We are a service organization providing IT-based services to customers. Because of containment efforts and stay-at-home orders, most of our personnel are working from home, and only essential support staff who reside near the office are managing support from the office location. The internal audit department is proposing a remote IS audit. How can this be performed? What challenges might we face, and how can we overcome them?
The COVID-19 pandemic has created a unique situation. To complicate matters, we are experiencing a global lockdown for the first time since continuity planning processes have matured. Despite not being prepared, many organizations have adopted work-from-home (WFH) strategies and developed policies for employees accessing an organization’s information resources remotely in a fairly short period of time. Though employees managing essential services such as security, power, network, food and fuel can travel to work locations, many prefer to work remotely given the risk traveling to and working in an office presents.
Given that many organizations had not considered lockdowns as a possibility, the need to look at internal audit functions during this scenario was not anticipated. It is quite possible that audit firms have not thought that WFH might be required for auditors. Since the lockdown, many audit firms have developed strategies, approaches, policies and procedures for remote audit.
The American Institute of Certified Public Accountants (AICPA) has developed and shared best practices for conducting remote audits while complying with the Accounting Standard Board standards.1 Audit companies such as the British Standards Institution (BSI)2 and DNV GL3 have developed a remote audit approach and started conducting remote audits. The International Organization for Standardization (ISO) Auditing Practices Group (APG) published guidelines for conducting remote audits in April 2020.4
Thanks to fast-moving advances in technology, conducting remote audits is becoming more popular among organizations. Enterprises already have high-tech strategies that allow audit teams to receive and share data, conduct interviews, and make observations for organizations all over the world without needing to commute to the audit site. Certification bodies will certainly have to adapt to this new situation. In fact, the last version of ISO 19011:2018 Guidelines for auditing management systems5 includes new specifications for transitioning to conducting remote audits.
A remote audit is performed the same as an onsite audit, except that the auditor depends on electronic devices to conduct the audit and obtain audit evidence without visiting the auditee in person. An auditee can share evidence and data files through electronic media such as email, Google Drive and more. Auditors can also use other advanced technologies to conduct walk-throughs and interviews. The technologies an auditor may consider using are:
- Smartphones, tablets and other handheld devices
- Laptops and desktop computers
- Video cameras
- Wearables, if required
- Drones for remote viewing or access to closed-circuit television (CCTV) recordings
- Data analytics access and reports
- Internet connections at remote locations or the homes of the auditors
- Remote conferencing facilities
Internal audit departments need to adapt the recommendations of the AICPA and certification bodies to develop approaches, policies and procedures for conducting remote audits. This calls for a new way of working, and it requires support from management. Executives should take the lead and effectively communicate the new norm of remote internal audit throughout the organization. Remote auditing requires buy-in from various stakeholders and employees to ensure that it is given the importance it deserves and does not become diluted.
In addition to the restrictions created by the current pandemic, there are other situations where remote audits may be considered, either now or in the future, including:
- Availability of relevant stakeholders such as process owners, asset owners, risk owners and data owners for providing information for audits
- Restrictions on accessing production data remotely including those due to security policies
- Situations that limit or prohibit complete and accurate information for review of controls-related processes required for testing for audits
- Availability of technology required for conducting remote audit
There are pros and cons to conducting remote audits. Auditors should consider both before deciding to conduct remote audits. It may be noted, however, that during this current pandemic, conducting remote audits is a better option than deferring audits.
Conducting remote audits can improve productivity by eliminating inconveniences and saving time and money required for travel and logistics. Most important, the management of the auditee organization may also reduce costs and save money because onsite audits are timebound and must be completed in a pre-defined time period, which may not be required for remote audits.
There are some important questions identified by the APG to be considered in cases of remote audits:6
- When conducting virtual walk-throughs, either with the help of a remote video camera operated by the auditee or stored CCTV camera images, there can be questions such as:
  - Are these real-time images or video records?
  - Is this the entire control environment or just what is chosen by the auditee?
- Will the Internet connection required for interviews, meetings and other data gathering be stable and have adequate bandwidth?
- Can we audit the processes and sites as realistically as can be done in person?
- Can we get a good overview of the facilities, equipment, operations and controls?
- Can we access all required and relevant information?
When in doubt, a site visit may be considered for a shorter duration to confirm the answers to the questions once in an audit cycle, but it is not necessary for every audit.
There can be other challenges associated with remote audits, such as:
- Remote audits may not be approved or accepted by some regulators or certification and accreditation bodies.
- All auditee locations may not support sophisticated technology, which can lead to availability issues, malfunctions or other anomalies with technology.
- There may be a lack of management and process owner involvement.
- Auditors may be uncomfortable with technology, as some auditors feel they can trust the audit only if they have physical access to audit evidence. This can be true particularly in cases of physical walk-throughs.
- Auditors must have adequate training and experience in the use of technology.
To carry out remote audits, these steps should be considered:
- Understand the audit scope and auditee area.
- Determine the tools and setup required to conduct the audit.
- Prepare an audit plan.
- Set up audit meetings using virtual meeting tools. Discuss the plan and schedule during the first meeting, and explain the document sharing and evidence collection method. Ensure and provide assurance of the security of the information collected from the auditee.
- Use CCTV footage or mobile cameras for physical walk-throughs. If this is not possible, defer the physical security audit until a site visit can be conducted.
- Consider auditee resources, work schedules and plan breaks.
- Review the documents and analyze evidence.
- Discuss the draft audit report on a call or in a virtual meeting.
- Declare the limitations of the remote audit, if any, in the report.
Remote audits will continue even after the current pandemic is over. These will not replace onsite audits, but the frequency of onsite audits may be reduced. Managers from auditee organizations are finding remote audits very attractive due to minimized interruptions, flexibility of schedules, and reductions in logistic efforts and costs.
Endnotes
1 Murphy, M. L.; “AICPA Best Practices for Conducting Remote Audits in Uncertain Times,” Compliance Week, 6 April 2020, http://www.complianceweek.com/accounting-and-auditing/aicpa-best-practices-for-conducting-remote-audits-in-uncertain-times/28710.article
2 British Standards Institution, Remote Audits, United Kingdom, 2020, http://www.bsigroup.com/globalassets/localfiles/en-th/our-service/assessment-and-cert/remote-audit/bsi-remote-audit-flyer-final.pdf
3 DNV GL, Remote Auditing—Getting the Most Out of Every Interaction, Norway, 2020, http://www.dnvgl.com/assurance/remoteauditing/index.html
4 International Organization for Standardization (ISO) and International Accreditation Forum (IAF) ISO 9001, Auditing Practices Group Guidance on: Remote Audits, Switzerland, 2020, http://committee.iso.org/files/live/sites/tc176/files/documents/ISO%209001%20Auditing%20Practices%20Group%20docs/Auditing%20General/APG-Remote_Audits.pdf
5 International Organization for Standardization (ISO), ISO 19011:2018(en), Guidelines for Auditing Management Systems, Switzerland, 2018, http://www.iso.org/obp/ui/#iso:std:iso:19011:ed-3:v1:en
6 Op cit ISO, IAF
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Has worked in IT, IT governance, IS audit, information security and IT risk management. He has 40 years of experience in various positions in different industries. Currently, he is a freelance consultant in India.