The New Normal:
Fully-Enabled Remote Audits

The new normal is anything but normal, but before we join in the chorus of “uncertain times” let’s take a moment to reflect on how standards organizations have responded to COVID-19 to enable remote audits so that organizations can continue to demonstrate trust. Beyond the obvious health and safety benefits of conducting a remote audit, there are also pronounced cost and time-saving elements with personnel no longer traveling to perform the audits on-site. These benefits are even more pronounced when you work with a tech-enabled service provider like A-LIGN since our strategic compliance management platform, A-SCEND, streamlines the audit process.

A-LIGN is committed to helping our clients achieve their compliance and certification needs. Read on for an update on how each governing body is approaching remote audits during the pandemic.

AICPA – SOC 1/SOC 2/AUP

Status: Remote Audits Allowed

The AICPA’s “FAQs: SOC 1® and SOC 2® Issues Arising From COVID-19” highlights a few risks that may emerge when personnel can no longer work on-site:

“A service organization that provides post‐sales customer support telephonically or processes health care claims may have sent personnel home to work remotely or may have had to lay off or furlough a number of personnel. When personnel with the competence and authority to review, supervise, or perform controls have been replaced by those that do not, there is an increased risk that controls may not operate effectively as designed. Controls may also be negatively affected by the lack of direct supervision by senior management.”

Nonetheless, the AICPA permits remote audits, noting that video conferencing and remote review of records can minimize the impact of social distancing on the examination.

ANAB – ISO 27001/ISO 22301/ISO 9001

Status: Remote Audits Allowed

ANAB has issued a half dozen “Heads Up” communications related to COVID-19: Issue 445, Issue 448, Issue 449, Issue 450, Issue 452, and Issue 453. Issue 445, published in early February, identified the risk of COVID-19 in China. In a related communiqué, ANAB notes that the outbreak may cause delays, but that health and safety come first. Existing guidance, the IAF Informative Document for Management of Extraordinary Events and ANAB Accreditation Rule 9, already provides for off-site or blended assessment alternatives. According to Issue 448, audits must still be completed by the end of 2020, but if a recertification audit cannot be completed because of the pandemic, ANAB allows certification bodies (CBs) to extend the existing certification by up to six months.

PCI SSC – PCI DSS

Status: Remote Audits Allowed

The PCI Security Standards Council maintains a COVID-19 communication page that points to existing guidance on when remote testing is permitted and to a blog post with advice on conducting a remote assessment. A further PCI SSC blog post states, “Assessors must take all necessary steps to ensure that the integrity of the assessment isn’t negatively affected by remote testing.” PCI SSC is also granting six-month extensions for reassessments due between July 31 and October 31, 2020.

HITRUST

Status: Remote Audits Allowed

HITRUST has issued a series of advisories related to COVID-19. HAA 2020-001, announced in March, waives the on-site requirement for validated assessments, but HAA 2020-002 still requires newly implemented controls to operate for at least 90 days before they are assessed. HAA 2020-004 then introduced Bridge Assessments, which provide a 30-day grace period for reassessments when applied.

FEDRAMP

Status: On-site Audits Required

FedRAMP has not published any updates or guidance related to remote audits or COVID-19. In-person testing may be postponed by up to 90 days if the deferral is documented in the Security Assessment Report (SAR) and tracked as an item in the Plan of Action and Milestones (POA&M).

A-LIGN Enables Fully Remote Audits

A-LIGN’s qualified assessors have conducted thousands of audits for hundreds of clients over the past decade, and our compliance management platform, A-SCEND, provides a strategic approach that streamlines each engagement. A-LIGN has performed remote audits since its founding in 2009. Our remote audit best practices include a well-defined audit plan, constant communication, use of A-LIGN’s internally built platform, A-SCEND 2.0, for evidence collection and project status reporting, and use of appropriate technologies for interviews and observations. Let A-LIGN navigate the challenges, complexity, and responsibility of managing your remote audits.

Interested in learning how A-LIGN can help you mitigate cybersecurity risks remotely? Speak with our qualified assessors today by emailing info@a-lign.com or calling 888-702-5446.