Shift to Online Audits
VIRAT SHAKTIVARDHAN, May 2020
Recent events related to COVID-19 have had a huge impact on the way organizations operate and function. Along with posing many challenges, they have also opened many possibilities and ideas for new ways of doing things. Auditing, a traditionally hands-on and on-location process, is adopted by organizations to ensure that the vendors they work with have a comprehensive and robust security posture, that the data shared with the vendor is protected with maximum security at all levels, and that services provided, if any, can continue without fail. With social distancing norms and advisories in place, in-person auditing has become a challenge and auditors have been forced to adapt to a remote process. Some companies have only just started implementing changes to accommodate this new demand, as such uncertainties may repeat.
ComplyScore, as always, has been a few steps ahead of the game. We have been offering Online Audits as part of our supplier risk assessment services for the last 3 years. We have done numerous vendor audits as well as ISO 27001 surveillance audits.
The Transition has Generally Not Been Easy
ComplyScore, as a vendor risk management company, has performed online audits for three years now and has mastered this process while the world has only just begun adapting to this new way of working. Because the online audit process is new, and a forced change rather than a self-adopted one, it poses significant challenges to auditors. Below are a few challenges experienced on the road to performing an online audit:
- Validating the controls and their operating effectiveness over a period of time remotely can be challenging
- Evaluating risks associated with data collection, processing, and compliance
- Covering the entire security posture and all controls in a limited amount of time
- Identifying all strategically important activities and bringing them under security scrutiny remotely can often prove to be a challenge
- Exponential transformation, innovation, and advancement in technology, their implementation in the organization, and their impact on informational and operational security can be another piece of the puzzle that requires great attention, especially when the audit is conducted remotely
The recent growth of remote work in organizations has posed a completely new challenge: every employee can be considered a sub-entity, often with access to sensitive and confidential information, while working on a network and in a workplace that the company does not manage.
It is Important to Establish Comprehensive Processes
Highly qualified staff, trained specifically for the online audit process, together with the experience of several audits, ensure that these audits are performed by ComplyScore's most experienced experts on the subject. An elaborate and comprehensive process to verify and validate the implementation of controls is established through online screenshare, where all controls are validated, documents are reviewed, evidence is gathered, and operating effectiveness is also checked through timestamped evidence from the past to the present.
Additionally, the collection of pictures, videos, and a mobile screenshare during the audit provides the ability to further validate the presence of controls. ComplyScore auditors fully understand the nature of business engagements between two entities and hence can determine all the controls that would need to be implemented; these are checked and mapped against security standards such as ISO, NIST, SOC, etc.
The auditors, with their expertise and experience, are able to analyze the risks that the data faces at every junction in the network from source to destination, both at rest and in transit, by completely evaluating the data flow diagrams and the mode of transportation.
The ComplyScore questionnaire, which is another part of the online audit process, provides additional controls beyond the standard audit process to further evaluate the completeness of the security controls implemented in an organization. Regular security and vulnerability training provided to auditors on innovation and advancement in technologies keeps them at par with the newest technologies and vulnerabilities, knowledge which proves highly beneficial during such audits.
Our vendor risk management solutions include remote assessments developed by experts at ComplyScore and incorporated as part of the online audit. Designed with the security threats and vulnerabilities of organizations working remotely in mind, they have helped immensely in assessing the controls implemented by such organizations to safeguard processes and data.
ComplyScore has specially trained staff and the technology to support this process. This new module of online audit is helpful to organizations in many ways. One of the biggest advantages of this process is the reduction in cost. Traditionally, audits require an auditor to travel to the location, stay at hotels, and take Ubers and taxis to reach the destination and perform the audit; online audits cut all these costs and save organizations a lot of money.
As is said, time is money, and online audits save a lot of time on both ends, which further saves costs. Online audits also allow the organization's staff to continue with their work and do not engage them all at once, and hence do not take away time from staff who could have spent a productive day doing regular work.
While online audits do prove very beneficial for organizations, they do pose a challenge to the auditor in terms of increased workload and effort. Verifying all security controls remotely is an elaborate task, and looking for evidence and artifacts can be time consuming and can demand extra effort from the auditing team.
All the additional steps undertaken to ensure control completeness, their implementation and effectiveness in an organization, and the steps undertaken to overcome the challenges listed above add a bit of extra workload on auditors. Utilizing remote assessment, checking for additional controls beyond the standard audit controls through the ComplyScore questionnaire, verifying pictures and video footage, etc. is expected to further increase the overall workload.
In total, all this has resulted in a 20% increase in the workload and effort of an auditor. Many such online audits have been successfully completed to date, and organizations have been helped to save a lot of unnecessary costs without compromising on quality.
The audit process is elaborate and hence involves a lot of looking around to find the gaps and loopholes in the information security posture of the organization. ComplyScore has adopted a very well-defined online audit process that covers everything from the most granular controls to the most explicitly important and standard controls. Here are a few highlights of the online audit process:
- Vendor and data classification (CIA) based on business engagement.
- Prepare the scope and agenda for the online audit.
- Prepare a list of documents, policies, artifacts, and evidence required to verify the implementation and effectiveness of each control, and share it with the vendor.
- Send meeting invites to all participants and, if necessary, designate individual parts of the audit to specialists.
- Perform the online audit (screenshare, policy review, effectiveness of controls, certifications and test results, etc., and collect artifacts and evidence).
- List all the observations, findings, and recommendations.
- Prepare the closeout report.
ComplyScore also ensures that the answers provided by the vendor are validated to be as accurate as possible, and that the collection of misguided information is reduced to the maximum extent, with our experienced staff performing several rounds of cross-checks to validate a control. A single control is evaluated in more than one place and in more than one way.
As this is a new process that the world is looking to master, ComplyScore has been ahead of the game and has already initiated the identification of challenges and problems faced in this process. We have been coming up with ideas and solutions to counter these challenges and iron out the fault lines, which will help us provide improved services with increased accuracy and finesse.