The General Directorate of Internal Security (DGSI) calls on companies to be wary of external audits.
Companies generally commission such audits in a context of commercial growth, when they enter a new market, or when they carry out a merger or the sale of a business activity.
For the internal intelligence service, these audits “can promote the capture of company data and that of its customers”, but also of subcontractors and business partners.
Under the term external audits, the DGSI groups commercial audits, acquisition audits, regulatory compliance audits and export audits carried out as part of the integration of a product into a new market.
To carry them out, companies call on consulting firms, evaluation centers specializing in compliance, investment funds or third-party companies.
But some actors can turn out to be dishonest.
The DGSI details the example of a foreign investment fund which is suspected of having acted as an intermediary for the transmission of data to competitors.
In its latest note, dated November, the organization indicates that after “having signed a confidentiality agreement and before drafting a letter of intent, the fund carried out a detailed audit giving it access in particular to the work of non-patented research developed by the company”.
Following this control operation, the French company had no news from the investment fund and now fears that it has been the victim of the capture of sensitive data.
In another example, a French industrial group operating partly in a foreign state was forced, by a new local regulation, to accept “particularly intrusive audits”.
The authorities could demand “access to precise information on French society, such as the exact composition of the products, the origin of the raw materials or the identity of the suppliers”.
This is all information that could make it possible to “facilitate the production of counterfeits”, note the internal security services.
To guard against this type of fraud, the DGSI recommends being particularly vigilant when choosing the service provider in charge of the audit, by studying its reputation.
It also recommends “identifying sensitive company data to which the audit firm should not have access”.
Once the auditors are on site, the company must define their scope of action and “raise staff awareness so that any suspicious behavior is reported”.
Finally, the company should not hesitate to “strengthen the contractual clauses established with the audit service provider”.
However, if data capture is already suspected, the DGSI recommends contacting it and considering legal action.