While security is unlikely to be at the forefront of decision-makers at audit firms when adopting new technology tools, it is one of the most critical elements to consider when reviewing which vendor tools to incorporate into audits.
Confidence around the integrity of data in audits is vital, so practitioners must have full assurance that transaction data are accurate and complete, and haven’t been tampered with. Ultimately responsibility will lie with the partner signing off the job upon completion.
There are several different security certification standards worldwide which broadly align with similar principles, with just a few nuances.
It’s worth taking the time to understand why security is important and what to look for from vendors, as this will de-risk audits and be critical when weighing up which audit software vendors to work with.
What is security?
Data security covers three critical tenets: confidentiality, integrity and availability.
1. Confidentiality
Business software needs to maintain the data they handle confidentially to stop it from falling into the wrong hands and to give purchasers the confidence that data will not be misappropriated.
Failure to do so exposes business users to litigation risks and damage to brand reputation. Listed companies can be particularly affected by this due to adverse movements in their share price.
Within the EU, the confidentiality of data held and processed by software vendors should be protected by GDPR. Failure to adhere to it can result in fines of 4% of the company’s annual global turnover, or $20 million, whichever is higher.
2. Integrity
Integrity in the context of data security means users must be able to rely on the accuracy and validity of data processed by business software.
Data needs to be accurate and consistent over its lifecycle, as failure to do so means companies cannot rely on it.
On a practical level, this means systems must be in place to check data for errors to prove there have been no compromises. Additionally, data will need validation procedures applied to it to ensure that it has not been changed during transfers in and out of systems.
3. Availability
Availability is critical to data security, as systems and applications need to make data available whenever users need it.
Software must be sufficiently robust to withhold denial of service attacks so that users can access data uninterrupted at all times.
Denial of service can lead to applications being non-operational or, in severe circumstances, can bring systems to an unsafe state.
How these principles of security meet the needs of auditors
Security should be a key consideration in vendor selection for auditors. These principles are foundational elements for software security controls that support internal controls for financial statement auditing.
Auditors need to rely on these security controls to complete jobs with the relevant levels of assurance.
For example, they need to put complete reliance on the integrity of bank balance confirmations at year-end to prove that the balances have been reconciled correctly.
Additionally, when bank transactions after year-end are requested for post-balance sheet purposes, auditors need to ensure that the data delivered satisfies the scope and that data comes from an authorised party and hasn’t been tampered with.
Failing to have confidence in the security of data used in these processes impairs the ability of partners to sign off audits.
Another reason auditors need to rely on security for audit tech is due to efficiencies around resourcing staff and streamlining processes. Benefits of new audit tech tools include automation features that save time on core audit workflows and deliver levels of assurance beyond the capabilities of human auditors. For example, this can include analysing 100% of transactions to look for anomalies.
It’s also essential for audit firms to be able to rely on the security of their software vendors to use automation to assist and complement the efforts of staff. If audit partners can’t be confident of the underlying security of the tools used, jobs will have to rely on more manual and human efforts and will take up additional staff resources. They will also take longer to deliver, eroding profit margins.
The gold standards to look out for
To satisfy security requirements, at a minimum, audit firms should adopt vendors with an Information Security Management System (ISMS) that is broad and complete in its scope. This must address all the risks and threats related to confidentiality, integrity and availability.
Similarly to the assurance standards of financial statements, there are international certifications for security. Adopting vendors with these in place should give auditors extra comfort that they are abiding by the highest security levels.
The most widely used standards are SOC2 (more prevalent in the US) and ISO 27001 (more commonly used in Europe).
Both certifications will ensure the highest levels of security are met. There is an overlap between the two, but there are a few differences. These include how they are governed (the American Institute of Certified Public Accountants for SOC2 and the ANSI-ASQ National Accreditation Board for ISO 27001), and ISO 27001 is viewed as a harder certification for vendors to achieve.
Ultimately auditors are likely to adopt vendors that apply certifications in the geographical locations of their clients.
Review the security of your existing vendors today
If you already work with audit technology providers, review their approach to security to make sure it is sufficiently fit for purpose. If formal accreditations aren’t held, reach out to suppliers and ensure they have an ISMS in place.
At Circit, our security meets the highest standards for ourselves and our clients. As well as being formally ISO 27001 certified, the platform is fully GDPR compliant, and all our content is encrypted. We are currently undergoing SOC2 accreditation.
Security of data is bolstered by the creation of a comprehensive and immutable audit trail, between all parties, including audit firms and their clients, that embeds timestamps IP addresses and end-user information.
Learn more about our approach here.
