Skip to main content


Virtual IT Audit - Not a Novel Idea

Virtual IT Audit - Not a Novel Idea

Security and IT professionals across the world have invested a large amount of time and effort transitioning to a remote workforce. At the start of this transition, much of the time was spent on getting the technology up and running, securing remote access, and finding a way to conduct business as normal (or as close to normal as possible). Now that the initial shock to the system is somewhat behind us, it’s time to shift our mindset back to a proactive security mindset.

It’s important to keep in mind that cybersecurity risks grow significantly during a time of uncertainty. In fact, we have seen a massive increase in cyber incidents in recent weeks stemming from phishing emails, phone calls, malicious websites data maps, and ransomware attacks. The spike in malicious activity is so severe that researchers have seen an increase of 667% in phishing email attacks alone in the month of March.

A critical component of proactive security includes continuous process improvement, including regular testing of an organization’s people, processes, and technology. Many times, an IT Audit is how we verify that proper security measures are in place and are effective.

A traditional onsite IT Audit has historically required a security firm to send a qualified information security auditor onsite to review policy, procedures, and technical controls, as well as to conduct investigative interviews. The auditor typically examines whether the organization is compliant with its own program (and with applicable regulations), as well as identifying possible gaps in the adequacy of controls.

Benefits from an onsite audit may be:

  • Face-to-face interaction with the auditor to discuss security measures
  • Knowledge and expertise of the auditor to help train and educate on topics which may not be directly related to audit questions
  • Ability to assess the physical security controls
  • A sit-down, in-person Exit Meeting to discuss findings and talk through recommendations with senior management and stakeholders


Essentially the greatest benefit of an onsite audit is having the auditor physically there for interview, questions, and security discussions.



The Future of the IT Audit is Virtual

In response to the COVID-19 virus, regulatory agencies have announced plans to conduct virtual IT examinations. This may seem like a novel idea; however, virtual IT Audits have been around for years.

A virtual IT Audit follows the exact same process of the onsite audit, except all the work is done remotely. The virtual audit requires the same evidence, documentation, scope, and process. Here are three common questions and solutions to note when conducting a virtual IT Audit.

Question 1: Can the IT auditor communicate effectively if the service is performed virtually?

Answer: Communication is important for all services; however, in a virtual IT Audit, communication is absolutely vital to the value that the organization gets from the engagement.

A virtual IT Audit from SBS utilizes several different communication channels such as online meetings (with screen sharing and conference call capabilities), video conferencing (when available), email, information sharing portals such as TRAC™, phone calls, and text messages to ensure the quality of the process. Communication expectations are always set up front with your auditor.


Question 2: What about the availability of the auditor vs. our in-house staff? How does that work?

Answer: When an auditor is onsite it is easy to get access to your team for interviews, questions, and concerns. When the Auditor is virtual, it’s even more important that the auditor gets access to the staff and information needed to conduct the audit.

With an SBS virtual IT Audit, a schedule is created for the duration of the audit that encompasses the topics and ISP components to be reviewed, interview times for your staff members, regular check-ins with your team, and a formal Exit Meeting to discuss findings and recommendations.


Question 3: What about physical security checks? How can you validate physical security controls if you’re not onsite?

Answer: Physical security is a very important component in an information security program and needs to be addressed even in a virtual IT Audit.

With an SBS virtual IT Audit, physical security is reviewed and assessed through the use of video or photos of each physical control to ensure the completeness of the audit. If you have the ability to turn on a webcam and walk us around your physical premises virtually, that’s the preferred option. If not, your IT auditor will talk you through taking pictures of specific physical security checks and areas to get a good understanding of the controls you have in place.


One of the biggest benefits of a virtual audit is the cost savings on travel expenses normally associated with an onsite IT Audit, such as airfare, lodging, and per diem. An added bonus of your auditor not spending any time traveling is that there should be an increase in the efficiency of the audit process from start to finish.

SBS has successfully conducted virtual IT audits for years, so we are well-positioned to deliver 100% of our engagements remotely. In that time, we have developed the technology, infrastructure, and experience to deliver the same quality of service for a virtual IT Audit that our clients have come to expect from an onsite IT Audit.

Don’t wait to perform your IT audit until later. Stay ahead of cybersecurity threats and incidents with a virtual IT Audit from SBS.


Have questions about a Virtual IT Audit? Complete this form and an SBS audit expert will be in touch:


Trouble with the form? Email


Written by:
Nick Podhradsky, EVP - Sales, SBS CyberSecurity
Clinton Watkins, CISA, CCBSP - Senior IT Auditor, SBS CyberSecurity

SBS Resources: 

  • {Service} IT Audit: The SBS IT Audit is risk-based and tailored to the size and complexity of each individual organization, providing a personalized experience from start to finish. Learn more


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Security Manager

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Tuesday, April 14, 2020
Categories: Blog