This article originally appeared on the ISACA Blog.
In our roles on the information security team at AuditBoard, we have the privileged opportunity to work with some of the largest, most sophisticated compliance teams on the planet. As a result of those relationships we are able to understand how the compliance function is changing to face evolving challenges like increased regulatory complexities, increasing institutional oversight, and the workplace’s digital transformation.
Here, we’ll share some of the key challenges we see compliance teams facing today, and outline a compliance automation journey that can help resolve bottlenecks, streamline workflows, and free up your team to focus on the activities that matter.
Current Challenges in Compliance Cause Friction
There are many factors creating challenges for compliance professionals in 2023. Central to all of the challenges is the fact that complexity in the world of compliance is on the rise and legacy processes hinder efficiency for both compliance teams and control owners.
These challenges include expanding regulatory oversight, with changing requirements that accompany the many transformations in today's business. Recent and pending requirements include the Cyber Security Initiative, the SEC's rules on ESG disclosure and cybersecurity reporting, and evolving state regulations around data privacy. The pandemic-forced digital transformation has also expanded the attack surface available to the growing number of threat actors targeting today's organizations.
To keep pace, legacy compliance teams must reframe their processes. Old-fashioned, point-in-time audits miss things that happen between audits, and control testing programs based on periodic evaluation lose the opportunity to enforce compliance year-round. In addition, industry requirements around third parties are increasing as regulators react to the evolving landscape. Ad hoc, one-off evidence requests interrupt control owners' day-to-day operations.
The recipients of those requests (control owners and the teams being assessed) are burdened in parallel with compliance professionals by the growth in requests and changes in the environment. Recipients often lack visibility into the larger purpose of the request and get little credit for fulfilling it. There are countless cases where an individual supplies the same piece of support for multiple audits or assessments throughout the year, and the resulting audit fatigue can turn them into an adversarial part of the process.
Compliance Automation Journey
Automating compliance helps to streamline processes, free resources, and improve cross-team relations and morale. A consistent, streamlined system allows teams to have regular check-ins that flag irregularities in a timely fashion, and gives teams the time they need to focus on priority projects. Here's how to get started:
1. Inventory and Organize Needs: Create a controls inventory and catalog testing activities. From the inventory of controls and tests, identify the use cases where automation would benefit a process or compliance activity.
2. Identify Data Sources: Determine the data sources needed to enable automation. In some cases, this is the collation of various data sources, and in others it is enabling an integration to seamlessly pass data or artifacts between systems.
3. Evaluate Frequency and Look for Time-Based Risks: Increase the assessment frequency for high-risk controls, close the gaps between point-in-time assessments, and build continuous monitors that automatically collect artifacts and run the testing procedures.
4. Work in Stages: Start small. End-to-end continuous process automation is hard and should be taken in steps. Consider compliance needs in addition to technology needs. You may not have everything you need at the start, and that’s ok.
5. Practice Continuous Improvement: The end goal is real-time assessment that reduces business risk; each iteration should move more controls from periodic evidence requests to automated collection and testing.
Moving Forward With Compliance Automation
Take your business to the next level by automating your processes and freeing team time. To move forward, teams should consider pursuing training and learning opportunities that build data engineering experience, augmenting existing capabilities with continuous monitoring tools, and implementing purpose-built compliance management software. When your program is enabled by compliance automation, you'll be well-positioned to get more out of team inputs, find efficiencies, and gain workflow improvements.
Richard Marcus, CISA, CRISC, CISM, TPECS, is VP, Information Security at AuditBoard, where he is focused on product, infrastructure, and corporate IT security, as well as leading the charge on AuditBoard’s own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases. Connect with Richard on LinkedIn.
John Volles, CISA, is a Director of Information Security Compliance responsible for managing AuditBoard’s compliance, risk, and privacy obligations as well as helping customers understand AuditBoard’s security posture and position. John joined AuditBoard from EY, where he reviewed and implemented client compliance programs and supporting technologies. Connect with John on LinkedIn.