Compliance testing, also known as conformance testing, is a periodic, independent, and objective assessment of compliance-related processes or controls. As the name implies, you’re testing those controls to see how well they actually work.
Compliance testing plays a major role in identifying vulnerabilities in existing compliance risk management controls; many regulations also require testing as part of an organization’s compliance obligations, and testing should follow an established process, as well as a risk-based approach.
All that said, testing can be a complicated endeavor. This article will unpack the best practices typically involved, so that you can understand the issues here and plan your own testing program wisely.
What Are the Benefits of Compliance Testing?
Compliance testing has multiple benefits that help to assure your IT systems work as planned. For example, testing can identify which of your employees might not understand the compliance obligations your business has, so you can follow up with extra training as needed. Testing might also uncover defective technical controls around, say, encryption, which you could then correct with new or improved controls.
Continued testing through a monitoring program means you’ll find potential threats and weaknesses before a cybersecurity risk comes to fruition. You can think of compliance monitoring and testing as preventive measures, such as visiting the doctor annually, even if you don’t feel sick.
Steps to Effective Compliance Testing
To minimize risk and make certain that your compliance management system is working correctly, you must have an effective compliance testing program in place. These tests will help your company to avoid legal violations, which can be complicated and costly to resolve. By following the steps below, you can create a testing process that will catch potential problems before they occur. Consider employing automation for some of these steps to give your compliance officer or compliance team stronger tools.
- Create a requirements library
Whether your company already has a small compliance testing program or you’re developing a new program, the first thing you have to do is build a requirements library. That library establishes the requirements that apply to your company. You will use it to identify the existing controls (or lack thereof) that mitigate your company’s compliance risk.
A requirements library is an inventory of in-scope requirements that you will use to identify the compliance risks to your organization. To establish the library, you must identify all the statutory, regulatory, or contractual requirements that apply to your company’s operations.
Consider first consulting a subject matter expert in your industry who can help you identify the in-scope requirements. Then work with the executives from each business unit, including your legal team, to assure you capture all applicable requirements.
Next, map the requirements to their applicable business functions and work with the business unit executives to define the compliance risks. This can take the form of an internal audit. You should also validate the applicability of the requirements with the business owners to help them clearly understand the importance of each requirement and what could happen if it’s not met.
Once you’ve mapped the requirements and identified the risks, you should identify the controls you have in place to mitigate the compliance risks. This is a great opportunity to determine how many controls mitigate each compliance risk; it also shows where to focus future compliance testing so that you minimize duplicate testing.
Ultimately the requirements library should be a “single source of truth” for your company’s compliance requirements. Maintaining the requirements library within a governance, risk, and compliance (GRC) software tool assures that you preserve the integrity of that source of truth. You can also implement compliance controls to prevent unauthorized users from making unintended additions, deletions, or other changes that could compromise the requirements library.
- Conduct a compliance risk assessment
Begin this step by defining the parameters of the compliance risk assessment, including the categories, risk profiles, and factors you will measure, as well as the data sources that will be used to conduct the risk assessment.
The next step is to evaluate the inherent risk for each risk – that is, the risk of violating a requirement when your business process has no controls to prevent that risk at all. Then evaluate the effectiveness of the control that does mitigate this risk, and consider what’s left over: the residual risk that still exists even after the control is in place.
Use the residual risk to prioritize which controls should be tested first or most often. The higher the residual risk, even after a control is in place, the more often you want to test that control.
- Develop the compliance testing methodology
After performing the risk assessment, develop a compliance testing methodology to determine how you’ll test in-scope requirements or their associated controls.
To develop the testing methodology, you have to define the following:
- Testing approach, including purpose, scope, and objective.
- Sampling method that you’ll use when performing testing.
- Process you’ll follow when you identify compliance violations or issues.
- Remediation methods when you find defective controls.
- Reporting requirements, including stakeholders.
- Communicate the testing methodology
Communicate the testing methodology to the business unit that’s being audited as well as to the relevant parties and member firms that perform the testing to reduce duplication of efforts.
Communicating a clearly defined methodology early in the testing process can minimize resistance from the teams being audited, by letting them know what they should expect and when.
Your methodology may evolve every year as your compliance program becomes more mature. For example, your objective for the first year may just be to assure that all areas comply with the applicable laws by testing all the requirements in the library. In succeeding years, you won’t need to limit compliance testing just to verify compliance. You may also want to test the controls that mitigate the compliance risk.
- Establish the testing schedule
Use the residual risk established in the compliance risk assessment to determine how often you should test for each requirement. The schedule will vary depending on the size of your team and the company’s objectives. For example:
- High residual risk: quarterly (or more frequently)
- Medium residual risk: semiannually
- Low residual risk: annually
Group the requirements by business function or overall regulation, and state when each of these groups will be tested. Add the established timeframe as a data point in your risk assessment to confirm that you have testing coverage for all requirements. Once you’ve completed the schedule, communicate it to the business units so they all understand when you’ll be testing them and what you’ll be testing against.
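The risk assessment and scheduling steps above (inherent risk, control effectiveness, residual risk, a cadence per residual-risk tier, grouping by business function, and a coverage check) can be encoded so that the schedule is derived from the requirements library rather than maintained by hand. The following Python is an added example written for this article; it is not RiskOptics code and not part of the original post. The scoring model (residual = inherent × (1 − control effectiveness)), the 1–5 inherent-risk scale, the tier thresholds, and the sample requirements are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed tiering (not from the article): residual >= 3.0 is "high", >= 1.5 is "medium",
# anything lower is "low". The cadence table mirrors the article's example schedule.
RATING_THRESHOLDS = [(3.0, "high"), (1.5, "medium")]
CADENCE = {"high": "quarterly", "medium": "semiannually", "low": "annually"}


@dataclass(frozen=True)
class Requirement:
    req_id: str
    description: str
    business_function: Optional[str]        # None = not yet mapped to an owning function
    inherent_risk: int                      # 1 (low) .. 5 (high); assumed scale
    control_effectiveness: Optional[float]  # 0.0 .. 1.0; None = no mitigating control exists


def residual_risk(req: Requirement) -> float:
    """Risk left after the mitigating control. A missing control leaves inherent risk intact."""
    if not 1 <= req.inherent_risk <= 5:
        raise ValueError(f"{req.req_id}: inherent risk must be 1..5")
    eff = 0.0 if req.control_effectiveness is None else req.control_effectiveness
    if not 0.0 <= eff <= 1.0:
        raise ValueError(f"{req.req_id}: control effectiveness must be 0.0..1.0")
    # Assumed multiplicative model; rounded so tier comparisons are stable.
    return round(req.inherent_risk * (1.0 - eff), 2)


def rate_residual(score: float) -> str:
    """Map a residual-risk score to the high/medium/low tier used for scheduling."""
    for threshold, rating in RATING_THRESHOLDS:
        if score >= threshold:
            return rating
    return "low"


def build_schedule(reqs: List[Requirement]) -> Dict[str, List[dict]]:
    """Group mapped requirements by business function, highest residual risk first."""
    schedule: Dict[str, List[dict]] = {}
    for req in reqs:
        if req.business_function is None:
            continue  # nobody owns the test yet; coverage_gaps() surfaces this
        score = residual_risk(req)
        rating = rate_residual(score)
        schedule.setdefault(req.business_function, []).append(
            {"req_id": req.req_id, "residual": score, "rating": rating, "cadence": CADENCE[rating]}
        )
    for entries in schedule.values():
        entries.sort(key=lambda e: e["residual"], reverse=True)
    return schedule


def coverage_gaps(reqs: List[Requirement], schedule: Dict[str, List[dict]]) -> List[str]:
    """Requirement IDs that have no testing timeframe in the schedule."""
    scheduled = {e["req_id"] for entries in schedule.values() for e in entries}
    return [r.req_id for r in reqs if r.req_id not in scheduled]


# Constructed sample requirements library (hypothetical entries, not from the article).
SAMPLE_LIBRARY = [
    Requirement("REQ-001", "Customer data encrypted at rest", "IT Security", 5, 0.4),
    Requirement("REQ-002", "Quarterly access review of finance systems", "Finance", 4, 0.75),
    Requirement("REQ-003", "Card data never stored in plaintext logs", "IT Security", 5, None),
    Requirement("REQ-004", "Breach notification within contractual deadline", None, 3, 0.5),
    Requirement("REQ-005", "Vendor DPA renewed annually", "Legal", 2, 0.2),
]


if __name__ == "__main__":
    sched = build_schedule(SAMPLE_LIBRARY)
    for function, entries in sched.items():
        print(function)
        for e in entries:
            print(f"  {e['req_id']}: residual {e['residual']} ({e['rating']}) -> test {e['cadence']}")
    print("Coverage gaps:", coverage_gaps(SAMPLE_LIBRARY, sched) or "none")
```

Running the block prints the schedule grouped by business function and then lists REQ-004 as a coverage gap: it has a residual risk but no mapped owner, which is exactly the case the article tells you to catch before the schedule is communicated. An unmitigated requirement (REQ-003) keeps its full inherent risk and therefore lands in the quarterly tier.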
- Perform testing
Notify the business units about the planned audits well in advance, and include what you’ll require of process owners and department heads. Allocate enough time to submit document requests and review the evidence you’ve gathered.
Obtain the data and materials you’ll need to perform testing against the regulatory requirements. Then test per the established testing methodology you’ve communicated to the audited business unit. This ensures that your testing process stays consistent by eliminating confusion and frustration for the leaders of your business units.
Document the testing programs and preserve evidence of the results of the testing. Follow up on findings to assure that the issues or control gaps you’ve identified aren’t false positives.
Communicate the final results to the business units and obtain the approval or agreement from the affected business function on any issues you’ve identified. When you’ve completed all the testing steps, draft and issue the final report of your results to the relevant parties, such as the audit committee.
- Implement an issues management process
Once you’ve identified and confirmed the issues or control gaps, you must follow an issues management process to manage those issues from identification through remediation. Start by entering the issues you’ve identified in the issues management system (JIRA, for example). Then assign ownership by determining which business function is responsible for the compliance violation based on the mapping you did when you were creating the requirements library.
Determine how severely the compliance violation affects your company. When you rate violations of law, you should also assess the pervasiveness, duration, and severity of the violation.
Be sure to document the underlying cause of each issue and work with the affected business units to document the remediation plan to address that underlying cause, including milestones you want to achieve and when you want to achieve them.
- Validate remediation
When you’ve completed the milestones of the remediation plan, validate that the plan worked as intended. Validation should assure that the corrective actions addressed the immediate issue and that the long-term remediation prevents the issue from recurring. You may be required to perform the test again to validate that the remediation plan worked. You will also need evidence that you completed the remediation plan.
- Monitor sustainability
You should establish a period of sustainability that must be achieved before closing the issue – for example, the compliance violation should not occur again for at least two months. Based on the organization’s risk appetite, you could increase the number of months.
At the end of the sustainability period, you must gather and maintain evidence that the issue did not recur. If the issue does not recur, then you can close the issue. However, if the issue did recur during the sustainability period, you’ll have to reestablish the underlying cause and adjust the remediation plan accordingly.
RiskOptics Offers a GRC Solution for Compliance
If you operate in a regulated environment, you’re expected to have a compliance management system. If you want your compliance management system to be effective, you must perform testing against the statutory, regulatory, or contractual requirements that affect your company.
Performing compliance testing in an ad-hoc manner can lead to increased regulatory scrutiny since you won’t be able to provide evidence that you have a fully functioning compliance testing program.
By following these steps, you’ll be able to get your company’s compliance testing program off the ground.
Contact RiskOptics today to get a demo and see how we can help you with your compliance needs.