Auditing working from home – taking a holistic approach
03 Jul 2020
True innovation is often met with resistance, but lockdown has provided the ideal proof of concept for a long-term working from home model. Sylvia Ashley, Alan Jones and Adrian Chalcraft look at what this means for organisations and key considerations for internal audit.
Working from home is not a new idea, but it was historically undertaken on a more casual basis than it is now. Firms have dispersed processes that were traditionally carried out in the office, but are now performed across multiple locations - and this trend is set to continue as 60% of UK workers are keen to work from home more in the future.
Traditionally, working from home audits were limited to cyber security. Our clients are looking at this more holistically, including both people and processes alongside the technology. Firms not only recognise this as the right thing to do, but they are also responding to the need to meet regulatory expectations.
The working from home risk profile
Regulators recognise that the risk profile is different when working from home, and it is important to remember that for financial services firms, regulatory obligations remain, whether you work remotely or on-site.
Some specific concerns for the financial services industry include:
The FCA provides regular reminders to firms regarding the financial implications of COVID-19 and their obligations to ensure customers are protected and markets continue to function well through increased vigilance, monitoring and oversight.
Sensitive data, whether organisational or personal, must be treated appropriately, and the Information Commissioner's Office has released guidance on handling data when working from home.
Working from home for staff who have never worked from home before, combined with using unfamiliar collaboration platforms, increases the risk of cyber attacks through email scams and increases the likelihood of data leakage. The National Cyber Security Centre has issued guidance on how to make sure your organisation is prepared for an increase in home working.
The well-being of staff is critical, not just from the perspective of the working environment, but also in terms of individuals' mental well-being. Having regular check-ins with staff and providing them with regular opportunities to share their concerns is important to remove any feeling of isolation. The Health and Safety Executive has issued guidance on working safely during the coronavirus outbreak that instructs firms on how to undertake risk assessments.
Working from home is a risk area to manage and mitigate like any other, in line with your unique risk appetite. But many of the risks are interdependent, and taking a holistic approach can offer greater assurance that they are managed effectively. For example, if your people are feeling isolated or demotivated, they may be more susceptible to a well-targeted phishing email. Likewise, a lack of training on data protection can increase the risk of data leakage, which could potentially lead to a regulatory breach.
Auditing working from home
When auditing working from home arrangements, firms should consider five lenses for a comprehensive assessment of the current set-up and preparedness for a new kind of workplace.
The right working environment should support governance and oversight, maintain regulatory compliance and fulfil data protection obligations. It is important that people are aware of the risks, so they can embed controls into their new work environment. You should consider the following points, among others:
Supervision and control arrangements, with appropriate audit trails
Secure and confidential communications with protection and privacy best practice
Effective security controls over access and storage of customer personal data
Staff training and awareness around heightened risks
Are your people following policies and procedures for remote working?
Working from home introduces new risks around cyber security, and penetration testing can demonstrate if controls are working effectively. Key areas to think about include:
Is the remote working infrastructure robust and reliable, and are devices and software up to date?
How are the patch management process and endpoint security maintained?
Have access controls and user permissions been confirmed as appropriate and based on a least-privilege model?
Are devices kept safe and is data encrypted?
How are you managing risks around removable media configurations and remote printing capability?
Are issues and potential risks flagged and monitored?
Managing your people's well-being is a key consideration for internal audit. A well-being review should consider:
What are your internal communications arrangements and are they frequent enough and inclusive?
Have you been taking regular pulse surveys to check in on well-being and action lessons learned?
Are there clear boundaries between work and home life?
Do managers realise that their role has changed, with greater expectations for supervision and well-being, and would further guidance be beneficial?
Have you thought about a buddy system for greater support?
What KPIs are in place to monitor remote working and well-being?
Working from home brings new challenges for your firm's culture, and the right tone needs to be set from the top. Key topics to think about include:
How are senior leaders responding to remote working?
Have expectations been set by people managers?
What people risks have arisen and what has the impact been on company culture?
Does the culture during remote working still align to your core values and purpose?
Is cultural change needed to support remote working and will this support your operating model?
It will take time to readjust when offices re-open, especially with a phased return and many people adopting home working in the long term. When reviewing the potential scenarios, you should consider:
How will you manage people’s concerns about returning to work?
What arrangements have you made for the safe entry and exit of your premises at start and end of day and evacuation in the event of, for example, a fire?
How will you implement social distancing around your physical infrastructure, such as lifts, limited office space, toilet facilities and walkways?
Have measures been put in place to protect your people, such as protective equipment when using public transport?
How will you protect and support vulnerable people?
Have you thought about insurance and the cost of running an office with reduced capacity?
Does your future strategy include home working as part of the mix and, if so, have you considered how you will formalise this with staff?
In the short term, the key concern is mitigating and managing these risks. But reduced office capacity means many will continue working from home for the foreseeable future. Others may optionally adopt it on a more permanent basis to help reduce overheads, in response to staff feedback and also as part of their ongoing business continuity arrangements.
Working from home will be a common feature on audit plans moving forward and now is the perfect time to lay foundations to maintain regulatory compliance, strong information security and the culture for your business.