Shift to Online Audits
VIRAT SHAKTIVARDHAN, May 2020
Recent events concerning COVID-19 have had a huge impact on the way organizations function. Along with posing new challenges, the pandemic also presents many opportunities and ideas for new ways of operating. Auditing, traditionally a hands-on, on-location process, has been adopted by organizations to ensure that the vendors they work with have a comprehensive and robust security posture. This ensures that the data shared with the vendor is protected with maximum security at all levels, and that any services provided can continue unimpeded. With social distancing advisories in place, in-person auditing has become a challenge and auditors have been forced to adapt to a remote process. ComplyScore, as always, is ahead of the game: we have been offering an online audit service for the past 3 years. We have done numerous vendor audits online, as well as ISO 27001 surveillance audits.
ComplyScore, drawing on this experience, has mastered the process while the rest of the world is just beginning to adapt to it and to the significant challenges it poses for auditors. Below are a few of the challenges of performing an online audit:
- Remotely validating controls and their operating effectiveness over time
- Evaluating risks associated with data collection, processing, and compliance
- Covering the entire security posture and all controls in a limited timeframe
- Identifying all strategically important activities and remotely bringing them under security scrutiny
- Giving greater attention to exponential transformation, innovation, and advancement in technology—their implementation in the organization and impact on informational and operational security
- Developing remote work methods in organizations where every employee can be considered a sub-entity, often with access to sensitive and confidential information while in a non-company managed network and workplace
With ComplyScore’s highly qualified staff, trained specifically for the process of online audits and experienced in conducting them, these audits are guaranteed to be performed by experts on the subject. An elaborate and comprehensive process to verify and validate the implementation of controls is established through online screenshare. Here all controls are validated, documents are reviewed, and evidence is gathered. Operating effectiveness is also checked against timestamped evidence spanning past to present. Additionally, the collection of pictures, videos, and a mobile screenshare during the audit allow for further validation of the controls.
ComplyScore auditors fully understand the nature of business arrangements between two entities and can determine all the controls needed for implementation; these are then checked and mapped against security standards such as ISO, NIST, and SOC. The auditors can analyze the risks that the data faces at every juncture in the network, from source to destination, both at rest and in transit, by completely evaluating the data flow diagrams and mode of transportation. The ComplyScore questionnaire, another part of the online audit process, provides additional controls alongside the standard audit process to further evaluate the completeness of an organization’s security controls. Regular security and vulnerability training, provided to auditors on innovation and advancement in technologies, keeps them up to date with the newest technology and vulnerabilities, knowledge that proves to be highly beneficial during such audits.
ComplyScore has specially trained staff and the technology to support the process. This new module of online auditing is helpful for organizations in many ways. One of the most important and biggest advantages of this process is the reduction in cost. Traditional audits require an auditor to travel to the location, stay at hotels, and take taxis to reach the audit destination. Online audits cut all these costs and save organizations a lot of money, and they further allow the organization’s staff to continue their tasks without needing to take time off from an otherwise productive day of work.
While an online audit can prove very beneficial for organizations, it does pose a challenge to the auditor in terms of increased workload and effort. Verifying all security controls remotely is an elaborate task, and looking for evidence and artifacts can be time-consuming and demand extra effort from the auditing team. Utilizing remote assessment, checking for additional controls (beyond the standard audit controls, through the ComplyScore questionnaire), verifying pictures and video footage, and similar tasks are all expected to further increase the overall workload. All of this has resulted in a 20% increase in the workload of an auditor.
The audit process is elaborate and involves a lot of searching to find the gaps and loopholes in the information security framework of an organization. ComplyScore has adopted a very well-defined online audit process that ranges from the most granular controls to the most explicitly important and standard controls. Here are a few highlights of the online audit process:
- Verifying vendor and data classification (CIA) based on business engagement
- Preparing scope and agenda for online audit
- Preparing and sharing with the vendor a list of documents, policies, artifacts, and evidence required to verify the implementation and effectiveness of a control
- Sending meeting invites to all participants and designating individual parts of the audit to specialists, if necessary
- Performing the online audit (screenshare, policy review, effectiveness of controls, certifications, test results, collection of artifacts and evidence, etc.)
- Listing all the observations, findings, and recommendations
- Preparing closeout reports
ComplyScore also ensures that the answers provided by the vendor are validated as accurate, and that the collection of misleading information is reduced to the fullest extent: our experienced staff perform several rounds of cross-checks to validate each control, so a single control is evaluated in more than one place and in more than one way.
Despite this being a new process that the world is looking to master, ComplyScore is ahead in the game and has already identified the major challenges and problems faced in this process. For years we’ve been coming up with ideas and solutions to counter these challenges and iron out the fault lines; this experience allows us to provide dynamic and improved services with increased accuracy and finesse.