Editor’s note: The following is a sponsored blog post from AuditBoard:
Every organization has to comply with regulations and control frameworks. As assurance professionals, we are often tasked with understanding the compliance requirements, validating the design of the compliance controls, and then testing their operating effectiveness. When we undertake this task, many control owners are caught off guard and stress about producing evidence. To make this process run more efficiently, leading organizations are adopting continuous compliance. When looking for a place to start, we target areas that are highly repetitive and have well-defined parameters, which is why IT general controls are a natural starting point for the continuous compliance conversation. This blog post uses access controls as the example.
What Does Continuous Compliance Mean?
Continuous compliance is a proactive approach to maintaining the requirements set by frameworks and regulations across your business environment on an ongoing basis. The goal is to recognize that the requirements always apply, not just during an audit, but as part of daily operations. With this mindset, control owners provide, at regular intervals, evidence they have been generating and retaining all along (access review sign-offs, ticket records, system-generated reports), instead of scrambling to create or reconstruct evidence reactively when the auditor asks.
How Do We Achieve Continuous Compliance?
Building a common internal controls framework is the first step to achieving continuous compliance, especially in a multi-regulation environment. A compliance framework crosswalk maps each internal control to the corresponding requirement in every framework or regulation you are subject to, so one control test can be credited to all of them and redundant testing is reduced or eliminated. An effective crosswalk lets you test more efficiently and reduces audit fatigue. In the illustration below, an internal control requiring the creation of an IT policy is cross-referenced to five different frameworks and regulations, each of which contains a related requirement. By testing this control once, we evidence the shared element (a documented, approved policy) for all the mapped frameworks and regulations, and we only had to ask the control owner for the documentation once. One caveat: a crosswalk only removes duplicate testing where the requirements are genuinely equivalent. Some of the mapped citations below go beyond a policy document (for example, HIPAA's technical access control standard and SOX's assessment of control effectiveness), and those additional elements still need their own controls and tests rather than being credited to the policy control.
For illustrative purposes only:

Example internal control: Establish a policy that defines rules, regulations and guidelines for proper usage and maintenance of technological assets to ensure their ethical and acceptable use and assure the health, safety and security of data, products, facilities and the people using them.

ISO 27001:2013 (Access Controls), A.9.1.1 Access control policy: An access control policy should be established, documented and reviewed based on business and information security requirements.

PCI DSS Requirement 7.3: Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

HIPAA 45 CFR § 164.312(a)(1), Technical safeguards, Access control (the quoted text is the technical safeguards standard; it references the § 164.308 administrative safeguard for information access management): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4) [Information Access Management].

SOX Section 404(a)(2): [The internal control report shall] contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

GLBA, 15 U.S.C. § 6801(b): In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards.
The second step is technology enablement to handle the reminders and evidence gathering. Compliance management software that automates the key processes can issue attestation reminders at each control's defined interval, prompting the owner to review the control, make any needed updates, inform others affected by the change, collect approvals where required, and finally attach evidence of compliance. Wherever possible that evidence should be system-generated (an export of the access list, the ticket showing the access review was performed) rather than a screenshot assembled on request, so that it is reproducible and hard to backdate. On the assurance side, the compliance team monitors exception reporting for controls with missing or stale evidence and reviews the supporting documentation that was provided.
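To make the two steps concrete, the following is an added example (not code from the AuditBoard post or its product) that models a small crosswalk register and the cadence check behind attestation reminders and exception reporting. The control IDs, owners, cadences, dates and the framework references in the sample register are constructed assumptions for illustration, not a real control set.

```python
"""
Added example, not code from the AuditBoard post: a minimal model of a
control crosswalk plus the attestation-cadence check a continuous-compliance
tool runs to drive reminders and exception reports. All control IDs, owners,
cadences, dates and framework references below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Control:
    control_id: str
    description: str
    mappings: dict[str, str]      # framework -> requirement reference (one crosswalk row)
    cadence_days: int             # how often the owner must re-attest and attach evidence
    owner: str
    last_evidence: Optional[date]  # None means evidence has never been provided


# Constructed sample register (illustrative mappings, not a reviewed crosswalk).
CONTROLS = [
    Control("IC-001", "Access control / acceptable-use policy established and reviewed",
            {"ISO 27001:2013": "A.9.1.1", "PCI DSS": "7.3",
             "HIPAA": "164.312(a)(1)", "SOX": "404(a)(2)", "GLBA": "6801(b)"},
            cadence_days=365, owner="ciso", last_evidence=date(2023, 1, 10)),
    Control("IC-014", "Quarterly privileged-account access review",
            {"ISO 27001:2013": "A.9.2.5", "PCI DSS": "7.2"},
            cadence_days=90, owner="iam-lead", last_evidence=date(2024, 1, 15)),
    Control("IC-022", "Leaver access removed within 24 hours of termination",
            {"ISO 27001:2013": "A.9.2.6", "HIPAA": "164.308(a)(3)"},
            cadence_days=30, owner="helpdesk", last_evidence=None),
    Control("IC-030", "Quarterly user access recertification for the finance system",
            {"SOX": "404(a)(2)", "ISO 27001:2013": "A.9.2.5"},
            cadence_days=90, owner="finance-apps", last_evidence=date(2023, 11, 10)),
]


def requirements_met(framework: str, controls: list[Control]) -> list[str]:
    """Requirement references in `framework` that the internal controls evidence."""
    return sorted(c.mappings[framework] for c in controls if framework in c.mappings)


def dedup_benefit(controls: list[Control]) -> tuple[int, int]:
    """(evidence requests you actually make, framework requirements they satisfy).
    The gap between the two numbers is the redundant testing the crosswalk removes."""
    return len(controls), sum(len(c.mappings) for c in controls)


def exception_report(controls: list[Control], today: date, warn_days: int = 14) -> list[dict]:
    """Continuous-compliance check run on a schedule: flag controls whose evidence is
    missing, older than the cadence (overdue), or about to expire (due_soon), with the
    owner who should receive the reminder. Ordered most severe first."""
    rank = {"missing": 0, "overdue": 1, "due_soon": 2}
    findings = []
    for c in controls:
        if c.last_evidence is None:
            findings.append({"control": c.control_id, "owner": c.owner,
                             "status": "missing", "days": None})
            continue
        due = c.last_evidence + timedelta(days=c.cadence_days)
        if today > due:
            findings.append({"control": c.control_id, "owner": c.owner,
                             "status": "overdue", "days": (today - due).days})
        elif today >= due - timedelta(days=warn_days):
            findings.append({"control": c.control_id, "owner": c.owner,
                             "status": "due_soon", "days": (due - today).days})
    return sorted(findings, key=lambda f: (rank[f["status"]], f["control"]))


if __name__ == "__main__":
    tests, reqs = dedup_benefit(CONTROLS)
    print(f"{tests} evidence requests cover {reqs} framework requirements")
    print("PCI DSS requirements evidenced:", requirements_met("PCI DSS", CONTROLS))
    for f in exception_report(CONTROLS, date(2024, 2, 1)):
        print(f"{f['status']:9} {f['control']} owner={f['owner']} days={f['days']}")
```

Running the report with a fixed "today" keeps the check deterministic, which matters when the output itself becomes audit evidence; in production the same function would run from a scheduler against the live control register and the findings would feed the reminder and exception workflow.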
A Change in Mindset
By enhancing our control documentation with cross-references to multiple regulations and frameworks, and then implementing continuous compliance automation, we reduce the stress on control owners, streamline testing, and shift the culture from reactive evidence hunts to proactive, continuous compliance.