I fondly remember a time when “Audit Season” was just that: a season. Once a year, auditors would appear, with or without fanfare, to thoroughly test our security controls. It was a consolidated, one-and-done process.
It was a magical time. But it wasn’t meant to last.
Before too long, driven by improvements in technology and consumer protections, Audit Season became every day. And I mean Every. Single. Day. The list of compliance standards and their hundreds of seemingly unique requirements continued to grow, placing a strain on tried-and-true compliance processes.
The Pain of Surge Compliance
Surge compliance isn’t an industry term, but it paints a necessary picture. Whether it’s the constant burden of data requests, the lack of a defined, measurable, and repeatable approach to compliance, or actual issues found during the audit, those affected are trapped by the momentum of becoming or staying compliant.
Compliance attestation doesn’t have to work this way. Of course, you may never again see those halcyon days of an Audit Season, but you can at least break free of the surge and enact a continuous compliance program.
Breaking Out of Your Compliance Rut
To be continuously compliant means you’re fully aware of how your policies, processes and operations stack up against all your relevant standards. It means that your staff knows – and more importantly UNDERSTANDS – what is expected, how those expectations are addressed day-to-day and how to measure the effectiveness of those requirements. With a continuous compliance program, you’re ensuring that you’re ready for anything that is coming your way.
Seven Steps to Enacting Continuous Compliance
Know your business and your customers’ needs. Which regulations or standards is each of them held to? How do those compare to one another?
Once you understand the needs of your business and your customers, consolidate those needs into a single control framework. Map the controls from all relevant frameworks against one another to better understand how performing an action once can achieve the requirements across many compliance standards.
When you know the full population of needed controls, bubble each one up to the most stringent requirement among the frameworks it maps to. By aiming for and achieving the higher standard, you’ll be covered for all lesser standards too. This will be your baseline control framework.
Ensure that your policies and procedures align with your new internal control framework. I find it helpful to include references within policies and procedures that tie into specific controls.
Educate your control owners on continuous compliance: how the framework came together, why periodic self-assessments are required to confirm that controls work as expected (and to bring failures to light for remediation when they don’t), and how this reduces the surge that comes with each audit.
It’s a beautiful thing when a control owner tells you “I don’t want to have to review 200 people with access to this system. I’m going to just remove access to all but those who REALLY need it.” Equally endearing is the phrase, “You know, we have a tool in house that can be configured to look for non-compliance against these 10 controls. It’s repeatable and we can show completeness and accuracy to our auditors!” Excellent! By all means, let’s find ways to automate!
Continuous compliance requires diligent maintenance. Regular consideration of new control frameworks or regulations is critical to ensure your internal control framework is current and that you’re keeping pace with your customers’ needs.