Working from home is not a new idea, but it was historically undertaken on a more casual basis than it is now. Firms have dispersed processes that were traditionally carried out in the office, so they are now performed across multiple locations, and this trend is set to continue, as 60% of UK workers are keen to work from home more in the future.
Traditionally, working from home audits were limited to cyber security. Our clients are looking at this more holistically, including both people and processes alongside the technology. Firms not only recognise this as the right thing to do, but they are also responding to the need to meet regulatory expectations.
Regulators recognise that the risk profile is different when working from home, and it is important to remember that for financial services firms, regulatory obligations remain, whether you work remotely or on-site.
Some specific concerns for the financial services industry include:
The FCA provides regular reminders to firms regarding the financial implications of COVID-19 and their obligations to ensure customers are protected and markets continue to function well through increased vigilance, monitoring and oversight.
There are also more general concerns:
Sensitive data, organisational or personal, must be treated appropriately, and the Information Commissioner's Office released guidance for handling data when working from home.
Working from home for staff who have never worked from home before, combined with using unfamiliar collaboration platforms, increases the risk of cyber attacks through email scams and increases the likelihood of data leakage. The National Cyber Security Centre has issued guidance on how to make sure your organisation is prepared for an increase in home working.
The wellbeing of staff is critical, not just from the perspective of the working environment, but also in terms of individuals' mental wellbeing. Having regular check-ins with staff and providing them with regular opportunities to share their concerns is important to remove any feeling of isolation.
Working from home is a risk area to manage and mitigate like any other, in line with your unique risk appetite. But many of the risks are interdependent and taking a holistic approach can offer greater assurance that they are managed effectively. For example, if your people are feeling isolated or demotivated, they may be more susceptible to a well-targeted phishing email. Likewise, lack of training over data protection can increase the risk of data leakage, which could potentially lead to a regulatory breach.
When auditing working from home arrangements, firms should consider five lenses for a comprehensive assessment of the current set up and preparedness for a new kind of workplace.
The right working environment should support governance and oversight, maintain regulatory compliance and fulfil data protection obligations. It is important that people are aware of the risks, so they can embed controls into their new work environment. You should consider the following points, among others:
Working from home introduces new risks around cyber security, and penetration testing can demonstrate if controls are working effectively. Key areas to think about include:
Managing your people's wellbeing is a key consideration for internal audit. A wellbeing review should consider:
Working from home brings new challenges for your firm's culture, and the right tone needs to be set from the top. Key topics to think about include:
It will take time to re-adjust when offices re-open, especially with a phased return and many people adopting home working in the long term. When reviewing the potential scenarios, you should consider:
In the short term, the key concern is mitigating and managing these risks. But reduced office capacity means many will continue working from home for the foreseeable future. Others may optionally adopt it on a more permanent basis to help reduce overheads, in response to staff feedback and also as part of the ongoing business continuity arrangements.
Working from home will be a common feature on audit plans moving forward, and now is the perfect time to lay foundations to maintain regulatory compliance, strong information security and the culture for your business.
Written by Sylvia Ashley, Alan Jones and Adrian Chalcraft.