Well, almost a year has passed, and we are really no closer to being able to conduct security control assessments on-site. So, for those of you who have been playing the waiting game, it’s time to get on board and start doing them virtually (or you can wait until the regulators and/or internal audit weigh in). For those who have already embraced the new reality, let’s discuss what we have learned to date.
Hey, When Do You Know If Virtual Assessments Can Be Done?
While they certainly require more upfront planning and collaboration between the assessor and the vendor, most of the activities conducted on-site can be effectively done virtually. The key is planning and collaboration to determine the technology to be used and the “rules of engagement” for artifact review and interviews. The platform used for artifact sharing must have sufficient security and access controls to assure the vendor not only that they control who accesses the information, but also that it stays safe from unauthorized access. Sharing highly confidential documents and information has been done in this manner for years in the M&A world. There is no reason not to apply that same technology here for controls evaluation.
Prioritize The Controls You Evaluate
In many instances we took the easy way out when scoping on-site assessments. Gee, we’re on-site, so let’s just look at everything. That approach does not work in the virtual world. Use your self-assessment questionnaire (hopefully the SIG) and the artifacts you collect to define and refine the scope of your controls assessment. Take the time to determine what controls truly need to be tested, particularly if you have a history of “positive” controls assessments.
Be Flexible When it Comes to Acceptable Due Diligence
Instead of physically looking at dashboards and reports, you may be given screenshots, videos, or live camera views. Keep in mind that the method used to provide control validation isn’t the important part. What is important is whether the information provided is sufficient for you to evaluate and/or test the controls. Test sampling is another area where efficiency can be obtained. Look at whether the samples you request can be used to test multiple control areas. Doing so will reduce everyone’s effort.
Be Aware of Changes in the Vendor’s Environment Caused by the Pandemic
We all share the common bond of having had to quickly move to remote/virtual workforces. What this means in the world of controls assessment is that many companies that never allowed remote access to systems are doing so today. Therefore, this may be an area you have never previously assessed with many of your vendors. What else falls into this category of not having been previously evaluated? Take the time during your scoping process to determine what else may have changed in the vendor’s business processes that creates new risk areas (and thus the need for controls evaluation).
The additional investment in planning and time spent collaborating with your vendors on how to conduct assessments effectively and safely will pay off in the end with less costly and more efficient controls assessments, with the additional benefit of keeping you in the good graces of your regulators and internal auditors along the way.