If an auditor you’ve never met requests you to copy files to their thumb drive, what is the best course of action?

The best course of action in this scenario is to direct the auditor to the Office of Compliance Programs. This response ensures that any requests for sensitive or confidential information are handled appropriately and in accordance with established protocols. The Office of Compliance Programs is equipped to verify the auditor's credentials, authority, and the legitimacy of their request, which protects both the integrity of the data and the organization's compliance with laws and regulations.

Directing the auditor to the compliance office ensures that the request is assessed by qualified personnel who can manage the situation appropriately, maintaining the necessary security and confidentiality of the files involved. It also provides a clear and documented procedure for handling such requests, which is critical in compliance areas to mitigate risks associated with data breaches and unauthorized access.