With official reports that the U.S. economy has entered a recession, organizations are looking for every opportunity to cut costs and grow their business. And while the economy slowly reopens, most organizations are opting to work from home because of the advantages it offers. Yet, despite this economic slowdown, compliance remains mandatory and the trust it provides is at a premium. With organizations working more from home and compliance remaining mandatory, the ability to complete audits remotely is more important now than ever before, both for the business value of compliance and the efficiency (cost and flexibility) of the approach.
Fortunately, almost every regulatory board or accrediting body recognizes the value of remote audits and their importance in these times. Ultimately, the responsibility to conduct remote audits effectively falls to the CBs or QAs conducting the testing, so make sure your auditor has that ability.
AICPA – SOC 1/SOC 2/AUP
According to the AICPA FAQs SOC 1® and SOC 2® Issues Arising From COVID-19, remote audits are allowed. The AICPA notes that there are risks from a remote workforce that may have emerged, such as managing call centers from home or effectively maintaining controls during layoffs. However, remote audits are permitted since video conferencing and remote records review can help maintain social distancing protocols.
ANAB – ISO 27001/ISO 22301
ANAB has published a series of “Heads Up” advisories, including Issue 445, Issue 448, Issue 449, Issue 450, Issue 452 and Issue 453. ANAB has stressed that health and safety come first since the beginning of the pandemic and acknowledged the pandemic may cause delays. Although ANAB is still requiring audits to be completed in 2020, the organizations is granting a six-month extension if the outbreak prevents recertification. Previous guidance from the IAF Informative Document For Management of Extraordinary Events and Accreditation Rule 9 already enables remote testing.
PCI SSC – PCI DSS
According to the PCI SSC COVID-19 communication page, the process for a remote audit was outlined in a December 2017 Article. And from July 31 to Oct. 31, the PCI SSC is granting six-month extensions. In March, PCI SSC published a remote assessment blog that acknowledged that an assessor may not always be able to be on-site, but that the assessor is still responsible for maintaining the integrity of the assessment. A follow-up remote assessment blog provides much more detail and some potential risks, such as disabling security controls to enable remote testing.
HITRUST has published a series of advisories in response to the outbreak. A March advisory, HAA 2020-001, waives on-site requirements to enable remote audits, citing the risk assessment-related travel. HAA 2020-004 announced Bridge Assessments, which grant a 30-day extension for reassessments, recognizing the challenges that organizations face during this time.
FedRAMP has not provided any communication related to remote audits. As of now, organizations still need to plan for on-site testing; however, a FedRAMP Security Assessment Report (SAR) may delay this testing by 90 days by recording it in a Plan of Actions and Milestones (POAM).
Realizing the Strategic Value of Remote Audits
To summarize, the majority of audits can be conducted remotely and many are offering grace periods for recertification or reassessment. If organizations are considering more than one of these audits, they should be advised that they could address multiple security standards at once.
According to Gartner’s “Market Guide for Organization Security Certification Services” published May 26 by Brent Predovich, Katell Thielemann and Sam Olyaei, “The control requirements and the sections of the security standards against which certifications and attestations are generated have significant overlap. If there is a need to obtain more than one certification or attestation, there is value in consolidating audit planning, audit data gathering, interviews and evidence collection efforts into a vendor selection exercise with multiple security certifications/attestations.”
Strategic compliance may be defined as centralizing evidence collection and audit processes, standardizing compliance requirements and consolidating audits and service providers into a streamlined project approach. In this way, remote audits should be considered a tactic to enable strategic compliance, as the elimination of in-person requirements further streamlines the audit process and efficiencies. As business leaders continue to navigate uncharted territory, they can establish a sense of certainty through compliance—and they can approach compliance more strategically to drive business growth. Remote audits will help achieve this goal.