A year ago, prior to the COVID-19 pandemic, probably very few people could imagine how the world would change. Working from home, remote business meetings, online events, and digital concerts are only some examples of the new normal. Things we could not imagine going virtual did, to everyone’s surprise. One of the areas that tended to be very onsite and face-to-face was conducting audits.
Naturally, the approach to auditing is also being revisited right now. Is a remote audit possible without sacrificing quality? Is an onsite audit more a cultural habit or a real need? These are the questions that arise; let’s try to look for the answers together.
First of all, let’s recall that an audit, in its essence, is a set of procedures to ensure that the subject of the audit complies with a set of requirements. For example, financial reports may be required to comply with IFRS, and payment card data processing should meet the PCI DSS requirements. So the first thing that matters is what the requirements are. The more they relate to the physical environment of the audited subject, the more difficult it is to avoid onsite audit procedures. Another significant factor is the nature of the business and how physical it is: a manufacturing business versus software development, for example. And not least, the level of knowledge an auditor has about the audited company and the level of established trust. Yes, we know, an audit should always follow the zero-trust rule. Although that is right in general, audit standards usually fall back to ‘reasonable assurance,’ which translates to ‘low trust’ rather than ‘zero trust.’
Let’s go into some details and take a look at the typical audit procedures in an information security-related audit. The critical objects audited would be digital assets (e.g., configurations and code, also known as configuration items, or CIs, in ITIL), controls, and evidence of their effectiveness.
For digital assets, the typical audit procedure is examination or, at worst, observation. During an onsite audit, the auditor usually meets someone who has access to the asset. During the meeting, the asset is presented, and key artifacts (logs, screenshots, config files, etc.) are provided to the auditor (sent by email, copied to a thumb drive, etc.) for further examination. The audit conclusion comes from the examination results. So the purpose of the meeting is rather to identify the asset and to ensure that the requested information was provided without any interference. This audit practice can be replaced quite well by a remote meeting and a screen-sharing session (one could argue that it gives the auditor an even better view) without compromising audit quality.
Auditing manual controls may require sampling and physical evidence (whereas auditing automated controls is less demanding). During an onsite audit, the sampling can sometimes be done on the fly, i.e., the sample is picked during the meeting, and then only the evidence for the sample is requested for examination. In a remote audit, this most probably turns into a need to provide the whole population of cases, or at least their identities, and to draw the sample from that. In theory, this should lead to even better audit quality. However, for some types of physical evidence, it may be challenging to provide the whole population for sampling in the first place. Imagine a physical register of entries to the building. Should it all be scanned and sent for sampling? How can an auditor make sure no pages have been torn out of it? So there may be cases where remote audit quality suffers, or the audit cost noticeably increases.
And of course, any audit of non-digital assets (like physical security) or of digital assets connected to physical endpoints (e.g., LAN access from a physical socket) is difficult to replace with purely remote procedures. Let’s see how official audit standards will change to incorporate the new normal of pandemic times. We at Berezha Security would consider the following approach to onsite procedures beneficial for both audit quality and the auditor’s health and safety:
- In case the auditor can get safely to the place of audit, ensure the environment itself is safe, e.g., no close physical contact with other people, premises are regularly disinfected, etc.;
- In case the auditor can’t get safely to the place, involve third parties that can, and instruct them to assist the auditor and ensure the chain of custody of the evidence;
- In case neither is possible, organize a virtual experience using a secure video-conferencing tool to show the auditor everything they need to see.
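The two auditor-side controls discussed above, drawing the sample from the whole population and checking the chain of custody of evidence that arrives remotely, as an added example that is not Berezha Security's own tooling; the entry-register population, the artifacts and their declared digests are constructed for the demo:

```python
"""Auditor-side sample selection and custody check for remotely supplied evidence."""
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class EvidenceItem:
    item_id: str          # identity of the case, e.g. a line of the building entry register
    content: bytes        # the artifact (scan, log extract) as received by the auditor
    declared_sha256: str  # digest declared by the auditee or assisting third party at hand-over


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def select_sample(population_ids, sample_size, seed):
    """The auditor draws the sample from the full population with a seed the auditee
    never sees, so the auditee cannot steer which cases are examined."""
    ids = sorted(set(population_ids))
    if sample_size > len(ids):
        raise ValueError("sample larger than population")
    return sorted(random.Random(seed).sample(ids, sample_size))


def check_delivery(sample_ids, delivered):
    """delivered: dict item_id -> EvidenceItem. Returns (missing_ids, tampered_ids):
    requested cases that never arrived, and artifacts whose content no longer matches
    the digest declared when custody was handed over."""
    missing = [i for i in sample_ids if i not in delivered]
    tampered = [i for i in sample_ids if i in delivered
                and sha256_hex(delivered[i].content) != delivered[i].declared_sha256.lower()]
    return missing, tampered


# Constructed population: ten lines of a physical entry register, delivered as scans.
POPULATION = [f"ENTRY-{n:04d}" for n in range(1, 11)]


def demo(seed=2021):
    """Draw three register lines, then simulate one altered scan and one undelivered case."""
    sample = select_sample(POPULATION, 3, seed)
    delivered = {}
    for i in sample:
        page = f"register line {i}: visitor signed in".encode()
        delivered[i] = EvidenceItem(i, page, sha256_hex(page))
    first, last = sample[0], sample[-1]
    delivered[first] = EvidenceItem(first, b"altered scan", delivered[first].declared_sha256)
    del delivered[last]
    return sample, check_delivery(sample, delivered)
```

Keeping the seed on the auditor's side and asking for the digests before the artifacts themselves is what makes the two checks meaningful.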
It’s important to remember that in both remote and onsite audits, the key to good audit quality lies in identifying and understanding what is audited, in control over information selection, and in the data sharing procedures. As an auditor, make sure you decide what to select, make sure you examine what is actually deployed, and make sure you see what you want to see, not what you are shown. Adhering to these basic rules will allow most of the audit work to be done remotely without any compromise on quality. Let’s leave the pleasure of face-to-face meetings and small talk for safer times.
Stay healthy, and take care.