Providing insights in the changed risk and opportunity landscape
Global situations relating to the COVID-19 pandemic have impacted the business and has also impacted the work of auditors. The current situations challenge the conventional methods adopted for an audit. The current uncertainty and unpredictability may create risks of material misstatement in the audits.
There anyone who loves or pursues or desires to obtain pain of itself, because it is pain, but because
occasionally circumstances occur in which toil and pain can procure him some great pleasure. To take a
trivial example, which of us ever undertakes laborious physical exercise,
“Predicting the unpredictable: Adapting to the changing needs” has always been a key mantra, and this holds true today with the emergence of COVID-19.
Considering the recent situation and the paradigm shift in business operations CyRAACS would advise the audit teams to adopt the below methods for a precise, fact-based audit.
1. Re-evaluate the audit scope
With the change in the mode of business operations and the technology implemented, auditors may have to relook at the scope of the audit. Include the technology and architecture deployed to support remote working. Auditors may have to re-evaluate the effort estimates and timelines based on the changes in the scope of the audit.
2. Utilize Collaboration tools and communicate
Conference or video call facilities or collaboration tools such as Skype, Teams, Slack etc. allow for regular communication with clients and team members. Extensively use the collaboration tools to communicate what you need and what you have been working on. An additional point to note while implementing these communication and collaboration technologies is to keep an eye on the advisories issued with the vulnerabilities identified in these technologies. Any open-source tools adopted may be evaluated for any security flaws before implementing.
3. Use cloud services for storing evidences
Utilize cloud storage services to collect audit evidences. The cloud services like OneDrive, SharePoint enable gathering adequate, appropriate audit evidence remotely. Ensure all security controls are implemented in the cloud service being used for restricting any data leakages. Additionally, ensure that the current cloud platform being used is accessible to all stakeholders required to provide data for the audit.
4. Technology controls to be stringently implemented by the IT Team
In the event of the recent crisis and the work from home model adopted globally, the IT team may be evaluating stricter and stringent controls on implementing digital certificates, Multi-Factor Authentication to the environment etc. Auditors may integrate the additional security controls in their methodology to adapt to the changing environment.
5. Check for regulatory/contractual requirements for evidence sharing
All the regulatory requirements for data hosting, data sharing may be validated before sharing the data with the auditors. In case of strict organizational policies on data sharing, organizations may create a segment or a white room for the auditors to securely review the evidences.
6. Centralize work performed by other auditors
Centralize the audit engagement and the documentation on the cloud platform. This would enable the audit team to coordinate and review the work of auditors to meet the requirements in auditing and reporting standards.
7. Flexibility in reporting audit findings
As audit teams respond to the crisis and changing business risks in differing ways there may arise a need for more adaptable and flexible auditing techniques During this period, auditors may not be restricted to the traditional reporting methods and may consider different reporting templates like unrated reporting, e-mail reporting, mid-review reporting.
8. Reassess key risks in a real-time environment
Risk changes rapidly with the slightest change in the environment. Re-Assess the current environment to identify the new threat landscape and associated risks. The exercise would give insights into the changing risk landscape and aid in developing a robust risk mitigation strategy.
Additional Articles for a good read and understanding of global security controls and audits:
1. NBS Special Publication 500-153: Guide to Auditing for Controls and Security: A System Development Life Cycle Approach
2. NIST Special Publication 800-53 A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations.
The writer- Deepti Bhatia, a Cyber Security professional, has attained industry-relevant certificates like CISSP and CISA. She has a master’s degree in IT Business Management with specialization in information security. She is been associated with the cybersecurity and audits domain for 6 years, in organizations like EY, Ocwen Financial Solutions etc on global platforms. She is currently working with CyRAACS as a Senior Consultant – Risk Advisory Services. CyRAACS is a one-stop for Cybersecurity Consulting services with expertise in a spectrum of Cyber Security services. The signature services at CyRAACS include Information security, cybersecurity, risk management and privacy. Cloud Security, Business Continuity & Disaster Recovery Management, GDPR Compliance, Information Security Maturity Model Assessment, RBI IT Directives Compliance etc.