Achieving Continuous Compliance and IT Control Automation
This article originally appeared on the ISACA blog.
Every organization has to comply with regulations and control frameworks. As assurance professionals, we are often tasked with understanding the compliance requirements, validating the compliance controls’ design, and then testing the control effectiveness. When we undertake this task, many control owners seem caught off guard and stress about providing evidence. To make this process work more efficiently, leading organizations are adopting continuous compliance. When looking for a place to start with continuous compliance, we target highly repetitive areas and involve well-defined parameters. IT controls are a great place to start the continuous compliance conversation. This article will use access controls as an example for continuous compliance.
What Does Continuous Compliance Mean?
Continuous compliance is a proactive approach to maintaining the requirements set by frameworks and regulations across your business environment on an ongoing basis. As a proactive approach, the goal in continuous compliance is to recognize that the requirements always exist, not just during an audit, but as part of daily operations. With this mindset, the compliance control owners understand that at regular intervals, they are providing evidence they have been maintaining instead of scrambling to create or produce the evidence reactively.
How Do We Achieve Continuous Compliance?
Building a common internal controls framework is the first step to achieving continuous compliance, especially in a multi-regulation environment. Building a compliance framework crosswalk allows you to map your controls to multiple frameworks or regulations at once and reduce or eliminate redundant testing. An effective crosswalk allows you to test more efficiently and reduce audit fatigue. In the illustration below, you can see an example of a control requiring the creation of an IT policy. This internal control is then cross-referenced to five different regulations, all with the related requirement. By testing this control once, we satisfy compliance with all the mapped frameworks and regulations, and we only had to ask for the documentation once.
For the second step, we look to technology enablement to facilitate reminders and evidence gathering. Implementing compliance management software to automate key processes will provide the ability to set attestation reminders at regular intervals to prompt the control owners to review the controls, make needed updates, inform others impacted about the change, collect approvals if needed, and finally to provide evidence of compliance. On the assurance side of the equation, the compliance team monitors exception reporting for missing data and reviews the provided supporting documentation.
Conclusion
By enhancing our control documentation to include cross-references to multiple regulations and frameworks and then implementing continuous compliance automation software, we can reduce the stress on the control owners, streamline testing, and change the cultural mindset to one of proactive, continuous compliance.
Tony Luciani is a Senior Manager of Product Solutions at AuditBoard. Prior to AuditBoard, Tony served as IT Risk and Compliance Manager at Sony Pictures. As a former InfoSec consultant, PCI QSA, and CCSFP Assessor, his experience ranges from performing gap/attestation assessments (i.e. NIST, ISO, CIS, SOC2, PCI, HITRUST, etc.) to facilitating IT risk management programs for customers across multiple industries. Connect with Tony on LinkedIn.