A remote audit or virtual audit came as a boon to audit teams during the unprecedented COVID-19 crisis. It is a method of conducting an audit remotely using technology. Just like an onsite audit, it covers interviews with management and employees and the verification of documents and reports.
A remote audit can be internal or external. It can take place at any stage of the certification process and can provide many advantages.
Contrary to the widespread belief that only onsite audits yield results, remote audits can bring plenty of advantages. They force auditors to think out of the box and come up with creative resolutions to critical issues. Remote audits can enable active participation from people with different skills and expertise, and help analyze issues and reach resolutions cost-effectively.
Remote audits allow auditors to interview a global network of employees without travelling. They also help auditors remain on schedule even with travel restrictions. By using technology and effective tools, stakeholders can perform large amounts of work asynchronously. This allows them to work in their own space and increases the effectiveness of audit efforts.
Remote audits can be less costly. The money saved on travel and the time saved can bring significant cost reductions. Communication before, during and after the audit can also be recorded. This provides better visibility to leadership teams and improves the quality of audits.
The remote audit is a dynamic process in which auditors engage with technology to audit. The phases of the audit process are:
Define the audit scope first. Then, develop a remote audit plan. The audit plan should cover the criteria, the checkpoints that will be audited remotely, and the technology used during remote auditing. Once the methodology and approach are confirmed, schedule the audit date with the firm.
Conduct a kick-off meeting with the management explaining the procedures of the audit. Take a record of the opening session attendees, and identify whether there are any changes to the audit plan after the initial meeting with the management.
The remote audit includes the review of internal controls, documents, evidence and proofs, and conducting remote interviews with employees. The proofs and documents are reviewed to support the findings. The team can then conduct a closing meeting with the management and convey the findings.
The audit team can create an audit report, and also document the methodology and techniques used in the audit and report whether the audit was effective in achieving its goals.
Any type of audit involves the review, analysis and evaluation of processes, documents, evidence, systems, and organizations. Auditors assess the accuracy, validity, reliability, verifiability and timeliness of information, as well as the sources and processes by which that information is obtained. Integrated software like VComply helps automate processes and workflows, conduct methodical audits, report incidents, and resolve issues promptly. Using VComply, it is easy to collaborate with stakeholders. It also keeps employees responsible for their obligations, and facilitates oversight in executing compliance obligations. Documents and proofs are made available and accessible. It also provides powerful reports and intuitive dashboards to help auditors gain real-time insights into the organization’s compliance data and risk exposure.
The primary role of auditors is to help the organization remain compliant and meet its objectives efficiently. The growing and changing needs of stakeholders, crisis management requirements, and uncertainty have widened the scope of internal audits. In response to these requirements, new trends have emerged in the field of internal audit that will add value to the organization and guide it through the landscape of risks.
Here are some of the new trends in Internal Auditing:
Disruptions, threats, uncertainty, and change are part of today's organizations. From cyber-attacks and climate change to supply chain disruptions, organizations face numerous challenges. They need a resilient approach, frameworks, and mechanisms to bounce back when they are dealt unexpected risks. In this environment, internal auditing should assume bigger responsibilities beyond just evaluating the company's compliance challenges, fraud detection, and reporting. Internal auditing should take on a central strategic role in an organization and provide insights to the management to run the organization efficiently. It should provide guidance to govern risks, stay compliant, and implement an operational resilience strategy.
The pandemic has forced companies to go remote. And, at least for some companies, the trend is remote from now on. Like other functions, audit functions need to adopt tools that overcome communication and availability challenges. The adoption of communication technologies enables audit evidence collection, review of records, and report generation to support audit conclusions. Companies must conduct risk assessments and document the outcomes achieved through remote auditing. Internal audit must take up a proactive role by giving insights concerning different risks, challenging practices and processes, and the organization's overall risk landscape.
Audit teams need to be agile to keep up with the increasing pressures on organizations. They should let go of rigid practices and long audit cycles and instead focus on the organization's present needs, respond quickly to changing risks, adopt short and accelerated audit cycles, and reduce documentation requirements. Agile auditing empowers auditors to prioritize audits based on their importance and provide long-standing value.
While many companies are looking at technology specific to the audit function, others that have already invested in technology are expanding the role of automation and analytics. Audit automation simplifies the process of constructing new audits and creating new checklists. It ensures that non-compliances and weak areas are properly addressed. Thanks to advanced machine learning techniques, auditors are gaining invaluable insights by accurately analyzing massive amounts of information, saving time and money. Meanwhile, advanced analytics can shed light on new risk patterns, anomalies, internal control gaps, or opportunities. They help internal auditors improve the scope and quality of their work, while also delivering better insights to stakeholders.
