This policy governs the work provided by Volkis in auditing situations, including:
- Offensive Security
- Security reviews
- Gap assessments
- Compliance advisory
The intention of this policy is to ensure that Volkis audits remain free of conflicts of interest: auditing that is independent, and free from bias and undue influence that may affect the results of the audit.
Definitions
- Auditor: In this policy, the auditor includes any personnel directly involved in the audit, both those who perform the work and those who perform quality assurance on it.
- Client: In this policy, the term "client" refers to any person or organisation outside of Volkis that has a vested interest in the results of the testing. This could include the end-user, the implementer, a Volkis partner, or a managed service provider.
- Direct investment: This includes:
- Owning equity such as shares, including through trusts, estates, or other investment vehicles, but not including investment funds or ETFs where the auditor does not have decision-making authority over the investments.
- Having an ongoing contract with the client, including contracting or employment arrangements.
Independence from implementation
- The auditor must not have had direct material involvement in the implementation of the system.
Direct material involvement includes:
- Active remediation assistance from previous audits on the system.
- Development of the system.
- Having a direct supervisory role in the development of the system.
Direct material involvement does not include:
- Providing advice or recommendations for remediation activities in previous audits.
- Working on policies, procedures, processes or standards that govern the system.
- Working on a library or third party system that is used by the system but was not built specifically for use within the system.
- Working on other systems that the system integrates with.
Free from undue influence
- The auditor must not have a direct investment in the client.
- The auditor may have a loan from, have loaned money to, or have deposited money with the client, or be provided insurance policies by the client.
This is permitted only where the arrangement is provided under standard retail conditions, such as ordinary bank lending or deposits.
- The auditor must not receive material gifts from the client.
Material gifts include:
- Monetary gifts
- Non-monetary gifts over $30 in value
- Discounts that are greater in value than those that are provided to other organisations or people
- Hospitality
- The auditor may receive non-material gifts from the client.
Non-material gifts are non-monetary and have a value of $30 or less.
Free from bias
- Issues must not be removed from the report at the request of the client.
- Risk ratings and conclusions must not be adjusted at the request of the client.
- Risk ratings and conclusions may be adjusted based on information provided by the client.
The auditor may change risk ratings and conclusions in the audit based on further information provided by the client, provided that this information changes the professional opinion of the auditor (for example, evidence of a compensating control that was not visible during testing).
Personal relationships
- The auditor must not have a close personal relationship with anyone who is employed by, or holds a direct investment in, the client.
Close personal relationship includes direct family members such as a spouse, parent, sibling or child or de facto partners.
Close personal relationship does not generally include friendships, in-laws, old colleagues, or acquaintances.
Company relationships
This section governs the involvement that the auditor’s company may have with the client.
- The auditor's company must not have had material involvement in the implementation of the system. This includes the development, implementation, or integration of the system itself, or of security products that protect the system.
- The auditor's company may monitor the system for security incidents.
- The auditor's company may have a financial relationship with the client outside of the engagement.
Additional engagement
- The auditor may have previously performed audits on the system.
Auditors from previous engagements, such as last year's penetration test, may be excluded at the request of the client, but will not be automatically excluded by Volkis.
- The auditor may provide consulting outside of the scope of the engagement.
- The auditor may assist with fixing issues identified during the engagement.