For the internal intelligence service, external audits allow certain dishonest actors to recover sensitive data from a company.
The General Directorate of Internal Security (DGSI) calls on companies to be wary of external audits. They generally do so in a context of commercial growth, when they enter a new market or when they carry out a merger or sale of activity. For the internal intelligence service, these audits “can promote the capture of company data and that of its customers», but also subcontractors and business partners.
Behind these external audits, the DGSI groups commercial audits, acquisition audits, regulatory compliance audits and export audits as part of the integration of a product into a new market. To carry them out, companies call on consulting firms, evaluation centers specializing in compliance, investment funds or third-party companies. But some actors can turn out to be dishonest.
SEE ALSO – “We absolutely have to take advantage of it”, suggests Guillaume Rozier, praising the capacity for collecting health data in France
Read alsoEspionage: compliance as a legal Trojan horse
The DGSI details the example of a foreign investment fund which is suspected of having acted as an intermediary for the transmission of data to competitors. In its last note for the month of November, the organization indicates that after “have signed a confidentiality agreement and before writing a letter of intent, the fund has carried out a detailed audit giving it access in particular to the non-patented research work developed by the company“. Following this control operation, the French company had no news from the investment fund and now fears that it has been the victim of the capture of sensitive data.
Another example, a tricolor industrial group operating partly in a foreign State was forced, by a new local regulation, to acceptparticularly intrusive audits“. The authorities could demandaccess to precise information on the French company, such as the exact composition of the products, the origin of the raw materials or the identity of the suppliers“. So much information that could help to “facilitate the production of counterfeits“, note the internal security services.
To guard against this type of fraud, the DGSI recommends being particularly vigilant when choosing the service provider in charge of the audit, by studying its reputation. She also recommendsidentify sensitive company data that the audit firm may not have access to“. Once the auditors are on site, the company must define their scope of action and “educate staff so that any suspicious behavior is reported“. Finally, the company does not hesitate to “strengthen the contractual clauses established with the audit service provider“. However, if data capture is already suspected, the DGSI recommends contacting it and considering legal action.