While security is unlikely to be at the forefront of decision-makers at audit firms when adopting new technology tools, it is one of the most critical elements to consider when reviewing which vendor tools to incorporate into audits.

Confidence around the integrity of data in audits is vital, so practitioners must have full assurance that transaction data are accurate and complete, and haven’t been tampered with. Ultimately responsibility will lie with the partner signing off the job upon completion.

There are several different security certification standards worldwide which broadly align with similar principles, with just a few nuances.

It’s worth taking the time to understand why security is important and what to look for from vendors, as this will de-risk audits and be critical when weighing up which audit software vendors to work with.

What is security?
Data security covers three critical tenets: confidentiality, integrity and availability.

1. Confidentiality
Business software needs to maintain the data they handle confidentially to stop it from falling into the wrong hands and to give purchasers the confidence that data will not be misappropriated.

Failure to do so exposes business users to litigation risks and damage to brand reputation. Listed companies can be particularly affected by this due to adverse movements in their share price.

2. Integrity
Integrity in the context of data security means users must be able to rely on the accuracy and validity of data processed by business software.

Data needs to be accurate and consistent over its lifecycle, as failure to do so means companies cannot rely on it.
‍
3. Availability
Availability is critical to data security, as systems and applications need to make data available whenever users need it.

Software must be sufficiently robust to withhold denial of service attacks so that users can access data uninterrupted at all times.

How These Principles Of Security Meet The Needs Of Auditors
Security should be a key consideration in vendor selection for auditors. These principles are foundational elements for software security controls that support internal controls for financial statement auditing.

Auditors need to rely on these security controls to complete jobs with the relevant levels of assurance. For example, they need to put complete reliance on the integrity of bank balance confirmations at year-end to prove that the balances have been reconciled correctly.

Failing to have confidence in the security of data used in these processes impairs the ability of partners to sign off audits.

It’s also essential for audit firms to be able to rely on the security of their software vendors to use automation to assist and complement the efforts of staff. If audit partners can’t be confident of the underlying security of the tools used, jobs will have to rely on more manual and human efforts and will take up additional staff resources. They will also take longer to deliver, eroding profit margins.

The Gold Standards To Look Out For
To satisfy security requirements, at a minimum, audit firms should adopt vendors with an Information Security Management System (ISMS) that is broad and complete in its scope. This must address all the risks and threats related to confidentiality, integrity and availability.

Similarly to the assurance standards of financial statements, there are international certifications for security. Adopting vendors with these in place should give auditors extra comfort that they are abiding by the highest security levels. The most widely used standards are SOC2 (more prevalent in the US) and ISO 27001 (more commonly used in Europe). Both certifications will ensure the highest levels of security are met.

Review The Security Of Your Existing Vendors today
If you already work with audit technology providers, review their approach to security to make sure it is sufficiently fit for purpose. If formal accreditations aren’t held, reach out to suppliers and ensure they have an ISMS in place.

At Circit, our security meets the highest standards for ourselves and our clients. As well as being formally ISO 27001 certified, the platform is fully GDPR compliant, and all our content is encrypted. We are currently undergoing SOC2 accreditation.

Security of data is bolstered by the creation of a comprehensive and immutable audit trail, between all parties, including audit firms and their clients, that embeds timestamps IP addresses and end-user information.

‍‍Learn more about our approach here.‍