment. Which subjects require external assessment, at what frequency, at what level of depth. An organisation that runs the same audit every year because that is how it grew misses the entire point. The audit follows the risk assessment, not the other way around.

The translation of findings into work. That is your programme, your planning cadence, your own or contracted capacity. An auditor delivers no plan of action. An auditor delivers observations, and what you do with them is a separate decision under a different mandate. Anyone who lets the auditor write what needs to happen forfeits the independence of the next assessment.

The evidence that the work is happening. That is what the regulator under the NIS2 Directive actually wants to see: not only that a measurement was taken, but that something was done with it, in a traceable cadence, under board-level accountability. The report is the snapshot. The decision-making chain around it is the continuity. The Netherlands' National Cyber Security Centre points out consistently, in its governance publications, that it is precisely this chain that is the weak point in most organisations.

How do you procure an audit so the outcome stays yours?

Three questions that sharpen the procurement conversation and prevent the most common later frustrations.

What is the scope, word for word, and what is explicitly out of scope? Ask for a written demarcation you can put to your CIO and your CFO internally before the engagement starts. An auditor who will not put a demarcation on paper before beginning is an auditor who will stretch the scope along the way. No scope, no engagement.

Who takes ownership of the report and who takes ownership of the findings? The report should be yours. So should the findings. The method the auditor uses may be theirs, but the outcome belongs to the organisation that was measured. Ask for it explicitly. Many parties write their reports in a format they want to reuse elsewhere; that rarely works in your favour.

How is the separation between measurement and advice maintained? If the party that measures also wants to deliver what it measures, that is a conflict of interest by design. Ask to record in writing that the auditor will offer no additional services within the measured scope for a reasonable period. Under the assurance standards this is standard practice. Anyone unwilling to write it down takes you less seriously than your board deserves.

These three questions turn the procurement conversation around. It is no longer about what the auditor is going to do, but about what you will be able to do with it. That is a different conversation, with a different kind of party, and it structurally excludes a considerable part of the market. That is not a problem. That is exactly the filter you want.

What this means for your position

The CISO who enters their next audit without this demarcation gets a report and a quantity of extra work, and then has to explain internally why the outcome gives them no standing. The CISO who procures the audit as an independent measurement within a defined scope, with a method that is repeatable and a report that stays theirs, gets something else: an instrument the board can read, the regulator can accept, and they can deploy again the following year to make movement demonstrable. That is not rhetoric. That is how you distinguish a measurement from an improvement programme.

The board that oversees execution under the NIS2 Directive does not need two hundred pages. It needs a few structured measurements, in a cadence that repeats, with an interpretation supplied by you, not by the auditor. With that it can govern. Without it, the report stays in the drawer, and you end up in a conversation defending a document you did not write yourself and cannot fully explain why it was written the way it was.

Procuring an audit well is not clerical work. It is positioning work. You determine what gets measured, which standard applies, what evidence is delivered, in what form the report comes home, and what may be done with the findings. Whoever agrees this sharply in advance ends up with a document that stands alongside the other documents you produce yourselves, not above them. A measurement beneath the programmes, not a programme beneath the measurement.

If you are weighing whether your next audit becomes the instrument that gives you standing or an obligation you carry alongside everything else, a conversation beforehand is the shortest route. An hour in which we work through the scope, the standard and the terms before you put the engagement out. That is where the difference is decided between a report in the drawer and a measurement you can build on all year.
