SPOT: Security Audit Rules of Engagement (ROE)

Connect, but be very careful.

Take control before you are taken control of.


  • The lead auditor will establish evaluation criteria for the assessment of the controls.
  • There is no “partial” control credit; each control is either “compliant,” “non-compliant,” or “NA”.
  • All controls are subject to inspection; auditors will not be restricted from accessing portions of the facility or system sub-components directly related to the audit.
  • The auditor may go beyond documentation review and require demonstration when the control is not clearly answered.
  • The company/business is responsible for addressing controls.
  • The company/business must demonstrate the controls’ implementation, including inherited controls (where the government provides a means to address the control).
  • Controls that are not assessed because the company/business did not address them will be marked as non-compliant.
  • Controls that are assessed as non-compliant and not re-scored prior to the auditor’s departure will be categorized as non-compliant.
  • Inspected POAMs must include an expected completion date and mitigations (until a permanent solution is employed).
  • All document references will include the document name, version number and date, page number, and section number that addresses the control.
  • If a document reference does not address the control, then the auditor will categorize that control as non-compliant.