Controls testing and evidence collection can be burdensome not only for compliance and audit professionals, but also for the stakeholders they engage with. Teams can save time, improve consistency, and move closer to real-time results by designing automations to perform testing or collect evidence.
AuditBoard’s InfoSec Survival Guide: Achieving Continuous Compliance explores what compliance professionals should consider when approaching automation. Download the full guide here, and read on below to learn how to begin optimizing testing and evidence collection using technology.
Controls Testing Foundational Elements
The most important consideration for your compliance program is your controls inventory (or controls library). A clearly organized controls inventory should provide traceability to your frameworks, requirements, and assets, allowing you to scope your assessments with ease. Traditionally, control inventories are built from a spreadsheet-based risk and control matrix. However, this method often yields data inconsistencies, especially when users forget to update their data; a single stale entry can then propagate inconsistencies throughout the spreadsheet.
Building your controls library using a connected risk solution helps to establish an organized database where your controls can be inventoried by asset owner and framework — a dependency for any optimization you build into your testing program thereafter. Automating any process depends on having complete jurisdiction over your assets and their underlying data structures; otherwise, the linkages between your data points will break as those data points start to change. An integrated compliance management solution is one of the best available means to ensure your data is organized in a meaningful and reliable manner.
In many cases, testing procedures are poorly documented or not documented at all. Maintaining documented testing procedures builds consistency in the approach taken by compliance professionals and also sets expectations when those procedures are shared with stakeholders. Once you have built your testing processes, incorporating automation and technology is the next step to maximize the efficiency of your testing program.
For example, instead of manually checking if a password configuration meets a standard once a quarter or once a year, teams can build an automation to check the password configuration daily and produce a failing result on a control.
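As an added illustration of the daily password-configuration check described above (example code written for this page, not AuditBoard's product or any real system's API), the script below compares a collected policy export against a hypothetical standard and emits a control result that fails when any setting is missing or out of tolerance:

```python
"""Automated control test: evaluate a password policy export against a standard."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical standard for this example. "min" means the configured value must
# be >= the threshold, "max" means <= the threshold, "eq" means exactly equal.
PASSWORD_STANDARD = {
    "min_length": ("min", 14),
    "history_size": ("min", 24),
    "max_age_days": ("max", 365),
    "lockout_threshold": ("max", 10),
    "complexity_enabled": ("eq", True),
}


@dataclass
class ControlResult:
    control_id: str
    status: str                    # "pass" or "fail"
    findings: list = field(default_factory=list)
    tested_at: str = ""            # UTC timestamp, the evidence of when the test ran


def evaluate_password_policy(control_id, policy, standard=PASSWORD_STANDARD):
    """Compare a collected policy export (a dict) against the standard.

    A setting absent from the export is treated as a failure: missing evidence
    cannot demonstrate that the control is operating.
    """
    findings = []
    for setting, (comparison, threshold) in standard.items():
        if setting not in policy:
            findings.append(f"{setting}: not present in collected configuration")
            continue
        value = policy[setting]
        if comparison == "min":
            ok = value >= threshold
        elif comparison == "max":
            ok = value <= threshold
        else:
            ok = value == threshold
        if not ok:
            findings.append(f"{setting}: configured {value!r}, standard requires {comparison} {threshold!r}")
    status = "fail" if findings else "pass"
    return ControlResult(control_id, status, findings, datetime.now(timezone.utc).isoformat())


# Constructed sample exports (not from any real system); the first fails, the second passes.
WEAK_POLICY = {"min_length": 8, "history_size": 5, "max_age_days": 365, "lockout_threshold": 10}
COMPLIANT_POLICY = {"min_length": 14, "history_size": 24, "max_age_days": 180,
                    "lockout_threshold": 5, "complexity_enabled": True}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("compliant", COMPLIANT_POLICY)):
        result = evaluate_password_policy("AC-PW-01", policy)
        print(name, result.status, *result.findings, sep="\n  ")
```

Scheduled daily, the returned `ControlResult` (status, findings, timestamp) is the artifact to store against the control rather than a screenshot taken once a year.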
In cases where the testing requires more discretion by a professional, automation can be applied to other areas of the testing process such as pulling a population and sample selection.
Evidence collection is also an ideal area to begin optimizing using automation, which can eliminate the urgent fire drills of evidence collection to the benefit of both control owners and testers. Scheduling repeatable requests saves testers the time spent following up manually. One way to achieve this is with cloud-based collaboration and project management applications such as Slack and Jira.
Another way to achieve automated evidence collection is by using a compliance management solution to schedule evidence requests from a centralized location. The benefit of a centralized platform is that it provides a structured repository of evidence collected. Because your controls data is linked throughout the platform, the linkages between a control, its associated framework/requirement, and its evidence are clearly delineated. This allows testing workflows to be easily created, scheduled, and repeated. Furthermore, questions from control owners can be answered in the platform itself, relieving a huge administrative burden for testers in terms of following up over email. Other features of a modern compliance solution that optimize the evidence collection process include:
- Automated timestamps when evidence is submitted in the platform.
- Automatic notifications to reviewers when it is time to validate the effectiveness of a control.
- Record of prior year’s responses, allowing new team members to understand what was done the previous year.
- Consistent and standardized report formats.
- Real-time reporting, allowing for faster issue identification and more time for remediation.
To learn more best practices for optimizing your InfoSec compliance program, download the full ebook, The InfoSec Survival Guide: Achieving Continuous Compliance.
John Volles, CISA, is a Director of Information Security Compliance responsible for managing AuditBoard’s compliance, risk, and privacy obligations as well as helping customers understand AuditBoard’s security posture and position. John joined AuditBoard from EY, where he reviewed and implemented client compliance programs and supporting technologies. Connect with John on LinkedIn.