It used to be so simple (sort of). In the not-too-distant past, auditors would focus primarily on security recommendations from IT regarding general controls, such as testing the process for granting someone new access or how companies would test their code before moving it into production.
That worked well for isolated, monolithic business applications, where the threat to security and fraud existed predominantly within the walls of the business, but technology has moved far beyond that, and audit and security must also advance to keep pace.
Advancements in technology require advancements in security
Now, however, as more and more applications are moving to the cloud, auditors must also be concerned about the risk and security impacts of cloud access to these applications and their integration with third-party software vendors through APIs and web services. The internal threats are still there, but risks are growing for external threats as well.
Auditors are now taking another look at how companies perform vendor management and what questions to ask those key vendors: Do you know what controls the vendor has in place to ensure data security? If your solution is hosted in the cloud (for example, applications hosted on Microsoft Azure), do you know the security measures put in place by the hosting company to guarantee secure access controls?
These are the types of questions that auditors never had to ask in the past. Auditors used to be more concerned about the external threats to a company's network. And while those types of questions are still important, new potential problems arise from cloud access, integrated business systems, remote data backups, and more.
COVID had an impact on security
Internal and external security risk has also taken on an additional sense of urgency with the COVID pandemic. Auditors must look at the security processes in place for employees working from home: Are employee home networks secure? Are employees maintaining secure password practices in their home environments? Are any computers being shared with other members of the family? Do other family members and friends on network-enabled devices pose a security risk to company data?
Internal fraud is still the biggest threat
That said, even though the growth of technology has impacted the security and risk to company data from external threats, most fraud remains internal. A recent report from the Association of Certified Fraud Examiners sampled 2,500 companies and found $3.6 billion lost to fraud. The report estimates that 5% of all revenues for companies worldwide will be lost to occupational fraud, whether intentional or not.
So, while it's important to talk about cybersecurity and protecting company data and equipment from external threats, the majority of risk still resides within the company—in the accounting systems, the HR systems, the CRM systems, and other critical enterprise applications.
Watch the full interview of Aidan Parisian, Vice President of Customer Strategy at Fastpath, by Boris Agranovich of Global Risk Community, as he shares how COVID-19 has impacted businesses, and security and risk management in particular.