When Social Distancing Becomes Audit Distancing
Flattening the Curve
- Connect with your Auditor / Assessor:
By now your auditor will most likely have prepared temporary or emergency protocols for managing existing audits and projects under the new circumstances brought on by COVID-19. The situation changes daily, so establishing a timely communication channel with your audit and compliance professional is likely the minimum consideration for your examination. As new updates impact your organization, regulatory requirements, or the auditor’s methodologies, having a consistent touchpoint may be just what the doctor ordered—please excuse the pun. Additionally, your compliance professional should be able to outline, in specific detail, any impact to your particular compliance requirements and explain, in clear and easy-to-understand terms, the position of the governing body on remote or distance auditing. While we know that for attestation examinations in-person auditing is not a requirement of the governing standards, your auditor should also be able to speak to the other, non-authoritative requirements that may impact your examination.
- Distance Audit Techniques:
As travel restrictions are in constant flux at both the federal government level and the company level, this is likely to be the greatest single change to your assessment, and technology will go a long way toward mitigating those restrictions. Most business-class laptops are equipped with a high-definition camera suitable for effective video conferencing, and video conferencing software is as ubiquitous as MS Office, so using the obvious software solutions to overcome the challenges of distance auditing is to be assumed. Even so, the evaluation of physical safeguards and processes will need to be accommodated in potentially non-traditional ways. If the physical walkthrough was the primary source of evidence, consideration should be given to other forms of evidence, including system logs from physical access portals and systems, physical control monitoring logs, video surveillance logs, badge and system access listings, and remote viewing sessions using cell phones and/or laptop cameras, among other possibilities. Again, for any assessment or examination, the governing principle in this area is the sufficiency and appropriateness of the evidence; therefore, what may have been sufficient with an in-person tour may now require more corroborative data than before, and that is largely true across other standards as well. Please expect and plan for this with your auditor. Alternate techniques should be planned out in advance, along with contingency plans for the case where key personnel or systems become unavailable and thereby prevent a remote approach to evaluating certain controls.
- Be Available:
Notwithstanding the above, there are certain conditions that may inhibit distance auditing. While the use of teleconference technology may be obvious, what may be less obvious is the availability of network access to the critical software, applications, and infrastructure necessary for effective auditing, including VPN availability, which will surely be stress-tested across businesses and home offices during this time. (It is also worth noting that this article was written without the benefit of high-speed Internet connectivity, due to an unforeseen outage that is hopefully temporary.) Contingency planning adds just one more variable to consider when planning with your auditor: redundancy in your network and in personnel availability should be identified and communicated.
- Optimize Your Audits:
Combining and leveraging audit and compliance programs has become a vestige of a much simpler and largely extinct compliance landscape. Many, if not most, medium-to-large businesses, and several small businesses that deliver services via the Internet (also known as every service organization), face multiple external compliance requirements, e.g., GDPR, CCPA, PCI DSS, HITRUST, ISO, HIPAA, FedRAMP, CMMC, etc. Those that are not managing against at least two of those acronyms in addition to an attestation are in the distinct minority. As such, it is recommended to identify areas of synergy across these assessments at a distance, not only for the sake of remaining productive in primary business operations, but also to reuse every precious resource spent satisfying Compliance Project X for the purposes of Compliance Project Y, whenever feasible. An audit firm that can seamlessly perform your SOC examination concurrently with your ISO 27001 assessment, evaluating a single piece of evidence or interview toward both projects, will be extremely valuable to any organization that can manage such synergy. Further, such synchronized evaluation has a compounding (or curve-flattening) effect as other compliance requirements are properly planned and organized using a single, duly qualified assessor.
[1] SOC reporting is governed by professional standards promulgated by the AICPA. These standards have been codified into SSAE No. 18, Attestation Standards: Clarification and Recodification.
About the Author: Ryan Buckner