“As auditors, we abide by clear rules that are repeatable,” Doug Landoll said this month in his ISACA Conference North America presentation, “Remote Assessments: Retooling Security Risk Assessments in a Pandemic Environment.” He shared some of the work-around solutions he has tested over the last 14 months in which he hasn’t been onsite for audits.
To retool risk assessments, you must optimize your communications; Landoll found that conference calls were not conducive to complete interviews and that video conferences are a must. He recommended shifting evidence sources, such as having someone familiar with the office complete the physical walk-through as they video conference with you; they are likely to know the quirks of the spaces. Other retooling efforts include adjusting contract language to reflect offsite work and to review the audit report boilerplate to reflect the new approach.
“You must audit current state,” Landoll said. “That can be very different in a pandemic – current state can be fluid. Be precise and document to capture the current state and pin down the current processes.” Landoll believes that remote auditing is here to stay, and said “all auditors need these tools in their bag, even when Covid is in the rearview mirror.”
Another audit-themed ISACA Con session, “The Harsh Reality of Audit Fatigue” with presenter Steve Horvath, vice president, Strategy & Cloud, Telos Corporation, noted that organizations being subject to multiple regulations and standards are among the factors that can contribute to audit fatigue.
Horvath laid out several recommended approaches to addressing audit fatigue, including:
- Embracing automation (the overwhelming majority of security professionals believe their organizations would benefit from or be interested in an automated solution to manage audits)
- A focus on maturity
- Remediation and security orchestration
- Centralized communication and a repository for BoE across teams
- Concise asset inventory and definition of critical systems
- Mapping across multiple regulations – test once and comply with many
- Utilizing controls inheritance