Organizations use GRC tools such as VComply to conduct audit programs, schedule audit checklists, and issue audit reports. The advantage of such a tool is that you can monitor and improve upon control systems and areas of risk in an ongoing manner and in real time too. Moreover, you govern your business better as you are no longer working in silos and with spreadsheets, but organization-wide, with customized software. VComply, for instance, allows you to schedule tests, classify incidents, track progress and more. Now that you are aware of the basics of conducting an internal audit, venture forth to create a robust and consistent business process!
The very mention of the word audit evokes panic for business owners and compliance officers. You might be surprised to know that auditing can become a painful experience even for the auditors. Tight audit budgets, the number of policies to flick through, and lack of cooperation from stakeholders can all pose obstacles for auditors.
We spoke to some internal auditors, and here are some of the major challenges they face:
If the organization you audit does not understand the importance and scope of the audit and does not provide you with enough information, then it becomes difficult for you to complete the audit process.
Make clear what the expectations are. Agreeing on the terms of the audit engagement is one of the requirements. It ensures a clear understanding and communication of the auditor's responsibilities and the duties of the management. As an auditor, you need to make your organization understand that you intend to identify risks and then help them make a remediation plan.
Hear what the leadership team and staff have to say. You need to understand what is working for them and what is not, and what they want to improve in the organization. Ultimately, you need to suggest improvements to help them get what they want. Once you get their cooperation, they will share the evidence and data you need!
If you fail to define the audit scope, audit conversations may spill outside the scope, and the audit can become vague. At the same time, if you come across critical findings during the audit, they are worth mentioning and exploring, even if they are beyond the scope of your audit work. The internal controls implemented to be compliant with standards like PCI DSS, NIST, GDPR, and SOX could be your primary focus.
The auditor's responsibility lies in finding out whether the defined requirements are met. Instead of looking for whom to accuse, the focus should be on remediation. However, this does not mean that the auditor can let go of findings of blatant fraud. The auditor as well as the management is responsible if a fraud is ignored, unless proven otherwise. Fraud may arise due to management override of internal controls. The auditor has to set aside all assumptions and apply professional skepticism when carrying out the audit. Checking the appropriateness of journal entries will ensure that there are fewer chances of collusion. Segregation of duties should be in place. Any inappropriate or unusual activity should be flagged. Any provision or accounting estimate should be thoroughly checked for fraudulent intentions and biases. Hence, a retrospective review of management judgments and assumptions related to significant accounting estimates is important.
This article has tried to highlight the major challenges that an auditor faces. The auditor's primary goal is to make the organization better. A good review process by the audit firm may also flag additional areas as deficiencies in the process. Thus, ensuring robust internal controls and timely compliance will help the company to emerge victorious in such scenarios. VComply is a robust compliance and audit management software that helps auditors analyze and report on audit findings.
Internal audit plays a crucial role in guiding an organization with key insights on corporate governance and suggests improvements for strengthening compliance, reducing risks, boosting efficiency, and enhancing regular operations. It probes into soft spots and critical business areas and reports to senior management within the organization.
Standards like ISO demand some amount of internal auditing. But the management can decide how much more internal auditing is required depending on how much is at stake for the organization. It is possible for you to engage an external, third-party auditor to step in if you do not have a competent team of internal auditors. However, having an internal team that can serve as a trusted consultant is always an upside. When internal audit performs an objective analysis of departments, the end result is fewer threats and more savings in compliance costs.
Below is a step-by-step guide that can be followed for an audit.
Step 1: Plan for and create an audit program
Identify what needs auditing and how often:
Depending on the risks you face, the control systems in place, and the requirements on governance, you can have more or fewer audits. If the threats are many or costly, you typically want to audit those risks more often. If you are a finance company, you could audit cash handling and credit card usage fairly frequently, while also auditing cybersecurity, cost saving opportunities, and customer service routinely.
Schedule the audit and notify teams:
It is very helpful to create an audit calendar, as this ensures fruitful auditing. Your teams will have more documentation and records to bring to the table if they know well in advance that they are expected to keep their material ready for a review. Surprise audits might be helpful, but they may also sow distrust. It is customary to alert teams of scheduled audits with a notification.
