The constantly evolving nature of IT continues to provide both opportunities and challenges within the IT audit profession. While remote auditing is nothing new, the COVID-19 pandemic and resulting need for social distancing fast-tracked the adoption of remote and hybrid audits. Key benefits of these methods include cost reduction due to decreased expenses (e.g., travel, accommodations), the ability to make use of global teams with varied skill sets, and time and resource flexibility regarding audit engagements. On the other hand, there are also several challenges, including increased privacy and security risk, complexities and nuances in what is considered accurate and complete evidence when provided remotely, and limitations in evidence gathering.
To ensure that maximum benefits are realized when conducting IT audits, there are several factors to consider, including the complexity of the IT audit, industry best practices and the audit objectives of each assignment.
Continuously Assess Risk
Risk associated with performing an IT audit remotely should be adequately assessed to determine feasibility prior to the commencement of the audit and continuously reviewed throughout the audit cycle to ensure that key success factors are met. Risk mitigation strategies inform the best auditing approaches and allow for adjustments to be made in response to any changes to scope, business processes, timing of the audit, etc. Feedback from prior audits can also be utilized to ensure that improvement points are incorporated.
Assess the Auditee’s Resources
A successful remote audit utilizes technologies such as video conferencing software, smart devices, drones and network connectivity. Key to consider are the compatibility of technology platforms between the auditor and the auditee and any possible restrictions such as encryption, virtual private networks (VPNs) and file transfer limits.
Common examples of pitfalls encountered by auditors include:
- Organizational policy restrictions prohibiting the auditor or auditee from installing software that is not authorized by the other’s organization
- Failure to decrypt information shared between the auditor and auditee
- Failure to possess the ability to screenshare on legacy IT platforms or applications
- Limited access to audit elements of the IT environment due to IT systems being hosted on third-party platforms
To overcome the pitfalls above, it is important to adequately prepare for the audit, taking into consideration all possible scenarios that may impact the successful completion of the audit. Where budgets allow, pre-audit checks on the auditee’s IT environment and processes will provide an indication of potential challenges and can indicate the auditee’s readiness for the audit. Another approach is to plan the audit in phases, ensuring that challenges identified in the initial assessment can be addressed and any adjustments to the audit approach made in a timely manner before proceeding to the next phase of the audit.
Adequately Prepare: Scope, Timelines and Costs
Adequate planning is key to understanding the total effort required to achieve audit objectives and the feasibility of performing the IT audit remotely. The extent, complexity and depth of the audit affect the proposed timelines, which can drive a decision to adjust the audit strategy. The scope and timelines influence the team composition, since skill requirements are a factor. Time differences need to be taken into consideration if team members are in multiple locations. While there could be a reduction in travel costs and expenses, there are also costs that arise because of licensing fees and training requirements for technology that supports remote work. Planning is key in ensuring that benefits are adequately assessed and optimized throughout the audit cycle.
Consider Evidence Requirements
To perform a quality audit, sufficient and appropriate evidence must be obtained to draw reasonable conclusions. With remote auditing comes a higher risk of manipulation of evidence. Methods such as obtaining screenshots, system extracts or recordings during virtual walkthroughs and testing can offer some reassurance as to the completeness and accuracy of information. However, there are cases where the auditee needs to run scripts or reports over a longer period of time, in which case the auditor cannot observe them continuously. This raises questions about the accuracy and completeness of the evidence provided.
The auditor must apply professional skepticism when assessing this evidence and address the risk of incompleteness and/or inaccuracy. While gathering evidence, the auditor needs to consider:
- Delivery method of evidence and security during transmission
- Potential delays in the auditee providing evidence
- Implementing adequate controls when it is not possible to observe evidence as it is produced
- Possibility of using automated evidence-gathering tools to lessen the risk of manipulation
- Retention and destruction of evidence after use
- Potential privacy and confidentiality violations
Assess Communication Needs During the IT Audit
Traditional/onsite auditing allowed for a quick drop-in meeting with the auditee to verify or clarify information. It also allowed the auditor to pick up on body language and reactions during interactions with the auditee. With remote auditing, this may not be possible or timely. The auditor needs to anticipate such challenges and clearly articulate requirements while also leveraging virtual walkthroughs and testing sessions.
Ongoing communication during the IT audit can improve the quality of communication and allow relationships to be built. This is necessary to avoid pushback from the auditee, which can result when there are constant breaks or long periods of no communication throughout the audit. To remedy communication challenges, the auditee needs to provide regular feedback on progress, delays and other updates. Requesting audit requirements in advance can also assist the auditee in preparing the information and ensuring that the information is provided by the right person.
Address Teaming Considerations
Performing a remote IT audit requires the auditee to have appropriate skills for assessing the audit area. It requires timely reviews and engagement with various stakeholders during the audit. It may be difficult to identify any issues the team may be facing because of remote working; therefore, there is a need to determine and agree on the best strategy to ensure that challenges and delays are identified and solutions are implemented in a timely manner.
The auditee should also ensure that the best contact person is identified based on the information to be provided, responsibility, competency and their availability to assist during the time scheduled for the audit.
Conclusion
There is no one-size-fits-all approach to performing a successful remote IT audit. Care must be taken when assessing the best approach, balancing benefits with compliance requirements. With more organizations opting for hybrid or fully remote audits, there is a need to continuously adapt and innovate while making use of this opportunity to add more value to organizations.
Editor’s Note
Hear more about what the author has to say on this topic by listening to the “Key Considerations for Conducting Remote IT Audits” episode of the ISACA® Podcast.
Sandra Kuyengwa, CISA, CRISC, CDPSE
Is an IT Audit Assistant Manager based in the UK with over 6 years of experience in delivering and leading complex technology risk assessments across various industry sectors including Financial, Mining, Manufacturing and Telecommunications. She can be reached at http://www.linkedin.com/in/sandra-kuyengwa-26bb3823/.