By | Razana Binti Md Salleh & Noor Aida Binti Idris
Introduction
COVID-19 is an infectious disease caused by a newly discovered strain of coronavirus, a family of viruses known to cause respiratory infections in humans (Coronavirus disease (COVID-19) pandemic, 2020). This new strain was only identified in late December 2019, when an outbreak of pneumonia of unknown cause emerged in Wuhan, China. The outbreak led to a lockdown of Wuhan on 23 January 2020, intended to prevent the disease spreading to other cities and countries. The World Health Organization (WHO) called the lockdown "unprecedented in public health history" (Coronavirus disease (COVID-19) pandemic, 2020). On 30 January 2020, WHO declared the COVID-19 outbreak a Public Health Emergency of International Concern. As of 18 October 2020, COVID-19 had affected more than 200 countries, with 39,596,858 cases reported (World Health Organization, 2020).
Malaysia is one of the many countries affected by the COVID-19 pandemic. Its first COVID-19 case was detected on 24 January 2020. In March 2020, Malaysia faced an alarmingly high number of COVID-19 cases, dubbed the "second wave", as a result of one cluster involving a large gathering in Sri Petaling. On 18 March 2020, the Malaysian government instituted a Movement Control Order (MCO) lockdown in an effort to "flatten the curve". Other countries adopted similar measures to bring down COVID-19 cases and to stop the spread of the pandemic. Figure 1 shows the number of COVID-19 cases in Malaysia (as of 5.00pm, 18 March 2020) which prompted the Movement Control Order.
Remote Audit
As Malaysian businesses and services came to a grinding halt in March 2020 due to the MCO, most employees suddenly found themselves in a completely new norm. For the employees of the Information Security Certification Body (ISCB), a department within CyberSecurity Malaysia, this new norm involved remote auditing. When clients closed their premises and worked from home, ISO/IEC 27001 audit fieldwork had to be accomplished by technological means. The traditional model of working at client sites and interviewing clients face-to-face was rendered impossible during the COVID-19 pandemic.
A remote audit process is described in ISO 19011:2018 as a process using interactive communication methods that involve human interaction (e.g. interviews, observing processes performed by client personnel) and non-human interaction (e.g. document review, data analysis, observing processes by surveillance means) (ISO 19011 Guidelines for auditing management systems, 2018). A remote audit is conducted using technology and electronic methods such as video conferencing, email and telephone to verify audit evidence and to interview relevant personnel. It may be conducted from the auditors' homes, as opposed to the normal audit conducted at the client's premises. Nevertheless, the purpose of a remote audit remains the same: to evaluate the evidence objectively and to achieve the audit objectives.
Benefits And Barriers Of Conducting Remote Audit
A remote audit is an electronic audit that uses technology to evaluate compliance. There are a variety of reasons an audit may need to be conducted remotely, such as safety issues, physical or logistical constraints, pandemics or travel restrictions. The voluntary or mandatory movement restrictions during the current COVID-19 pandemic are a perfect example of where auditing remotely is beneficial to both auditor and client.
There are several reasons why conducting remote audits can be beneficial for clients and audit team members. The most relevant ones are:
- Avoid travelling to difficult or unsafe locations
Situations that require travelling to difficult or unsafe locations can be resolved with remote auditing. Difficult locations are those which are remote or hard to access because they are in an isolated area, or because strict permits are needed to enter them. Logistical arrangements for these locations are not needed when conducting remote audits. Unsafe locations, for example where riots or demonstrations have broken out, also pose a risk to a traditional face-to-face audit. Remote auditing may also be beneficial for locations that are very large to cover, such as a plantation or a manufacturing plant; live video or even surveillance video can be used to gather the necessary audit evidence.
- Cost saving
Information and communication technologies (ICT) have made remote auditing more feasible. As access to ICT has increased, remote auditing has become more commonly used globally. Remote auditing means that an auditor can interview key personnel in any part of the world without incurring travel costs.
- Flexible schedule
There are situations where an auditor spends time on the road travelling from one audit site to another to complete the audit fieldwork. This can be avoided with live video of the site, which saves the auditor's travelling time while still providing flexibility and visual access to the audit site.
On the other hand, remote auditing has its hindrances. The following are some of the barriers encountered while conducting a remote audit:
- Issues with technology
The limitations and risks posed by ICT should be considered carefully by the auditor. The location of the client or auditor may cause issues and limitations with technology and network access. Examples include unreliable or slow Internet connections, which may impede the fulfilment of audit objectives: online interviews can be interrupted and evidence stored in the cloud may be inaccessible. Because of these issues, there may be insufficient time to conduct the audit, as more time is spent on troubleshooting or re-establishing the Internet connection.
- Trusting the audit
Another challenge in remote auditing is that the auditor has neither physical access to audit evidence nor a face-to-face interview with the client. Physical presence provides subtle signs to the auditor when there are conflicting messages during an interview, so the auditor may be less able to detect inconsistencies in the areas audited. Not being physically present on the client's site also makes it easier for the client to hide issues, and even potential non-conformities, during a remote audit.
- Insufficient training / experience
Depending on the technology used by the client, the auditor may face key challenges in remote auditing. Lack of experience and/or training in conducting remote audits can lead to an inability to collect sufficient audit evidence using the technology.
There are a variety of ICT tools which can help facilitate remote auditing such as file-sharing via cloud, desktop access, screen sharing, video conferencing and live data analysis. Competency is crucial in ensuring that remote audit is conducted efficiently and meets its intended objective.
Preparing And Conducting Remote Audit
Once a remote audit is mutually agreed by the audit team and the client, preparation is needed to ensure a smooth and effective audit despite the use of online methods. ISO 19011 Guidelines for Auditing Management Systems (ISO 19011 Guidelines for auditing management systems, 2018) provides guidance on how to conduct a management system audit, including remote audits.
Several items must be prepared by both the auditor and the client. These are based on ISO 19011 Guidelines for Auditing Management Systems (ISO 19011 Guidelines for auditing management systems, 2018) as well as CyberSecurity Malaysia's own experience in preparing and conducting remote audits. The key items include, but are not limited to, the following:
- ICT tools and good network connection
- Competency and availability of personnel
- Document accessibility
- Time management
- Security and confidentiality consideration
ICT Tools And Good Network Connection
ICT and network connections are important elements in ensuring that a remote audit can be conducted effectively. A laptop allows an auditor to audit from home, but the auditor also needs suitable ICT tools. A variety of ICT tools can assist the auditor in conducting remote audits efficiently; for example, technology solutions such as Zoom and WebEx have made remote audits possible.
A simple video conference or telephone call could also be used in a remote audit. Using a combination of ICT tools helps both the auditor and the client switch to the most suitable method. Table 1 provides a list of ICT tools that can be used during the various stages of a remote audit.
Table 1 Examples of ICT tools
The network connection is another challenge faced by the auditor. It is difficult to predict the quality of the connection during the remote audit itself. Nevertheless, connection testing prior to the audit is helpful in determining whether remote auditing will succeed. Furthermore, the auditor should have an alternative arranged in case of difficulties with the network connection.
In a remote audit there may also be difficulty understanding what the other party is trying to explain. As such, one needs to be diplomatic, to listen attentively and to be respectful. This applies to both auditor and client.
Competency And Availability Of Personnel
A reliable network connection alone is not enough during a remote audit: both the auditor and the client must also be competent in using the ICT tools. It is crucial for the auditor to have the necessary knowledge to conduct audits correctly using the technology. Since a variety of tools can be applied in a remote audit, the client may decide which one they prefer.
In any ISO/IEC 27001 ISMS audit (ISO/IEC 27001 Information Security Management System - Requirements, 2013), auditors adopt standard auditing techniques, which include interviewing key personnel. Auditors will need to ask relevant questions related to the scope of the audit. Therefore, the client's key personnel must be available for online interviews during the remote audit.
Document Accessibility
An ISO/IEC 27001 ISMS (ISO/IEC 27001 Information Security Management System - Requirements, 2013) audit requires mandatory documented information to be established by the client. Examples of this documented information are the risk assessment and risk treatment methodology (clause 6.1.2), the Statement of Applicability (clause 6.1.3 d) and the risk treatment plan (clauses 6.1.3 e and 6.2). The ISMS auditor must therefore have access to this documented information as well as other relevant documents that provide assurance of the client's management system. Clients with cloud-based audit management systems and document imaging are at an advantage when audited remotely. It is easier for both client and auditor if the client has moved to a digital document system: the more documented information auditors can access, the more of the audit can be done remotely.
Remote auditing is much easier if the relevant documents can be accessed by the auditors via the agreed ICT methods (e.g. email, cloud sharing) and in accordance with the agreed information security arrangements. For ISMS audits, the documents may include (but are not limited to) the client's Statement of Applicability, ISMS internal audit report, management review records, risk assessment report and risk treatment plan. The relevant policies and procedures, records, and evidence of ISMS implementation and information security controls should also be accessible during the remote audit.
Time Management
In any audit, time management is critical to meeting the audit objectives within the agreed timeline. Network interruptions or other technical issues can delay a remote audit. The auditors should manage their time well during these interruptions and be flexible in carrying out the audit plan. Any deviation from the audit plan, however, must be discussed and agreed with the client.
There may be situations where the auditor is unable to observe the implementation of processes and/or activities during the remote audit. Rather than wasting time, the auditor should proceed to observe and audit other relevant areas. In certain situations the auditor may have to arrange a follow-up audit, including but not limited to an on-site audit, to cover the areas that could not be accessed remotely. Alternatively, the auditor may reschedule the remaining on-site audit activities to a later date when appropriate supporting evidence can be captured. This ensures that ISMS requirements are met to support the client's certification.
Security And Confidentiality Consideration
Security and confidentiality need to be emphasised in any audit, and more so in a remote audit. As documents, records and evidence may be transferred to the auditor using ICT tools, extra precautions should be taken to ensure they are protected accordingly. Information security controls such as encryption and password-protected documents can be applied to ensure the security and confidentiality of these documents and records; the password or key should be shared over a channel separate from the one used to send the documents (for example, by telephone), so that interception of the transfer alone does not expose the evidence.
Furthermore, auditors will have signed a confidentiality agreement with the Certification Body and/or with the client, and are required to keep all information obtained from a client during an audit confidential. At the end of a remote audit, auditors are also required to delete every document and record received from the client.
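Encryption protects the confidentiality of transferred evidence, but the auditor also needs assurance that the evidence package received is exactly the one the client sent and that nothing was altered, added or dropped in transit. The following is an added example (not part of the original article or of CyberSecurity Malaysia's procedures) showing one way to do that with Python's standard library: the client builds a manifest of SHA-256 hashes over the evidence files and authenticates the manifest with an HMAC keyed by a secret agreed out of band; the auditor verifies the HMAC first and then checks every file against the manifest. The file names, file contents and the shared secret are constructed sample data.

```python
"""Evidence-package integrity manifest for remote audit transfers.

Added example; assumes the client and auditor agree a shared secret over a
separate channel (e.g. by telephone). All file names and contents below are
constructed sample data, not real client documents.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict[str, str]) -> bytes:
    # Canonical JSON so client and auditor compute the HMAC over identical bytes.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence_dir: Path, secret: bytes) -> dict:
    """Client side: list every evidence file with its SHA-256 and sign the list."""
    files = {
        p.relative_to(evidence_dir).as_posix(): sha256_file(p)
        for p in sorted(evidence_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    tag = hmac.new(secret, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac_sha256": tag}


def verify_manifest(evidence_dir: Path, manifest: dict, secret: bytes) -> list[str]:
    """Auditor side: return a list of problems; an empty list means the package is intact."""
    problems: list[str] = []
    expected = hmac.new(secret, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        # The file list itself cannot be trusted, so stop before using it.
        return ["manifest HMAC mismatch (manifest altered or wrong secret)"]
    for name, digest in manifest["files"].items():
        p = evidence_dir / name
        if not p.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {name}")
    # Files present but not in the signed list may have been added after signing.
    listed = set(manifest["files"])
    for p in evidence_dir.rglob("*"):
        rel = p.relative_to(evidence_dir).as_posix()
        if p.is_file() and p.name != MANIFEST_NAME and rel not in listed:
            problems.append(f"unlisted: {rel}")
    return problems


def demo() -> dict[str, list[str]]:
    """Build a constructed evidence package, then verify it intact, tampered and with a wrong secret."""
    secret = b"agreed-out-of-band-secret"  # constructed; never send this with the package
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "SoA.txt").write_text("Statement of Applicability v3\n")
        (root / "risk").mkdir()
        (root / "risk" / "treatment_plan.txt").write_text("Risk treatment plan 2020\n")
        manifest = build_manifest(root, secret)
        intact = verify_manifest(root, manifest, secret)
        wrong_secret = verify_manifest(root, manifest, b"not-the-agreed-secret")
        # Simulate tampering in transit: one file edited, one dropped, one added.
        (root / "SoA.txt").write_text("Statement of Applicability v4\n")
        (root / "risk" / "treatment_plan.txt").unlink()
        (root / "extra.txt").write_text("added after signing\n")
        tampered = verify_manifest(root, manifest, secret)
    return {"intact": intact, "wrong_secret": wrong_secret, "tampered": tampered}


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

The manifest is sent alongside the (encrypted) evidence package; because the HMAC key never travels with the package, an attacker who can modify files in transit cannot also re-sign the manifest to hide the change. Verifying the HMAC before reading the file list matters: an unauthenticated manifest could be rewritten to list a substituted file with its own correct hash.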
Conclusion
Malaysia is now experiencing its third wave of the COVID-19 pandemic (as of 18 October 2020, the date this article was written). The country has registered triple-digit rises in new COVID-19 cases since 1 October 2020, with 869 and 871 cases reported on 17 and 18 October 2020 respectively (COVID-19 MALAYSIA, 2020). The total number of cases in Malaysia reached 20,498 as of 12 noon on 18 October 2020 (COVID-19 MALAYSIA, 2020).
As the COVID-19 pandemic is unlikely to be over in the next few months, remote auditing remains a viable continuity tool and a more efficient and productive method of auditing. While online and virtual methods of auditing need to be explored further, traditional face-to-face audits should not be ignored. There must be a balance between traditional and virtual audits to ensure effective ISO/IEC 27001 ISMS audits.
References
- COVID-19 MALAYSIA. (2020). Retrieved from Kementerian Kesihatan Malaysia COVID-19: http://covid-19.moh.gov.my/
- Coronavirus disease (COVID-19) pandemic. (2020). Retrieved from World Health Organization: https://www.who.int/
- World Health Organization. (2020). Retrieved from WHO Coronavirus Disease (COVID-19) Dashboard: https://covid19.who.int/
- International Standard (2013). ISO/IEC 27001 Information Security Management System - Requirements. Switzerland: International Organization for Standardization.
- International Standard (2018). ISO 19011 Guidelines for auditing management systems. Switzerland: International Organization for Standardization.