Because of the lockdown, a long-term model of working from home has been introduced over the last few months, and it is still in place. It is not a new idea, but previously it was offered by only a few companies, or at times when an employee became sick and was unable to continue working at the office. Almost 60% of UK workers are interested in this concept of working from home more in the coming months. This new way of working has affected many businesses; this blog covers the impact it has had on organisations and the key considerations for internal audit. Firms have also modified processes that were usually carried out in offices and have now been transferred to multiple locations. Generally, you have limited cyber security when you perform work-from-home audits.
Working from home – Risk Profile
Performing your tasks at home is quite different from the way they are done in the office. As regulators recognise, the risk profile of a person working from home is different, and for financial services firms regulatory obligations remain whether you work on site or remotely. The financial services industry has some specific concerns, which include –
The Financial Conduct Authority (FCA) issues regular reminders to firms about the financial implications and obligations of COVID-19, to make sure that customers are protected and that markets are open and functioning properly through oversight, vigilance and monitoring.
Electronic communication with Clients
Many financial services firms also follow a practice of recording certain telephone and e-mail communications with clients and keeping them on record for at least 6 months.
Company staff who have never worked from home face certain challenges when they start doing so. The most common challenges are as follows –
- Increased risk of cyber-attacks via e-mails.
- Possibility of loss of data.
To overcome these, the National Cyber Security Centre has issued guidelines to help your organisation prepare for this new way of working.
You may need to handle personal, organisational or confidential data while working from home, so it must be handled appropriately. The Information Commissioner's Office has also released guidance on data handling while working from home.
The mental well-being of people working from home is also being taken care of. People often dislike the home working environment or feel isolated while working at home. Regular meetings with staff that give them a chance to raise concerns about any issue are the best way to remove any feeling of isolation. To overcome such feelings and to work safely under COVID-19, the Health and Safety Executive has issued guidelines that instruct firms on how to undertake risk assessments. Working from home is a risk that can be managed effectively by taking a holistic approach, as this can offer greater assurance.
For example, a person feeling isolated or demotivated is more likely to become a victim of a phishing e-mail. Similarly, the risk of data leakage can increase due to a lack of data protection training.
Auditing working from home
Take these 5 factors into consideration when assessing the current set-up, in order to prepare for the new workplace.
Environment- The right working environment should support oversight and governance, fulfil data protection obligations and maintain regulatory compliance. People working at home must be aware of the risks in order to control the new working environment. The following areas must be considered –
- Adequate arrangements for supervision and control with appropriate audit trails.
- Secure and confidential communications with high privacy and protection.
- Effective security controls for accessing and storing personal data of the customers.
- Whether policies and procedures are being followed by your people working in remote locations.
- Staff training and awareness of high risks.
Technical- Working from home introduces many new cyber security risks, and penetration testing is one way to make sure that controls are working effectively. The following areas should be considered –
- Are devices and software up to date?
- Are you using a robust and reliable remote working infrastructure?
- Are the devices used safe, and is data encrypted?
- How are the patch management process and endpoint security maintained?
- How is risk managed around remote printing capability and removable media configurations?
- Are issues and potential risks flagged and monitored?
Well-being- Managing your people's well-being is one of the key considerations for internal audit. A review of well-being must include the following –
- Are you able to maintain balance between your work and home life?
- Are you taking regular pulse surveys to check your well-being?
- Have you recognised that the manager's role has changed, and that more supervision and attention to well-being will now be beneficial?
- What KPIs are in place for monitoring well-being and remote working?
- Have you considered a buddy system for enhanced support?
Culture- Working from home also affects your firm's culture and brings new challenges, for which the right tone should be set from the very start. Key areas to focus on include –
- What are the views of senior leaders about remote working?
- Have bars been set by people managers?
- What types of risk have arisen for people, and what is their impact on the culture of the company?
- Is there a need for cultural change to support remote working, and will this support your operating model too?
Return- People will have to readjust when offices reopen soon, as many have adopted working from home for the long term. Key areas to focus on when people get back to the office –
- How will you implement and maintain a social distancing model around your office's physical infrastructure, such as limited office space, lifts, toilets and walkways?
- How will people's concerns about returning to work be managed?
- What arrangements have you made for your people's safe entry to and exit from the premises, as well as evacuation in the event of an earthquake, fire, etc.?
- What measures are you taking to protect your people inside or outside the office premises?
- How will you protect and support vulnerable people?
- Have you considered the cost of running your office at reduced capacity?
- Are you thinking of including a work-from-home policy as a future strategy?
In the current situation, mitigating and managing risks is the primary concern. Offices with reduced capacity mean that many people will continue with this work-from-home model in the future. Others may adopt it permanently, on an optional basis, in order to reduce overheads. Moving forward, you will see the work-from-home model as a common feature on audit plans. Come forward and lay the foundations for maintaining strong information security, business culture and regulatory compliance.
In case you want more information or advice on auditing working from home, kindly call us on 03330886686 or you can also e-mail us at firstname.lastname@example.org