Without the right context, control owners can easily let their compliance responsibilities slide to the bottom of their priority list. One way to proactively combat this is to turn compliance into a collaborative process, rather than enforcing a testing methodology on your stakeholders.
AuditBoard’s new ebook, The InfoSec Survival Guide: Achieving Continuous Compliance, uncovers opportunities where you can show your stakeholders you are their allies — and create efficiencies in the process. Download the full guide here, and read on below to learn six efficiency hacks to streamline controls testing.
The following are tips to build efficiency and positive rapport with your stakeholders throughout policy development and testing:
- Design control activities with the input of process owners. The goal of continuous compliance is to recognize that requirements always exist — not only during an audit but as a part of daily operations. If this is effectively conveyed, control owners will understand that at regular intervals, they will be providing evidence they have been maintaining — instead of scrambling to create or produce the evidence reactively. Utilize the control design stage to help your stakeholders improve and optimize their business processes. Not only does this help to embed compliance into their process as naturally as possible, but it also makes compliance a clear win for your control owners by adding value to their line of business.
- Ask for process owner feedback during requirement review. Oftentimes control owners can have limited insight into their applicable framework requirements because they have not been sufficiently briefed by compliance teams. Get ahead of this by requesting stakeholder feedback during your requirement review stage. Not only does this help to refine your scope, but it also can result in de-scoping something from a stakeholder’s world — creating more efficiency all around. This underscores the importance of truly understanding your stakeholder’s day-to-day process during discovery: you may learn something is not even applicable based on how their process actually works.
- Define the test procedures and share them with control owners. It is essential to create a defined and repeatable way to test controls. This is important because failing to establish the correct principles, information, and understanding of your compliance environment will render any automation or continuous monitoring efforts useless. Your test procedures should:
  - Include prescriptive guidance on what evidence you will be requesting — and define what qualifies as evidence.
  - Define the steps assessors are expected to follow in order to evaluate the effectiveness of a control.
  - Include the references to the systems, locations, and personnel that you will need access to in order to complete the test. (This is useful for automation and preventing loss of continuity if you have turnover on your team.)
  - Be shared with control owners before testing to minimize any confusion or surprise during testing.
- When planning your testing schedule, take a proactive and risk-based approach. Aim to create efficiency and efficacy, not to boil the ocean all at once.
  - Group your requirements by business function or overarching regulation, and specify the time frame when each of those groups will be tested (monthly, quarterly, etc.).
  - Use a risk-based approach to stagger your testing to focus on higher-risk areas first, which may even result in de-scoping some areas.
  - Add the scheduled period as a data point within your risk assessment to ensure testing coverage of all necessary requirements.
- When building your common or baseline control set, start small. Focus on what is most relevant to your industry and organization — and most importantly, what the highest risks are. Biting off more than you can chew can result in ending up with an enormous control count that is neither efficient nor aligned with risk priorities. A better practice is to start small by taking a risk-based approach, focusing on the most urgent risks first, and then expanding. For example, consider starting with the CIS top 20 controls as your baseline rather than NIST 800-53.
- Lean on trusted industry peers and resources. There are peers in your industry — external and co-source auditors — who have gone through the work of designing control libraries and common control sets before and have insights into the process. Starting from scratch can be daunting — and inefficient — when you can access these resources instead. An expert’s knowledge and experience will benefit your control design process from a data integrity perspective, as they have vetted the process before and can provide best practices and proactive solutions to common pain points.