
Information Technology Internal Audit Considerations Amidst COVID-19

An internal audit should provide reasonable assurance on the governance and the management of the cybersecurity risk.

Information Technology Internal Audit

The COVID-19 pandemic, as an unpredictable event, has triggered a ripple effect on people, businesses, governments, and society as a whole. As a result, organizations adopted rapid, innovative changes and continued to operate in ways that differ markedly from standard practices and that had never been projected previously. With new ways of working and technological advancements, the pandemic brings not only risks but also opportunities for organizations. So, there is a need to respond to, oversee, anticipate, and manage both risks and opportunities in a changing environment.

By Muhammad Tariq Ahmed Khan, Head of Information Security Audit, Internal Audit Division, Arab National Bank, Riyadh


Since the recent changes are triggering both risks and opportunities, organizations are inclined to take immediate and appropriate actions to support their employees, customers, and stakeholders while reducing the impact of the pandemic. The pandemic also brings an opportunity for Internal Audit to adapt to the new changes, to evaluate the operational challenges faced by organizations, and to provide them with assurance about the effectiveness of their control environments.

To assist in this process, I have highlighted the following ways that can help Information Technology Internal Audit (IT Auditors) to provide reasonable assurance and recommendations to Senior Management and the Board.

Risk Assessment

IT Auditors should adopt an agile audit approach and revisit their plans, reprioritizing IT audit engagements according to the organization’s changing risk profile, regulatory requirements, and the evolving practices it has embraced. This helps management focus on the critical risks in order to better protect the organization.

The plan should be flexible to cover the emerging risks caused by new products and services as a result of COVID-19.

In addition, the scope of the IT audit engagements should be continuously reviewed in line with the changing risks and control environment.

Business Continuity Planning (BCP)

Since organizations have revised their business continuity plans and have permitted employees to work from home, it is a unique opportunity for IT Auditors to take another look at whether their organization’s Business Continuity Plans (BCPs) are still adequate, relevant, and up-to-date to cope with COVID-19 and other specific scenarios. For instance, IT Auditors should:

  1. Evaluate the key business continuity risks and dependencies including suppliers and vendors.
  2. Evaluate that the revised business continuity plans are aligned with the overall organization’s strategic plan.
  3. Attend crisis management meetings and discussions with the management to assess whether the current and future risks have been identified.
  4. Check that an alternative mechanism is available to communicate securely if systems go down.


Due to remote work environments, organizations are facing an increased landscape of cyber-attacks, such as susceptibility to social engineering (phishing) attacks and malware, which is impacting organizational risks and audit plans. Although it is not the responsibility of an internal audit to manage risks, an internal audit should provide reasonable assurance on the governance and the management of the cybersecurity risk.

IT Auditor considerations should include:

  1. How are organizations raising awareness to promote proactive identification and reporting of malicious activities?
  2. Are awareness sessions customized to cover current and new threats, as employees are more susceptible to social engineering attacks due to their increased workloads, usage of technologies, and augmented stress levels?
  3. Does the organization have 24/7 monitoring of suspicious activities caused by disgruntled employees (external/internal)?
  4. Are technological controls implemented to reduce the risk of increased phishing attacks?
  5. Is phishing testing carried out to raise awareness?

User Access Controls

Due to flexible working hours and 24/7 working from home, employees are required to have excessive access to several systems. IT Auditors should evaluate:

  1. Is access granted to employees based on the need-to-have, need-to-know, and need-to-do principles?
  2. Has a dual-factor authentication mechanism been activated?
  3. Is segregation of duties ensured while granting access?
  4. Are audit trails maintained for every access granted and every activity performed?
  5. Are privileged administration activities exclusively monitored?

Virtual Private Network (VPN)

Due to the COVID-19 crisis, the ways of doing business have dramatically changed around the world. Consequently, organizations have permitted their employees to work from home (WFH), which has led to a massive rise in VPN traffic on the networks. The main objective of using a VPN is to enable remote employees to connect to their work networks by creating a private and secure tunnel across a public network connection while ensuring that data is encrypted and transmitted securely.

IT Auditor considerations for VPN may include:

  1. Are VPN and other remote access solutions patched in a timely manner, and are secure configurations being used?
  2. Are devices/machines used for connecting remotely secured and controlled by deploying endpoint protection software?
  3. Do VPN and other remote access solutions have appropriate licenses in place to cover the required number of connections by the employees?
  4. Is an increased bandwidth capacity available to support remote access?


As an implication of the COVID-19 pandemic, privacy rights have also been amplified. The IT Audit considerations are set out below:

  1. Are legal responsibilities in terms of protecting end-users’ privacy rights identified?
  2. Have risk assessments of products or services been carried out to assess privacy rights risks, including granting third-party access to employees’ sensitive information?
  3. Is collected private data deleted after the crisis? How is it being ensured?
  4. Is there any process to ensure that all the data collected is relevant to the required business purposes and is not more than necessary in any way?
  5. Is there any policy or disclaimer providing transparency about the type of data being gathered, with whom it will be shared, and for what purposes?

The COVID-19 pandemic has exposed organizations to huge, unexpected, and rapid changes, whether made voluntarily in response to the emerging pandemic situation or enforced by the regulators. Since organizations have faced their own unique set of challenges, Internal Audit should understand the changing circumstances, the new ways of working, the new risk landscape and actors, and how best to add value to organizations by changing challenges into opportunities.


This article provides indicative guidance to Internal Auditors (IT Auditors in particular) in developing a better understanding of the areas of risks and associated potential impacts on their organizations.

About the Author

Muhammad Tariq Ahmed Khan is Head of Cybersecurity Audit, Internal Audit Division, Arab National Bank, Riyadh. He is a “Subject Matter Expert” in Technology and Cybersecurity Audits. He has more than 21 years of experience in the Banking industry, in areas such as IT, Cybersecurity, and IT Audit. He has a solid understanding and application of Risk-Based Audit methodology, ISMS (ISO 27001), ISO 22301, NIST and COBIT, IT & Information Security regulatory compliance. To his credit, Tariq also has sound technical knowledge (as evidenced by his pertinent professional certifications) in various IT platforms and IT project management – with experience in Disaster Recovery, and Business Continuity Management.

He has published articles on different topics of cybersecurity and he has spoken at regional and international seminars and conferences.


Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.