Page 76 - ITGC_Audit Guides
Executive Summary
The COVID-19 pandemic accelerated the adoption of remote work and may have permanently
altered attitudes about whether or how often workers should be in the office. The rapid rise in
remote connections to enterprise networks and the continued adoption of cloud-based services
have increased the risks of accessing company data and applications over potentially less-
secure networks and devices.
Internal auditors need to understand common technologies that enable remote work, the
significant risks arising from remote access, and standard controls that prevent, detect, or
remediate unauthorized access or sharing of information.
The primary control objectives for mobile computing include:
1. Remote access – Which users are authorized to access portions of the enterprise network
remotely, and which security measures are in place to protect the transmission?
2. Centralized device administration – Which devices are authorized to access the enterprise
network remotely, and how are secure configurations managed?
3. Endpoint security – How are on-device security measures, such as antivirus software and
partitions of user-managed devices, ensured?
4. Data protection – How is sensitive data protected from transmission to a less secure
environment, including being shared in collaboration tools?
5. Cybersecurity monitoring – Are there anomalies or red flags in the use of remote access that
could indicate a breach or misuse?
6. Training – Do personnel have the training on collaboration tools and security awareness to
perform their jobs remotely and securely?
With the rise in remote work, many organizations may be motivated to assess the risks and
opportunities posed by mobile computing. Internal audit activities may have opportunities to
deliver valuable assurance and consulting services related to the design and implementation of
mobile computing controls — which, in turn, can help the organization achieve innovation and
security objectives.
theiia.org