Audit & Assessment
What’s The Difference?
So, what’s the difference between and Audit and an Assessment?
Essentially it is in the degree of formalism involved.
An Audit is usually against some formal definition or standard, which may be externally defined, such as ISO-27001 or PCI:DSS, or a law or regulation such as Sarbanes-Oxley in the US or the Canadian PIPEDA. Such audits will have a clearly defined methodology and a clear report of the degree of conformance.
Management should think of the deficiencies reported in a formal audit as matters of grave concern that need to be addressed. This is especially so in the case of audits for regulatory compliance since there may be punitive measures for non-conformance.
An Assessment is less formal and less severe. An assessment is usually observations by an experienced practitioner that compares the operations and practices of the client against that are generally considered Best Practices.
Very often, an assessment can be of more use to management than an audit. Since audits are concerned primarily with compliance, they may miss out on many important factors. Its often said that being compliant does not mean being secure – and vice versa. Many of the credit card security breaches in the last few years were of companies that were PCI compliant. On the other hand, compliance and security are not exclusive.
But an assessment can do more, can be more valuable for Operations than a formal audit. It can tell you how you can improve your IT in various ways; make it more efficient, more robust, more flexible. It can address issues of change, generate new ideas and possibilities. It can tell you what is good and what is bad, what ventures should be encouraged and which should be killed off. It is inherently more open-ended than an audit, and this can make it much more valuable.