Gather information and define the scope:
Part of this step involves gaining sufficient subject matter expertise. If you handle a lot of personal data, for example, you want your auditors to be well versed in the likes of SOX, PCI DSS, HIPAA, FISMA, and FedRAMP, as well as business best practices that have a bearing on risk management and control systems. External auditors can be of help, depending on the level of expertise required.
Another part of this step is risk assessment. The inputs and concerns of the leadership are essential here, and depending on your business, you want to know your inherent risks and the impact recent regulatory changes have on your operations.
Outlining the objectives and scope of the audit in an entrance meeting is also important. In general, the main objectives of internal audit pertain to the evaluation of risk management systems and internal controls. But specific objectives, such as a 6-month review of financial activity, a vendor assessment for conflict of interest, and a review of company data security, can help clarify the scope and purpose of the audit.
Draft an audit program:
With risk assessment done and the objectives laid out, you can proceed to planning for a fruitful yet cost-effective audit. The program should list out practical elements, such as:
● Audit methodology
● Deliverables like audit report
● Controls to be tested
● Deadlines and timetable
● Modes of communication
Step 2: Focus on fieldwork
On-site fieldwork comprises the evaluation stage of the audit. Internal audit will seek to gather audit evidence through different modes. These include:
Depending on the scope of the audit, the on-site fieldwork could stretch from days to months. Nevertheless, care must be taken to ensure that disruptions to regular activity are minimized. Further, internal audit may raise issues as they surface and provide preliminary evaluations. This is beneficial, as informal communication can help the organization adopt recommendations on the go. Proper communication is a vital component of an internal audit. In fact, many rue the fact that poor communication lessens the value of critical information.
It can be helpful to have internal audit categorize risks into high, moderate, and low, for instance, and provide audit status updates in case the audit is long. Once internal audit has satisfactorily gathered audit evidence and all necessary information, it should proceed to documenting results. Systematic recording of findings makes for a better audit report.
Step 3: Issue an audit report
The most important deliverable of the audit is the audit report. The format of the reporting may differ from one organization to another, but the goal of the report is to present the audit findings in a formal manner.
The reporting phase may include these 3 elements:
The reporting step is of great importance and efforts should be taken to ensure that it receives adequate budgeting. The audit report stands as evidence of the audit being conducted and must be signed by senior management.
Step 4: Follow-up after the audit
Many organizations today have a structured process to verify whether the action plan is being implemented or not. If the corrective measures require time, monitoring and follow-ups become necessary. The ISO PDCA (Plan, Do, Check, Act) model supports an ongoing cycle for the improvement of processes and systems. Internal audit can adopt this method to improve upon areas where gaps have been identified.
Organizations also use GRC tools such as VComply to foster a healthy environment of compliance and adequate risk management. The advantage of such a tool is that you can monitor and improve upon control systems and areas of risk in an ongoing manner and in real time too. Moreover, you govern your business better as you are no longer working in silos and with spreadsheets, but organization-wide, with customized software. VComply, for instance, allows you to schedule tests, classify incidents, track progress and more.
Now that you are aware of the basics of conducting an internal audit, venture forth to create robust and consistent business processes!
With the digitization of services progressing at a relentless pace, businesses are storing large volumes of customer data. But with sensitive information being routinely handled by service providers and third-party associates, there is a pressing need for increased information security. Data breaches and cybercrime, too, are a threat to security. In such a scenario, it is not uncommon for clients to want an independent review of your internal controls for data security prior to partnering with you, especially if you are a SaaS organization.
This is the kind of guarantee that a SOC 2 audit provides, and many organizations seek to be SOC 2 compliant to possess more robust internal controls and improve their trustworthiness. For an in-depth look at what SOC 2 is and the relevance of SOC 2 audits, read on.
Framed by the American Institute of CPAs (AICPA), Service Organization Control 2 or SOC 2 lays down a framework for strong information security for cloud service companies. SOC 2 applies to SaaS companies and businesses that upload customer data to the cloud, and aims to safeguard this data through 5 Trust Services Criteria.
The 5 Trust Services criteria are:
● Processing integrity
Accordingly, SOC 2 compliance is about an organization being able to assure the security of customer data, based on these 5 principles, using adequate controls and systems. Beyond the criteria, SOC 2 also provides an auditing procedure, and a SOC 2 audit report aims to assure users, clients, stakeholders, and third parties that the organization is complying with the criteria in place for handling sensitive information.
That said, SOC 2 reports are unique to your organization, and you have the power to design controls and systems to comply with the Trust Services Criteria that are relevant to you. SOC 2 audits are performed by accountancy organizations or an independent CPA (Certified Public Accountant).
