The critical path for every audit is evidence collection. You can’t test controls until you gather the evidence – and with each piece of evidence tied to one or more controls, it can get complicated. So, how do you make it easier, more efficient and less expensive to run an audit?
Build good control testing habits.
The key to building good control testing habits – and simplifying the audit process – is to leverage technology to make it easier on you and your teams. Tools like Reciprocity’s ZenGRC platform enable teams to easily gather evidence required by the controls.
ZenGRC’s usage-based benchmarks provide meaningful insight into how your organization compares to your peers. In particular, the Audit Efficiency benchmark shows comparisons of the average time to complete an audit by framework, issue count by framework, and level of effort dedicated to manage and support audits including evidence collection and reuse. This level of detail enables you to more easily build efficiencies within your audit processes.
Another critical step in simplifying your audits: don’t wait for an audit to test your controls. Security isn’t a “point in time” event, so why would testing IT controls be a “point in time” activity? Continuous control monitoring gives you real-time control status, while reinforcing to the appropriate owners that they need to perform the control. Good control testing habits are built by continuously performing the control and producing the resulting evidence. This provides you with better, more real-time visibility into your controls and security posture, and builds up the evidence you need for your audits. Ultimately, you’ll need less effort and fewer resources to manage and support your audits, which will lower your costs.
With the latest innovations in GRC solutions, it is easier than ever to automate a good amount of evidence collection work. One of our most recent partnerships is helping customers do just that. Neverfail offers a continuous control monitoring RPA solution that makes it easy to capture and test IT control evidence automatically. For example, their automated user access review (UAR) solution automatically pulls data from both your HR system and Active Directory, reconciles the two data sets to identify exceptions (e.g., terminated employees with active user accounts), and then pushes the synthesized findings, raw evidence, control testing summary and full chain of custody into the ZenGRC platform for review by internal or external auditors. All of this is packaged in an evidence request in ZenGRC and mapped to relevant controls automatically, greatly reducing the effort required to test and validate this control.
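To make the reconciliation step concrete, here is an added illustration of the same idea in Python; it is not Neverfail's or ZenGRC's code. The HR and Active Directory exports are constructed sample rows, the field names (employee_id, sAMAccountName, enabled, status) and the control identifier are assumptions, and the SHA-256 digests stand in for the chain-of-custody record an auditor would use to confirm the raw evidence was not altered after collection.

```python
import hashlib
import json

# Constructed sample exports (not real data); field names are assumptions.
HR_EXPORT = [
    {"employee_id": "E100", "name": "A. Lee", "status": "active"},
    {"employee_id": "E101", "name": "B. Ortiz", "status": "terminated", "termination_date": "2023-01-15"},
    {"employee_id": "E102", "name": "C. Nair", "status": "terminated", "termination_date": "2023-02-01"},
]
AD_EXPORT = [
    {"sAMAccountName": "alee", "employee_id": "E100", "enabled": True},
    {"sAMAccountName": "bortiz", "employee_id": "E101", "enabled": True},    # terminated, still enabled
    {"sAMAccountName": "cnair", "employee_id": "E102", "enabled": False},    # terminated and disabled: fine
    {"sAMAccountName": "svc-legacy", "employee_id": None, "enabled": True},  # no HR owner at all
]

def find_uar_exceptions(hr_rows, ad_rows):
    """Reconcile the HR export against AD; return one record per control exception."""
    hr_by_id = {r["employee_id"]: r for r in hr_rows}
    exceptions = []
    for acct in ad_rows:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used, so it is not an exception
        owner = hr_by_id.get(acct["employee_id"])
        if owner is None:
            exceptions.append({"account": acct["sAMAccountName"], "type": "no_hr_record"})
        elif owner["status"] == "terminated":
            exceptions.append({"account": acct["sAMAccountName"],
                               "type": "terminated_employee_enabled",
                               "employee_id": owner["employee_id"],
                               "termination_date": owner.get("termination_date")})
    return exceptions

def build_evidence_package(hr_rows, ad_rows, control_ids):
    """Bundle raw inputs, their digests, findings and a summary for the evidence request."""
    raw = {"hr_export": hr_rows, "ad_export": ad_rows}
    # Hash the canonical JSON of each raw export so reviewers can re-verify it later.
    digests = {k: hashlib.sha256(json.dumps(v, sort_keys=True).encode()).hexdigest()
               for k, v in raw.items()}
    exceptions = find_uar_exceptions(hr_rows, ad_rows)
    return {
        "mapped_controls": control_ids,        # assumed control IDs, e.g. "CTRL-UAR-01"
        "raw_evidence": raw,
        "evidence_sha256": digests,
        "findings": exceptions,
        "summary": {"accounts_reviewed": len(ad_rows), "exceptions": len(exceptions),
                    "result": "pass" if not exceptions else "fail"},
    }

if __name__ == "__main__":
    print(json.dumps(build_evidence_package(HR_EXPORT, AD_EXPORT, ["CTRL-UAR-01"]), indent=2))
```

On the sample data the package reports two exceptions (the terminated-but-enabled account and the orphaned service account) and marks the control test as failed, which is exactly the kind of finding that should reach the control owner before an auditor asks for it.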
Building good control testing habits – and simplifying your audits – doesn’t have to be difficult. The right tools will enable you to continuously monitor and manage your frameworks – easily and efficiently.