Remote Auditing vs. Onsite Assessments: What Do I Want?

by Sarah Harvey / January 31st, 2019

There’s a lot to consider when choosing an audit partner. What does their audit process look like? What kind of services do they offer? How will they help you reach your audit objectives? How much do they charge? Will they perform a remote audit or an onsite assessment? While these are all valid concerns, organizations also have to consider their own intentions behind pursuing compliance: is it required to partner with new business partners? Is it to help strengthen your security posture? Is it just another item to check off on a to-do list? If your organization is looking to partner with a firm that doesn’t come onsite because it’s “easier” or cheaper, KirkpatrickPrice won’t be a good fit for you. At KirkpatrickPrice, we want to partner with organizations to help them meet their compliance objectives, and part of that is performing our due diligence and conducting an onsite visit. Why do many other audit firms advertise that they can effectively conduct an audit 100% remotely? Why do so many organizations loathe an onsite visit? Is there really that big of a difference between a remote and onsite audit?

Why the Difference Matters

For organizations that are just starting out on their compliance journey or for organizations looking for a new audit firm to work with, there’s one critical component that needs to be kept in mind: the audit firm you choose should always perform an onsite assessment. Why? Audit firms that promote remote-only audits are doing you a disservice. And we would know – in 2006, we were the pioneers of the remote audit. However, our remote audit methodology was never intended to eradicate the onsite visit. Instead, we positioned ourselves as a trusted audit partner for helping our clients streamline the audit process and complete 80% of the audit before going onsite.

Licensed CPA firms also have an ethical obligation to perform their due diligence while conducting audits, and we take that obligation very seriously. We are committed to delivering quality audits, which would not be possible if we did not perform onsite visits. Without an onsite visit, an auditor can’t personally experience a company’s culture and integrity, processes, or physical security. For example, when our auditors have gone onsite in the past, they’ve gained access to “secure” locations, plugged into network jacks “hidden” in public spaces, found “protected” cardholder data printed out and stacked into piles in offices, and even found physical holes in walls of data centers due to construction. So, when you’re choosing an audit partner, ask yourself: what are you willing to risk so that your auditor doesn’t come onsite?

Controls that Require an Onsite Assessment

We know that undergoing audits requires a financial, personnel, and time investment from our clients, and we want to help them get the most out of their compliance efforts. Even more so, we want our clients to actually remain compliant, and performing an onsite visit assists us in doing that. Information security frameworks require that an auditor verify that physical controls are in place to safeguard sensitive data. For example, PCI Requirement 9 says that entities should “restrict physical access to cardholder data.” How will an auditor be able to determine if an organization has implemented physical safeguards to protect its cardholder data environment if they don’t come onsite?

Getting Over the Fear of the Onsite Assessment

The onsite assessment versus remote audit debate really comes down to this: getting over the fear of the onsite visit. Because the audit process can be so rigorous and intimidating, many organizations fall into the trap of fearing the audit process altogether. This has resulted in organizations seeking out those audit firms that “guarantee” that they can deliver “quality” audits without coming onsite. Many of our clients who come to us after working with other information security firms actually enjoy our onsite visits because they can feel good about knowing their auditor. While you may want a remote audit, you need an onsite assessment – it’s critical for ensuring compliance and strengthening your security posture.

If your audit partner isn’t currently performing an onsite assessment, it’s time to rethink that partnership. We know audits can be hard, but don’t take the easy way out. Contact us today to learn more about our commitment to quality, thorough audits and how we can overcome the fear of the onsite together.