Companies and clients you liaise with may not require you to furnish SOC 2 reports. SOC 2 compliance is not a strict necessity in that sense. However, being SOC 2 compliant has its share of benefits. Here’s a look at what they are.
● When auditors attest to your organization’s systems and controls for data security, you possess a competitive advantage in the market. All things being equal, clients are sure to prefer an organization that assures them of information security and integrity.
● SOC 2 compliance can help boost your other compliance efforts, such as preparing to be compliant with ISO 27001.
● Data breaches can cause grave financial losses and have legal ramifications too. Being SOC 2 compliant is an ideal way to safeguard yourself against such aspects.
So, while SOC 2 compliance is not mandatory, objectively speaking, it may be required for your organization on a practical level.
The 5 Trust Services Categories outlined by AICPA are:
Security: Refers to information and systems being protected against unauthorized access, unauthorized disclosure, and damage that could affect the entity’s ability to meet its objectives.
a. Information protection in this case covers the points of collection, creation, transmission, storage, processing, and use
b. Systems under protection are those that employ electronic information to act on the information gained
The security criterion seeks to safeguard customer data against aspects like theft and unauthorized disclosure. Consequently, tools like two-factor authentication can be used to secure data.
Availability: Refers to systems and information being available for operation and use to meet the entity’s objectives.
So, your systems need to be available and accessible as per the terms of your service agreement. Availability is vital, for instance, if you run a datacenter or a web hosting service, which requires data to be accessible 24/7. Likewise, if you sell a SaaS product, you need to ensure that it is available for use, as per the agreement.
Processing Integrity: Pertains to services provided or goods manufactured, distributed, or produced. It ensures that the audited system’s processing is valid, complete, timely, accurate, and authorized in such a way that the entity’s objectives can be met.
If you provide e-commerce services or transact on behalf of clients, processing integrity should make its way into your SOC 2 report. This assures clients that data modification is authorized, processing errors can be detected, system output is accurate, and so on.
Confidentiality: Stipulates that information that is held as confidential is aptly protected to meet the entity’s objectives. This applies from the point of collection right through to removal. While privacy pertains to personal information, confidentiality refers to other information as well, such as proprietary information, trade secrets, and intellectual property.
An example of data that needs to be protected is personal health information. If your organization collects and stores such information, an audit of confidentiality ought to be carried out as per the SOC 2 guidelines.
Privacy: Refers to the collection, use, retention, disclosure, and disposal of personal information to meet the entity’s objectives. Privacy has parameters such as:
a. Notice and communication of objectives
b. Choice and consent
d. Use, retention, and disposal
f. Disclosure and notification
h. Monitoring and enforcement
The privacy criterion verifies that your organization is handling customer data in accordance with the privacy terms agreed upon.
SOC 2 has two types of reports. Type 1 reports attest to the design of controls and security systems at your organization at a specific point in time. Type 2 audit reports are broader in scope. They contain everything that is included in Type 1 reports and also attest to the effectiveness of the controls in place, evaluated over a period of 6 months or more. Thus, a SOC 2 Type 2 report is more valuable.
A SOC 1 report attests to financial controls only. It is mainly for other auditors. A SOC 2 report attests to controls that come under the 5 Trust Services Criteria. A SOC 2 report is mainly for the company itself, and while SOC 1 focuses on internal controls over financial reporting (ICFR), SOC 2 focuses on data handling as per the Trust Services Criteria. A SOC 3 report is a general-use report that is designed for public sharing. It is a high-level summary of the SOC 2 report but does not go into the details of the information in it.
A GRC platform like VComply can help you design internal controls that keep your organization compliant with the criteria requirements of SOC 2. VComply provides an uncomplicated way for you to manage compliance and risk, allowing you to assign controls and track them through an intuitive interface. For instance, you can assign responsibilities for data security so as to comply with SOC 2’s primary criteria.
Being SOC 2 compliant is sure to throw open doors to business opportunities and improve customer confidence in your services. Go about it the smart way with a GRC solution by your side!
The tick mark has grown to become a symbol of the internal auditor’s raison d'être, but the primary role of internal audit is not, in fact, defined by stationery and workpapers. The Institute of Internal Auditors (IIA) notes that:
“The role of internal audit is to provide independent assurance that an organization's risk management, governance and internal control processes are operating effectively.”
