A Perfect Nightmare: Compliance and Record Keeping Disaster Waiting to Happen

Published September 16, 2015 by 3 min read

Most organizations begin their path towards compliance using the tools at their disposal. Tools help organizations start their compliance journey, but they can cause some problems. You should take into account these compliance pitfalls so that you can have a smoother compliance journey.

Pitfall #1 – Ensure everyone is working off of the latest version

The first thing that a compliance team will do is identify the controls to test. To test a control you need to provide evidence. Evidence comes in many forms such as screenshots, archived emails, or system configuration. The list of controls that you compile for testing will evolve. For example, you may determine that some controls are “not applicable” and remove those. If you fail a specific control, you may need to add more controls to compensate. Control changes and evidence changes will make it difficult for everyone to stay synchronized.

Pitfall #2 – Keep a simple method to track the evidence

Your first audit may lead you to believe that you will provide one piece of evidence for each control. This is true, but evidence usually applies to more than one control. For example, your IT Security Policy may apply to more than one control. Every evidence gap carries a potential domino effect: fail one evidence request and you may fail more than one control. It is important that you keep track of each piece of evidence and understand its mapping to every control it impacts.

Pitfall #3 – Write down what you discussed

You will have many interviews during the compliance audit. The interviews will go over the controls with the individuals who perform them. For example, server security controls will include an interview with the server administrator. Onboarding new employees will include an interview with the Human Resources team. Each interview will produce more evidence requests. You will need to write them all down and be proactive in tracking down the evidence. The evidence should fulfill the auditor’s requests, and you should check with the auditor to ensure they received what they requested. Your first compliance audit experiences will be more focused on answering interview questions, and it can be difficult to also keep a list of the evidence requests. But without the evidence, the audit will fail. This is why it is important that you keep notes and track all requests.

Pitfall #4 – Make sure everyone uses the same process

It is difficult to force everyone to use the same process. For example, storing evidence in the same location is difficult to enforce. If you create a common folder on the network drive, what do you do when someone does not use it? What is your backup plan when individuals begin to email the auditor directly instead? Keeping up with the paper trail can be the difference between passing or failing an audit.

Conclusion

The pitfalls mentioned above occur in the majority of audits. When a company fails to avoid any of these potential problems, the result is a perfect nightmare. Record keeping is at the core of audits because both evidence and controls are records, and an audit is about validating records. The records you track must be the latest version, and you need to make sure you do not have any gaps. You are likely to fail your audit if you cannot provide all the requested records. People also create a mess when they begin to deviate from the standard process. You will improve your chances on your first audit by focusing on record keeping. Find a way to explain your process to others and stay involved with all the audit steps. You can avoid the audit nightmare when you use record keeping best practices.

Photo Credit: John Mcsporran