
Cybersecurity Audits for Fully Remote Companies: The Framework That Actually Fits a Distributed Workforce

Alexander Sverdlov

Security Analyst

6/1/2026

Most audit firms still walk into a remote-first SaaS with a 1990s checklist. Locked server rooms. Badge logs. Visitor manifests. None of it applies. From 23 audits run on fully distributed companies over the last 18 months, this is the framework we use: nine control domains that actually map to a "no office" reality, the seven traps that fail audits even when controls look strong, real budgets by company size, and the 60-day plan to be audit-ready without flying anyone anywhere.

Key Takeaways

  • A fully remote company is not a regular company with WFH days. The audit surface shifts: the office network disappears, the endpoint becomes the perimeter, identity becomes the access plane, and home routers, personal printers, and coffee-shop hotspots become part of the threat model whether you like it or not.
  • SOC 2, ISO 27001, HIPAA, and the EU GDPR all assume a physical-control story by default. An auditor who has only worked with hybrid clients will write a finding for "no physical security review" if you do not hand them the compensating-control narrative on day one.
  • The single most expensive mistake we see in remote audits is treating endpoint hardening as "MDM is installed". A real remote audit verifies encryption at rest, screen lock, OS patch state, browser extension inventory, USB policy, and screen-recording app inventory on every device, with evidence collected at the device level, not the policy level.
  • A correctly scoped remote-company audit for a 30 to 80 person SaaS runs USD 28,000 to USD 64,000 all-in across nine domains plus the auditor's opinion fee. Below 28,000 you are almost certainly buying a desk check. Above 64,000 the auditor is double-counting evidence between domains.
  • The nine domains that matter for a remote company: identity and access, endpoint security, network and home-WAN posture, SaaS sprawl and OAuth grants, data classification and DLP, secrets and key management, incident response with no NOC, vendor and sub-processor governance, and people controls including onboarding, termination, and travel.
  • The audit-readiness sprint is not 12 months. For a well-run remote company already on Google Workspace or Microsoft 365 with MDM, the gap-to-ready window is typically 45 to 90 days. The bottleneck is almost always evidence collection, not control implementation.

A founder of a 47-person fully distributed analytics company emailed me on a Tuesday morning. Her largest prospect (a US health insurer, USD 2.1 million ARR pending) had just sent a 38-page security questionnaire with a question that read: "Please describe your physical security controls and provide your most recent facility walkthrough report." Her company has no facility. Twelve states. Three time zones. Two continents. Everyone is on a laptop in a kitchen, a co-working day pass, or a guest bedroom.

Her previous auditor had told her she would need to "lease a small office for the audit period" so they could check that box. She had quoted USD 18,000 a year for a Sofia co-working space that nobody on the team would ever visit, plus the auditor's USD 6,500 travel budget. Total spend on theatre: roughly USD 24,500 to satisfy a question the regulator did not actually ask.

We answered her questionnaire in four lines. The company has no physical office; the relevant control surface is endpoint, identity, and home-WAN posture; here is the compensating-control narrative; here are the seven controls that take the place of facility controls; here is the auditor's signed letter confirming the framework. The deal closed eight days later. The lease was cancelled before it was signed.

From 23 audits we have run or shadowed on fully remote companies between 12 and 380 people in the last 18 months, this is the long version of that response. The nine-domain framework, the seven traps that catch remote-first teams, the real budgets, and the 60-day plan to be audit-ready without booking a single flight.

Context

Why a Fully Remote Audit Is Not a Hybrid Audit With Two Boxes Unchecked

If a SaaS company has no office, four assumptions baked into the standard audit playbook break at once. The first is that there is a network perimeter that aligns with a building. The second is that there is a single ISP that the security team controls. The third is that physical access controls (badge, lock, alarm) gate device access. The fourth is that the people who hold the company's most sensitive credentials sit close enough to one another that lateral spread is constrained by floor plan.

None of those assumptions hold in a remote-first company. The compensating control narrative replaces all four, and a strong auditor will accept it. A weak auditor will issue findings for the absence of the original assumptions instead. Choosing the right auditor is the single highest-leverage decision in a remote-first audit. The second is making sure the compensating story is written down before the auditor opens the file.

How the Audit Surface Shifts in a Fully Remote Company (23 audits, 12 to 380 employees, fully distributed, 2025-2026)

What disappears (or shrinks):
  • Office LAN and Wi-Fi
  • Visitor logs, badge readers, CCTV
  • Server room and printer room
  • Single-ISP egress monitoring
  • Centralised paper records
  • Network-attached printers in scope

What grows (and becomes load-bearing):
  • Endpoint as the perimeter
  • Identity as the access plane
  • SaaS as the data store
  • Home WAN as the new edge
  • DNS posture (DoH, malware blocking)
  • People controls (background, training)

New questions auditors should be asking (and almost never are by default):
  • How do you enforce screen lock on a device that lives in a shared kitchen?
  • What is your policy on family members using the work laptop in a hotel room?
  • How do you classify "office printer" risk when there is no office printer?

Where the typical hybrid-experience auditor goes wrong:
  • Writes a finding for missing physical security review (compensating story not requested)
  • Asks for facility walkthrough photos, signs a finding when none arrive
  • Misses that MDM "installed" is not the same as MDM "enforcing"
Figure 1. The shifted audit surface. Six items shrink or disappear. Six grow to take their place. Three new questions appear. Most legacy auditors miss all three.

The single most under-appreciated point: a remote company's data lives almost entirely in SaaS. Office 365 or Google Workspace, plus Notion, Slack, Linear, Salesforce, HubSpot, Stripe, Snowflake, and 30 to 90 other applications. The auditor cannot point at a server room and say "the data is there". The data is in 47 vendor accounts, each with its own access model, each with its own audit log, each with its own breach disclosure clock. A real remote audit treats SaaS sprawl as a first-class domain. A weak audit treats it as an appendix.

The compensating control narrative is a document, not a posture

Write a one-page narrative that names every physical control assumed by the framework (visitor log, badge, locked server room, CCTV, fire suppression, clean-desk audit) and explains, for each one, the specific remote-equivalent control you operate. Hand it to the auditor on day one. The audit then runs against your story, not against the auditor's hybrid-default assumptions. This single document has saved every remote audit we have run from at least two unnecessary findings.

The Framework

The Nine Domains That Define a Real Remote-Company Audit

Across 23 audits, the same nine domains keep showing up as either load-bearing or as the source of every finding. This is the structure we now hand to every engagement on day one. Each domain has its own evidence pack, its own SaaS-or-script source of truth, and its own owner. The shape matters: nine is enough to be honest about the surface, and few enough to keep the readiness sprint to one quarter.

The Nine Domains of a Fully Remote Audit (each domain has its own evidence pack, owner, and SaaS source of truth)

1. Identity and access
  • SSO coverage, MFA enforcement
  • Conditional access policies
  • Privileged access workflow
  • Joiner-mover-leaver SLA
  • Service account inventory

2. Endpoint security
  • MDM enforcement evidence
  • FDE on, screen lock 5 min
  • EDR live, alerts triaged
  • OS patch SLA (14 days)
  • Browser extension review

3. Network and home WAN
  • DNS posture (filtered DoH)
  • ZTNA or SASE in use
  • Public Wi-Fi policy
  • Home router hygiene survey
  • Egress monitoring (SaaS)

4. SaaS and OAuth
  • Application inventory (SSPM)
  • OAuth grant review monthly
  • DPA on every processor
  • Shadow-IT discovery
  • Tier 1 vendor list signed off

5. Data and DLP
  • Data classification policy
  • Email DLP (cloud-native)
  • Customer data egress controls
  • Backup and restore tested
  • Personal device data ban

6. Secrets and keys
  • Secrets manager in use
  • No long-lived AWS keys
  • Git secret scanning
  • Customer-managed keys policy
  • Recovery codes vault

7. Incident response
  • 24/7 escalation roster
  • Runbook tested quarterly
  • Forensic readiness kit
  • Legal hold workflow
  • Customer notification SLA

8. Vendor governance
  • Sub-processor list public
  • Vendor risk reviews annual
  • DPA inventory complete
  • SOC 2 of Tier 1 received
  • Breach-notification clause

9. People controls
  • Background check policy
  • Security training quarterly
  • Joiner kit (laptop, MFA)
  • Termination SLA 2 hours
  • Travel and high-risk-country policy
Figure 2. The nine domains of a remote-company audit. Each ships its own evidence pack. Each has a named owner. Each maps to specific SOC 2, ISO 27001, and HIPAA controls.

Two of these nine deserve special attention because remote-first companies consistently underestimate them. The first is SaaS and OAuth (domain 4). A 60-person SaaS we audited last quarter had 142 SaaS applications connected to its Google Workspace tenant, of which 38 had been granted "Read and write Drive" or wider scopes. Nine of those 38 had not been used in over six months. Three had no DPA on file. The second is people controls (domain 9), specifically the termination SLA. The median time from "let go" to "all SaaS access revoked" in the population we have measured is 38 hours. In a remote company, that 38 hours is the window where a disgruntled engineer can clone every repository to a personal device. The right SLA is 2 hours from termination notice to full revocation, executed by the joiner-mover-leaver automation, not by a human ticket.

The Traps

Seven Traps That Fail Remote Audits Even When the Controls Look Strong

These are the patterns that consistently produce findings even when the policy library is impeccable and the dashboards are green. Every one of them appears in at least 30 percent of the audits we have shadowed.

Trap 1. MDM installed is not MDM enforcing

A laptop enrolled in Kandji, Jamf, or Intune does not mean the policy is applied. We routinely find devices where the FDE policy is "installed" but the user has BitLocker suspended for a printer install three months ago. The right evidence is the live compliance report, exported to PDF on audit day, with a 100 percent line for every required setting. Anything less than 100 percent compliance triggers a finding.

Trap 2. The "personal device for personal use" workaround

Engineers swear they only use the work laptop for work. Half of them check Gmail and a couple of crypto wallets on it anyway. Auditors increasingly run a personal-account survey on audit day. A clean separation policy is impossible to enforce without browser-level controls (Chrome Enterprise, work profile isolation). If you do not have those, expect a finding on data leakage risk.

Trap 3. The SaaS application inventory that nobody runs monthly

A spreadsheet last updated 11 months ago is not an inventory. The auditor will pull the OAuth grant list directly from Google Workspace or Microsoft 365 admin and compare to your inventory. Mismatches above five entries trigger findings. The right approach is an SSPM tool (Nudge Security, AppOmni, or built-in Microsoft 365 / Google admin) with a monthly reconciliation owned by a specific person.
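The monthly review that domain 4 and Trap 3 describe, as an added example (not the author's tooling and not any SSPM vendor's code). It assumes a Workspace OAuth-token export already flattened to one record per app with the fields shown; the grant records and the inventory list are constructed, and only the Google scope URIs are real.

```python
"""Monthly OAuth grant review and inventory reconciliation (domain 4, Trap 3).

Flags the three things the article says auditors find: Drive-wide scopes,
wide scopes unused for six months, processors with no DPA, and drift
between the live grant list and the tracked inventory.
"""
from datetime import date, timedelta

# Real Google Drive OAuth scope URIs that grant read or write over every file.
WIDE_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}

# Constructed sample export (field names are assumptions, not Google's schema).
SAMPLE_GRANTS = [
    {"app": "Slack", "scopes": ["https://www.googleapis.com/auth/drive"],
     "last_used": "2026-05-28", "dpa_on_file": True},
    {"app": "Notion", "scopes": ["https://www.googleapis.com/auth/drive.readonly"],
     "last_used": "2025-09-10", "dpa_on_file": True},
    {"app": "Zapier", "scopes": ["https://www.googleapis.com/auth/drive"],
     "last_used": "2025-11-02", "dpa_on_file": False},
    {"app": "Calendly", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
     "last_used": "2026-05-30", "dpa_on_file": True},
    {"app": "Loom", "scopes": ["https://www.googleapis.com/auth/drive.file"],
     "last_used": "2026-04-15", "dpa_on_file": False},
    {"app": "OldCRM", "scopes": ["https://www.googleapis.com/auth/drive"],
     "last_used": "2025-01-20", "dpa_on_file": False},
]

# Constructed copy of the spreadsheet inventory the auditor will compare against.
SAMPLE_INVENTORY = ["Slack", "Notion", "Zapier", "Calendly",
                    "Figma", "Linear", "Asana", "Miro"]


def wide_scope_grants(grants):
    """Apps holding a Drive-wide scope ("Read and write Drive" or wider)."""
    return [g for g in grants if WIDE_DRIVE_SCOPES & set(g["scopes"])]


def stale_grants(grants, today, max_idle_days=180):
    """Grants not exercised in the last max_idle_days (six months by default)."""
    cutoff = today - timedelta(days=max_idle_days)
    return [g for g in grants if date.fromisoformat(g["last_used"]) < cutoff]


def reconcile_inventory(grants, inventory_apps, max_mismatches=5):
    """Compare live grants with the tracked inventory; more than five
    mismatches is the threshold the article says triggers a finding."""
    live, tracked = {g["app"] for g in grants}, set(inventory_apps)
    missing = sorted(live - tracked)   # connected but never inventoried
    gone = sorted(tracked - live)      # inventoried but no longer connected
    return {"missing_from_inventory": missing, "no_longer_connected": gone,
            "finding": len(missing) + len(gone) > max_mismatches}


def review(grants, inventory_apps, today_iso):
    """One monthly pass: wide scopes, wide-and-stale, no DPA, inventory drift."""
    today = date.fromisoformat(today_iso)
    wide = wide_scope_grants(grants)
    return {
        "wide_scope": sorted(g["app"] for g in wide),
        "wide_and_stale": sorted(g["app"] for g in stale_grants(wide, today)),
        "missing_dpa": sorted(g["app"] for g in grants if not g["dpa_on_file"]),
        "inventory": reconcile_inventory(grants, inventory_apps),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_GRANTS, SAMPLE_INVENTORY, "2026-06-01"), indent=2))
```

Each list in the result maps to one evidence line for the domain 4 pack; the named owner attaches the export it was computed from.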

Trap 4. The "we use 1Password" credential management story without recovery

1Password Business or Bitwarden is necessary but not sufficient. The audit question is what happens when the owner of a critical secret leaves the company on a Friday afternoon. If the answer is "we change the admin password", you fail. The right answer is a documented break-glass process, a separate emergency vault, recovery codes printed and sealed in two geographic locations, and a quarterly recovery dry run.

Trap 5. The incident response runbook nobody has tested

A 40-page runbook in Notion that has never been exercised under a stopwatch is a planning document, not a control. The auditor will ask for the last quarterly tabletop minutes. If those do not exist, expect a finding. The right cadence is one annual full simulation, one quarterly tabletop, and one monthly 15-minute table check on a specific subsystem. Document each one with a one-page after-action note.

Trap 6. The termination workflow that takes 38 hours

In the audit population we measured, the median revocation time from termination notice to last SaaS account disabled was 38 hours. The right number is 2 hours, enforced by IDP-driven automation (Okta, Entra ID, JumpCloud). If you do automation right, "fired at 14:00" means "deprovisioned across 60 apps by 14:15". If the workflow runs by Slack message to IT, an auditor will catch it.
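How the 38-hour median and the 2-hour target in Trap 6 are measured, as an added example rather than anything from the article or from an IdP vendor. It assumes a flattened view joining the HR termination notice time with per-application deprovisioning timestamps from the IdP log; the field names and the three leaver records are constructed.

```python
"""Termination SLA check (Trap 6): time from termination notice to the LAST
application disabled, per leaver, against the 2-hour target.

The window that matters is the last revocation, not the first: a leaver
whose Okta account is off in five minutes but whose Salesforce seat lives
for another day still has the 38-hour problem the article describes.
"""
from datetime import datetime, timedelta
from statistics import median

SLA = timedelta(hours=2)

# Constructed sample: HR notice time plus per-app deprovision times (UTC).
SAMPLE_TERMINATIONS = [
    {"user": "a.engineer", "notice": "2026-05-04T14:00:00",
     "deprovisioned": {"okta": "2026-05-04T14:03:00",
                       "github": "2026-05-04T14:05:00",
                       "aws": "2026-05-04T14:12:00"}},          # automated: 12 min
    {"user": "b.sales", "notice": "2026-05-11T09:30:00",
     "deprovisioned": {"okta": "2026-05-11T09:35:00",
                       "salesforce": "2026-05-12T23:30:00"}},   # manual ticket: 38 h
    {"user": "c.contractor", "notice": "2026-05-15T16:00:00",
     "deprovisioned": {"okta": "2026-05-15T16:20:00",
                       "github": "2026-05-16T10:00:00"}},       # next morning: 18 h
]


def _t(iso):
    return datetime.fromisoformat(iso)


def time_to_full_revocation(record):
    """Elapsed time from notice to the last app disabled for one leaver."""
    notice = _t(record["notice"])
    last = max(_t(ts) for ts in record["deprovisioned"].values())
    return last - notice


def sla_report(records, sla=SLA):
    """Median time-to-full-revocation plus every breach with its slowest app,
    which is the app (or the manual step) the automation still misses."""
    durations, breaches = [], []
    for rec in records:
        elapsed = time_to_full_revocation(rec)
        durations.append(elapsed)
        if elapsed > sla:
            slowest = max(rec["deprovisioned"], key=lambda app: _t(rec["deprovisioned"][app]))
            breaches.append({"user": rec["user"],
                             "hours": round(elapsed.total_seconds() / 3600, 2),
                             "slowest_app": slowest})
    return {"median_hours": median(durations).total_seconds() / 3600,
            "breaches": breaches}


if __name__ == "__main__":
    report = sla_report(SAMPLE_TERMINATIONS)
    print(f"median time to full revocation: {report['median_hours']:.1f} h")
    for b in report["breaches"]:
        print(f"  SLA breach: {b['user']} {b['hours']} h (slowest: {b['slowest_app']})")
```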

Trap 7. The home WAN survey that turns into a privacy fight

"Please confirm your home router has WPA2 or WPA3 enabled and the admin password is not the default" feels reasonable in a policy and feels invasive in a survey. The compromise that works: a self-attested annual survey (10 questions, 5 minutes) plus a mandatory ZTNA client that does not care about the home network. The point is not to certify the router. The point is to make the router irrelevant by enforcing identity-based access at the application layer.

The Numbers

Real Budgets for Remote-Company Audits by Size

These numbers come from 23 engagements priced in 2025 and 2026. They do not include the auditor's opinion fee (which is a separate line, USD 18K to USD 45K for a SOC 2 Type 2 from a mid-tier CPA firm). They cover the readiness, the evidence collection, the internal time cost, and one quarterly cycle of program operation post-audit.

Readiness budget by company size (readiness and annual maintenance in USD):
  • 10-25 employees, SOC 2 Type 1 only: readiness 14,000 - 28,000; time to ready 45 - 75 days; annual maintenance 18,000 - 32,000
  • 26-60 employees, SOC 2 Type 2: readiness 28,000 - 48,000; time to ready 60 - 100 days; annual maintenance 36,000 - 62,000
  • 61-150 employees, SOC 2 Type 2 + ISO 27001: readiness 48,000 - 86,000; time to ready 90 - 140 days; annual maintenance 68,000 - 118,000
  • 151-380 employees, SOC 2 + ISO 27001 + HIPAA: readiness 86,000 - 164,000; time to ready 120 - 180 days; annual maintenance 125,000 - 218,000

Two numbers stand out. The first is that readiness for a 30 to 60 person remote SaaS hitting SOC 2 Type 2 for the first time is consistently USD 28K to USD 48K. Anyone quoting under USD 18K for that profile is selling a checkbox exercise and will fail the audit. Anyone quoting over USD 70K is double-counting evidence collection with policy authoring, which is what bad readiness firms do. The second is that the readiness window is 60 to 100 days, not 12 months. The myth that SOC 2 readiness takes a year applies to companies starting from no security program. A remote-first SaaS already running Okta, Kandji, and a secrets manager is 75 percent of the way there.

Where the auditor's opinion fee really lands

Big 4: USD 65K to USD 120K, the brand premium buys nothing technically. Tier 2 (BDO, Grant Thornton, Crowe): USD 35K to USD 65K, defensible across most enterprise customer reviews. Specialist boutique (Schellman, A-LIGN, Prescient Assurance, KirkpatrickPrice): USD 18K to USD 45K, the right choice for 95 percent of remote-first SaaS. The boutique brand is the operational answer for companies under 200 employees.

Evidence

How to Collect Evidence When There Is No Office to Walk Through

Evidence collection is the single biggest sink of internal hours during a remote audit. The teams that get it right run the audit on the same automation rails they already use for engineering: dashboards, dated exports, signed-off snapshots, all in a versioned evidence repository. The teams that get it wrong run it on Slack threads and ad-hoc screenshots, lose track of which version of which screenshot the auditor accepted, and burn 80 to 120 internal hours that should have gone to product.

The model that works for a 50-person SaaS: a private GitHub repository named "audit-evidence-{year}", one folder per domain (1-identity, 2-endpoint, 3-network, and so on), and a "collect.sh" script that pulls fresh exports from every relevant SaaS console at the start of the audit window. Every artifact is dated. Every artifact is signed off by the named owner. The auditor gets read access to the repo for the duration of the engagement.

Evidence Collection Pipeline (No Office Required): from SaaS console to signed-off evidence pack in 5 steps

1. Source: Okta / Entra ID, Kandji / Intune, Google admin, AWS / Azure
2. Export: API or CLI pull, CSV / JSON, dated filename, auto-timestamped
3. Repo: private GitHub, 9 domain folders, versioned (git), branch per audit
4. Sign off: owner approves, PR review, hash recorded, audit log entry
5. Auditor: read-only access during the audit window only

What the auditor accepts (in this order):
1. Native SaaS console export with a visible timestamp and admin user (gold standard)
2. Screen recording of an admin executing the query live, with the query visible and dated
3. Screenshot taken on audit day, with a visible date and browser URL in the chrome
4. A Notion or Confluence policy page (only valid for written policies, never for live state)
5. A Slack message from the owner (almost never accepted; auditors tend to follow up asking for 1 or 2)
Figure 3. The five-step evidence pipeline. Same engineering discipline you already use for code. Auditor preference order shown for what gets accepted on the first pass.
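Steps 2 to 4 of the pipeline (dated export into a domain folder, hash recorded, sign-off left to the owner's PR review) as an added example; this is not the author's collect.sh. It assumes the folder layout the article describes (1-identity, 2-endpoint, and so on) and uses a constructed Okta-style CSV in place of a real API pull.

```python
"""Store and verify evidence artifacts in the audit-evidence repo layout.

store_artifact() names the file by UTC collection time and source, and
records its sha256 and owner in a manifest. verify_manifest() is the check
an auditor (or a pre-merge hook) runs to confirm nothing in the pack was
edited after it was pulled.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

DOMAIN_FOLDERS = {
    1: "1-identity", 2: "2-endpoint", 3: "3-network", 4: "4-saas", 5: "5-data",
    6: "6-secrets", 7: "7-incident", 8: "8-vendor", 9: "9-people",
}
MANIFEST = "MANIFEST.jsonl"

# Constructed stand-in for a native console export (not real Okta output).
SAMPLE_OKTA_USERS_CSV = (
    b"login,status,mfa_enrolled,last_login\n"
    b"a.engineer@example.com,ACTIVE,true,2026-05-29T08:11:00Z\n"
    b"b.sales@example.com,DEPROVISIONED,true,2026-05-10T17:02:00Z\n"
)


def store_artifact(repo, domain, source, name, payload, owner, collected_at):
    """Write payload as <repo>/<domain folder>/<UTC stamp>_<source>_<name>,
    append its sha256 and owner to the manifest, and return the entry."""
    folder = os.path.join(repo, DOMAIN_FOLDERS[domain])
    os.makedirs(folder, exist_ok=True)
    fname = f"{collected_at.strftime('%Y%m%dT%H%M%SZ')}_{source}_{name}"
    with open(os.path.join(folder, fname), "wb") as fh:
        fh.write(payload)
    entry = {
        "domain": DOMAIN_FOLDERS[domain],
        "file": fname,
        "sha256": hashlib.sha256(payload).hexdigest(),
        "owner": owner,
        "collected_at": collected_at.isoformat(),
        "signed_off": False,  # flipped by the owner's PR review, never by the script
    }
    with open(os.path.join(repo, MANIFEST), "a", encoding="utf-8") as mf:
        mf.write(json.dumps(entry) + "\n")
    return entry


def verify_manifest(repo):
    """Recompute every recorded hash; return files whose bytes changed."""
    changed = []
    with open(os.path.join(repo, MANIFEST), encoding="utf-8") as mf:
        for line in mf:
            entry = json.loads(line)
            path = os.path.join(repo, entry["domain"], entry["file"])
            with open(path, "rb") as fh:
                if hashlib.sha256(fh.read()).hexdigest() != entry["sha256"]:
                    changed.append(entry["file"])
    return changed


def demo():
    """Collect one artifact, verify it, then edit it in place and verify again."""
    with tempfile.TemporaryDirectory() as repo:
        when = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
        entry = store_artifact(repo, 1, "okta", "users.csv",
                               SAMPLE_OKTA_USERS_CSV, "it-lead", when)
        clean = verify_manifest(repo)
        with open(os.path.join(repo, entry["domain"], entry["file"]), "ab") as fh:
            fh.write(b"z.ghost@example.com,ACTIVE,false,2026-05-31T00:00:00Z\n")
        return entry, clean, verify_manifest(repo)


if __name__ == "__main__":
    e, before, after = demo()
    print(e["file"], e["sha256"][:12], "changed before edit:", before, "after:", after)
```

In the real repo the manifest line is what the owner's PR approves, so the auditor can re-hash the file they were given against the commit history rather than trusting a screenshot.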

One subtle point on auditor preferences: the gold-standard "native console export" is preferred not because it is fancier, but because the auditor can re-execute the same export themselves if asked. A screenshot can be doctored. A native export from Okta or Microsoft 365 with the admin user visible and the date in the chrome can be replayed by the auditor in five minutes. The same control evidence that lets you respond to a customer questionnaire in two days also lets the auditor close a control in 90 seconds.

The Plan

A 60-Day Plan from Pending to Audit-Ready (For a 30 to 80 Person Remote SaaS)

If you start today with Google Workspace or Microsoft 365 already in place, an SSO of some shape, and a basic MDM rollout, this is the schedule that gets you to a defensible audit posture in 60 days. The constraints are calendar and senior engineering time, not budget. Roughly 70 to 120 hours of internal engineering, 40 to 70 hours of security advisory or vCISO time, and 15 to 25 hours of executive review.

60-Day Plan to Remote-Audit-Ready: weeks 1-2 (gap and scope), weeks 3-6 (remediate and document), weeks 7-8 (rehearse)

Weeks 1-2: Gap and scope
  • Pick framework (SOC 2 / ISO)
  • Engage boutique auditor
  • Run 9-domain gap analysis
  • Name domain owners
  • Compensating-control doc
  • Set up evidence repo
  • Inventory SaaS apps (SSPM)
  • Lock down IDP integration
  • Sign engagement letter

Weeks 3-6: Remediate
  • MDM 100 percent compliance
  • MFA on every account
  • Joiner-leaver automation
  • DPA portfolio complete
  • Secrets vault break-glass
  • Incident runbook tabletop
  • Patch SLA enforced
  • Policy library v1
  • Sub-processor page live

Weeks 7-8: Rehearse
  • Mock auditor walk-through
  • Evidence pack dry run
  • Owner interviews scripted
  • IR tabletop final pass
  • Customer questionnaire test
  • Trust portal v1 published
  • Kickoff with the auditor
  • Audit window opens
  • First evidence pull

Day 60 outcome: defensible posture, mock audit clean, real audit opens, first findings list expected under 5
Figure 4. The 60-day plan. Two weeks to scope, four weeks to remediate, two weeks to rehearse. Day 60 closes with the audit window opening with a credible chance of fewer than five findings.

Two notes on calendar. First, weeks 3 to 6 are calendar-bound, not effort-bound. You cannot compress them by adding people. MDM rollout to 50 endpoints takes a week of nag-and-chase regardless of how many engineers you have. DPA portfolio completion depends on vendor response times. Joiner-leaver automation needs a clean test cycle. Second, the mock auditor walk-through in weeks 7-8 is the single highest-leverage activity in the entire plan. A two-hour mock with a real ex-auditor will surface every weak control narrative two weeks before the real audit, when you can still fix it.

FAQ

Frequently Asked Questions

Do we really need to "lease an office for the audit period" as our previous auditor suggested?

No. SOC 2 trust services criteria, ISO 27001 Annex A, and the HIPAA Security Rule all accept compensating controls when a control is "not applicable" because of the operating model. The right document is a written compensating-control narrative signed by the named owner of each domain. If your auditor refuses to accept this for a fully remote operation, find another auditor. Two of the four boutiques we name in section 4 have done dozens of all-remote engagements without a physical walkthrough.

SOC 2 Type 1 first or straight to Type 2?

If your largest pending deal is six weeks away and procurement says "SOC 2 will do", Type 1 first to unblock the deal, then Type 2 on a 6-month observation window. If your largest deals are 12 months out and you have an open runway, skip Type 1 and go directly to a 3-month or 6-month Type 2 observation. Type 1 is a snapshot of control design; Type 2 is operating effectiveness across a window. Buyers care about Type 2 in the end. Type 1 is the bridge that buys you the time to get to Type 2 honestly.

Can we use Vanta, Drata, or Secureframe as the entire program?

For roughly 70 percent of controls, yes. They are excellent at evidence collection from cloud APIs, MDM, and the major SaaS apps. They are weak at: compensating-control narrative authoring, vendor risk reviews with substance, incident response tabletop facilitation, and customer questionnaire response. The right configuration for a remote SaaS is the compliance automation tool for evidence, plus a vCISO or boutique advisor for the four weak spots. Tool-only programs walk into audit with green dashboards and 8 to 12 findings on average.

How do we audit a team distributed across five countries?

The framework above is jurisdiction-agnostic for endpoint, identity, and SaaS. The places where geography matters: data residency (Snowflake region, RDS region, Vercel deployment region), GDPR data subject rights workflows for EU employees and customers, local employment law for background checks and termination, and travel policy for high-risk countries. Document the country list in the compensating-control narrative. Pick one cloud region per critical data class and stick to it. Most auditors accept a single multi-country posture if the data residency is consistent.

What about BYOD? Some of our contractors use their own laptops.

BYOD is the single biggest scope booby trap in a remote audit. The clean answer is: company-owned and managed laptop for any account that touches customer data, period. If a contractor will not accept this, they should not be in scope. If you must allow BYOD (rare, expensive), use a Citrix or Cloud PC virtual workstation pattern so the customer data never reaches the personal device. Treating BYOD as "we just enroll the MDM" produces findings every time, because the user can deny enrollment, uninstall the agent, or factory-reset and you have no recourse.

Our auditor wants to fly out to interview the security lead. Is that required?

No, and you should push back. Every SOC 2 and ISO 27001 auditor we have worked with in the last 18 months has been comfortable with video interviews recorded with consent. The auditors who insist on travel either have a billable-hours model that depends on it or have not refreshed their methodology for remote-first clients. Politely decline the travel line item and offer a calendar of structured video interviews instead. If the auditor refuses, that is a signal to switch.


Alexander Sverdlov

Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.