Today, in the wake of the pandemic, organizations across the world are not just realizing the importance of internal audit, but also appreciating the merits of internal audit that go beyond the confines of ticking and tying. With automation, AI, and ML bringing data-driven insights to the table, C-suites and boards are better able to realize why internal audit departments should exist. What is the primary objective of auditing? It’s about offering an independent opinion. But how many times do auditors unearth matters that are of immense importance? The crux of the issue lies in going beyond sheets and into strategy. For that, it is helpful to list out some best practices that can change how internal audit works.
This applies to what and how much. After all, internal audit teams help boards and the C-suite steer the ship. It is of prime importance that auditors are trained to look at the big picture and not just at minute details, which very often have no significant consequences for decision making. As the pandemic unfolded, many organizations were confronted with realities they had hitherto turned a blind eye to, and if internal audit can unmask threats with well-timed counsel, it will well and truly have done its job.
The objectives of each audit, too, must be defined so that teams do not get overwhelmed with scope creep. This is when you aren’t able to audit in a modular way and end up investigating and rummaging through everything. To define the scope of the undertaking, it can be helpful to learn from past audits and factor an element of structure into the internal audit process by drawing out a schedule, assigning responsibilities, setting a budget, and so on.
One thing the pandemic made clear is that a spotless past is no absolute guarantee of a seamless future. Many ways of working were condemned to at least temporary obsolescence and today, many organizations question their preparedness for things to come in the future. Hence, internal audit has the chance to evolve into the role of a dependable advisor. The emphasis here lies on what lies ahead. Yes, GRC is important, but consulting must come to the fore too.
Shining a spotlight on issues that have occurred, and even diagnosing them is one thing, investigating processes for issues that may occur in the future is quite another! This is the kind of value that leadership and stakeholders seek, especially after the pandemic. Forward-looking internal audit can take many forms: providing data on how much of a cybersecurity risk work from home poses, probing into current employee morale and what a company needs to do to avoid attrition, alerting management to current ways of working that are likely to come under environmental sanctions in the future, and so on. The advantages of internal audit multiply when you add strategy to assurance.
You’ll note that shifting the focus from hindsight to foresight is not so much about the internal audit process as it is about the competence of the team. As such, it makes sense to recruit and retain top talent. Besides technical audit skills, there are several competencies that you should look for in your auditors.
Data analysis: There is a reason that data science is in vogue and people from all professions are taking to it. With operations and processes becoming increasingly digital, there is a dire need for professionals who can work on that data, make sense of it, and churn out insights from a heap of 1s and 0s. This means that if an audit lead, for instance, were to be able to process data, he or she could instantly steer the internal audit team towards bringing data-driven insights to the executive table.
Soft skills: Irrespective of the internal audit procedure and the technical skills it mandates, what does not change is the requirement for soft skills like exemplary communication. Often, these are hard to teach and given that internal auditors communicate with persons at different levels of the organization, the audit committee, board, C-suite, employees, and stakeholders alike, soft skills can be the factor that determines the efficacy of an audit.
Cybersecurity: With online work going mainstream and unsafe cyber practices being commonplace, a fragile digitally-connected world is now a reality. Along with this comes the increased probability of a cyber pandemic that can cripple industries on a global scale. Far from being a conspiracy theory, this is what entities like the World Economic Forum are talking about. Having an internal audit department that understands cybersecurity is almost a necessity today (why wait for the next pandemic to strike!).
Ancient philosophers believed that what is received is received according to the mode of the receiver. Meaning that an internal audit report may be only as good as the way it is accepted. Since it is to comprise an independent opinion, it becomes necessary to foster transparency across the organization, and definitely between the auditors and the people they are reporting to. If internal audit reports to an audit committee, things become easier, but, for instance, in a small organization, if auditors must report to the department they are auditing, it becomes tricky.
An interesting way to improve transparency across the organization is to reduce the gap between employees through collaboration. If auditors work with other employees and vice versa, mutual trust will be formed, and further, cross-team projects give internal audit an opportunity to glean strategic insights.
The traditional internal audit checklist is replete with items like repetitive tasks, manual data extraction, spreadsheet-intensive work, and report preparation. Not only are many of these time-consuming, but in other fields tasks such as these have already been automated. It is this gap that GRC solutions like VComply seek to fill, offering internal audit capabilities such as real-time metrics, easy reporting and dashboarding, advanced data analytics, compliance management, and remote auditing tools.
Deploying such software organization-wide increases the scope of internal audit instantly and is in fact a clear sign that you want to move beyond tick marks and spreadsheets, and into the realm of data-driven insights and advice. Good luck!