Single Sign-On: Key Element in Remote Cyber Auditing

Aug 5, 2022

As digital transformation enabled banks and other financial services firms to offer customer-facing services via the Internet, managing cyber risk effectively became essential. As remote auditing becomes the norm, employing Single Sign-on is becoming critical.
Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.

Source: OneLogin

Financial services firms have been audited for decades, both by outside auditors hired to provide an unbiased status of financial risk, and by regulators with the responsibility to oversee enforcement of agency regulations. As institutions and regulators realized the extreme risk that cyber breaches represent, agencies and auditing organizations responsible for assessing financial risk added oversight for assessing cyber risk.

More recently, as agencies pressed for more stringent cyber risk oversight, government initiatives have mandated auditing for a massively higher number of organizations. Accomplishing these directives translates into orders of magnitude more audits, and the ability to send auditors onsite for all but the largest organizations is no longer practical.

This vastly increased audit volume dictates that the overwhelming majority of audits must be conducted remotely. Adding new auditors is not a viable solution, since training more auditors cannot begin to keep pace with the many hundreds of thousands of organizations that now have to be audited. Regulatory agencies and other auditors must drastically increase efficiency and lower audit costs to have any chance of meeting the new level of demand. Remote auditing is clearly key, but doing it at this scale presents these challenges:

  • Providing auditors and regulators with a comprehensive, standardized view of cyber risk for easy and efficient review. Automated assessment standards, namely FFIEC CAT and NIST CSF, fulfill this need and are essential for remote auditing.
  • Streamlining communication between auditors and those who provide information for the audit. Standards help, but the lack of automation to support (a) reporting by users and (b) review of evidence by auditors and regulators greatly limits efficiency.
  • Securing the remote auditing process to prevent access by bad actors. Using automated standards and remote review to aggregate information into a single system of record dramatically increases efficiency, yet it also introduces risk: that single system now holds the evidence for the whole audit and must be protected accordingly.
Creating an Ideal Remote Cyber Auditing Environment

An ideal remote cyber auditing environment requires four key elements:

  1. An Automated Standards Platform – Automating recognized standards on a hosted platform for cyber assessments is more efficient than using spreadsheets, and it avoids the risk that comes with giving outside auditors access behind the firewall. Users can document supporting evidence and attach corroborating links and files securely.
  2. A Single System of Record – Regulators often request information from across the enterprise, causing response delays and requiring the integration of multiple data sources, e.g., numerous, inconsistent, confusing spreadsheets. An automated platform serving as a single system of record, with all the information readily available, can cut the time for an audit by half or more.
  3. An Audit Support Facility – Further efficiency comes from an automated facility for creating and managing audit notes specific to a control, which can be exposed to users at the appropriate time. Automated notification of changes supports interactive communication between regulators/auditors and users.
  4. Integrated Single Sign-On (SSO) Security – Controlling remote access to hosted, automated systems is vital. Leveraging existing SSO systems (e.g., Okta, Azure Active Directory) ensures that external users such as regulators and auditors can gain access to all the facilities they need, while being restricted from accessing other assets.
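As an added example (not code from this article or from any SSO product named above), the following Python shows how a hosted audit platform can turn already-verified IdP claims into least-privilege decisions for external auditors and regulators: they reach the assessment, evidence and audit-note facilities for the engagements assigned to them and nothing else. The issuer URL, group names, facility names and engagement ids are assumptions chosen for the example.

```python
# Added example: least-privilege authorization for external auditor identities.
# Assumes the OIDC/SAML library has already verified the token's signature and
# expiry, so `claims` is trusted input. Issuer, groups, facilities and
# engagement ids below are placeholders constructed for this example.
from dataclasses import dataclass

TRUSTED_ISSUER = "https://idp.example.com"          # placeholder IdP issuer
EXTERNAL_GROUPS = {"ext-auditors", "ext-regulators"}  # placeholder group names

# Facilities of the hypothetical hosted audit platform.
AUDIT_FACILITIES = {"assessment", "evidence", "audit_notes"}
INTERNAL_ONLY = {"user_admin", "billing", "hr_records"}

# IdP group -> facility -> permitted actions. External roles read audit
# material and may write audit notes; internal staff manage the assessment.
ROLE_POLICY = {
    "ext-auditors": {f: {"read"} for f in AUDIT_FACILITIES}
    | {"audit_notes": {"read", "write"}},
    "ext-regulators": {f: {"read"} for f in AUDIT_FACILITIES}
    | {"audit_notes": {"read", "write"}},
    "cyber-team": {f: {"read", "write"} for f in AUDIT_FACILITIES}
    | {"user_admin": {"read", "write"}},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(claims: dict, facility: str, action: str, engagement: str) -> Decision:
    """Decide whether a verified SSO identity may perform `action` on `facility`
    within `engagement`. Deny by default; every grant names the group behind it."""
    if claims.get("iss") != TRUSTED_ISSUER:
        return Decision(False, "untrusted issuer")
    groups = set(claims.get("groups", []))
    external = bool(groups & EXTERNAL_GROUPS)
    # External identities are scoped to engagements the IdP assigned to them.
    if external and engagement not in claims.get("engagements", []):
        return Decision(False, "engagement not assigned to this identity")
    # An external identity never reaches internal-only assets, even if a
    # misconfigured IdP also placed it in an internal group.
    if external and facility in INTERNAL_ONLY:
        return Decision(False, "internal-only facility")
    for group in sorted(groups):
        if action in ROLE_POLICY.get(group, {}).get(facility, set()):
            return Decision(True, f"granted via group {group}")
    return Decision(False, "no matching entitlement")
```

The engagement check is what keeps an auditor's SSO session from becoming a key to every assessment on the platform; the internal-only guard catches group membership mistakes upstream in the IdP.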

Justified government concern about cyber fraud has increased the number of mandatory cyber audits by orders of magnitude. Initiatives requiring government contractors to comply are already instigating legal actions and driving emerging new standards, such as CMMC. The result is that most audits are now conducted remotely.

Likewise, banks and other financial institutions, as well as other SMBs, are adopting remote cyber auditing to verify their security practices and to comply with agency regulations (e.g., OCC, FDIC, SEC). Implementing best practices within a highly efficient audit environment helps organizations meet these requirements with a limited impact on finite resources. Single Sign-On is a key component of those best practices.
