I just got selected for random audit. Thought I would detail the experience so that others know how it works.
Immediately after clicking "submit" on a CPE, my CPE dashboard displayed the following alert:
I was also notified by an email from <membersupport@isc2.org> entitled "(ISC)² CPE audit notification - Audit reference: ##########", which indicated that I could also respond to the audit notification via email.
My response was to click "Respond to Audit", enter a simple explanation of the CPE and attach a bit of evidence (in my case, a BrightTALK viewing certificate). The web site then reported it would be reviewed within 21 days.
A couple of important observations:
So far, over the life of my certification, I have been audited at a rate of about 2%. Anyone else pay attention to their audit frequency?
UPDATE: 10 minutes or so after submitting my response, I got a follow-up email from <auditor@isc2.org> reporting my audit was successfully completed, "by automated process", so the entire process from start to end was under an hour for me. No clue how I managed to get the FastPass.
Also, the email outlined timing expectations giving me 90 days to respond / submit evidence and the auditor 4 weeks for processing the audit.
Did you submit any evidence with the initial CPE submission?
Yes. The exact same PDF containing the BrightTALK certificate.
I haven't been audited since the move to the new CPE portal where I've been including evidence with each CPE submission.
I had assumed the lack of audits was related to the inclusion of the evidence. e.g. One of my submissions might get randomly audited and the auditor sees evidence has already been provided so the audit is passed without any further interaction from me, or even any requirement to notify me.
Seems that's not the case and the auditors probably don't even look at what's been included with the submission they're auditing. Makes me wonder if it's even worth including the evidence with the submission in the first place - it is only optional anyway.
I've been audited a handful of times with my 2 ISC2 certs.
In, I think, all cases, the audits occurred shortly after obtaining or renewing the certs. I think within a couple of months.
In all cases, I also easily passed the audit because, like you, I keep track of my CPE evidence.
I have had only one audit using the new portal. I am disappointed to hear of being audited even if you had already submitted evidence. I figured submitting evidence when you submit CPEs would forgo the need to be audited and re-submit that evidence.
[as I do speak with others about certifications and such, I also cover CPEs and the auditing process, so have given my experiences to others. I have yet to be audited by ISACA, tho]
@AlecTrevelyan wrote: I haven't been audited since the move to the new CPE portal.
If my 2% rate holds true for everyone, you should expect about 1 per year. It also implies they are auditing about 300 entries per day, which would not leave much capacity for routine deep dives.
@AlecTrevelyan wrote: ... the auditors probably don't even look at what's been included with the submission they're auditing.
I suspect that no humans are involved in a random-audit until after we submit our response, and even then it probably sits in a work-queue for a while. In my specific case, I further suspect that something in my response triggered an automated acceptance of the audit and that it will never be looked at by a human auditor.
Makes me wonder if it's even worth including the evidence with the submission in the first place - it is only optional anyway.
I've wondered the same thing, especially given that we cannot see the submission details after the fact. I'm hoping our "Christmas present" includes a "view/edit" button so we can validate that details were properly recorded and so that we can reference it in the event of audit.
@denbesten wrote:
So far, over the life of my certification, I have been audited at a rate of about 2%. Anyone else pay attention to their audit frequency?
I took the certification in 2016, so nothing yet, but I guess it's too soon to tell. Anyways, I too retain CPE proofs, so it won't be much of a hassle when / if I'm audited.
But like @AlecTrevelyan said, they probably do this only if they require proof of the CPEs; the majority of mine are automatically added by (ISC)² or BrightTALK, and for all manually entered ones, I've included proof; perhaps that's why I haven't had the 'honor' yet.
I had one of my first CPE submissions randomly audited in the first month after getting my CISSP, back in 2016. None since then. I wrote up an email explaining what I did, submitted it, and that seemed to satisfy them.
Pretty straightforward, but a little unnerving so soon out of the gate.
I was absolutely thrilled when they allowed us to submit evidence for CPEs ahead of time. I always have more CPEs than I need, so the new process makes me feel better about it all. I do my part, they do their part.