This is the THIRD blog in our series that explains how to leverage Service and Change Management for Compliance by capturing all the information necessary to process change approvals and establish auditable records. In our first blog post, we explain why Business Process Compliance is a key part of the foundation for building a successful organization. Our second article explains how Regulatory Compliance Across Industries provides important guidance for organizations as they strive to attain their business goals. In this third and final article, we explain how Auditing for Compliance is used not only to evaluate whether your company is following external regulations, but also determine whether it is following its own internal procedures and policies.
When organizations across various industries are required to pay massive fines for non-compliance, some C-level executives are left wondering whether their current approach for achieving compliance is really “good enough.” Organizations need more robust programs that will enable them to manage compliance with regulations and internal policies, improve information security practices, and streamline audits and remediation activities.
As more rules and regulations are created, companies face a constant barrage of new guidelines that need to be followed and new initiatives for mitigating risk. Risk and compliance teams are finding it increasingly difficult to keep up with everything, on top of concerns surrounding growing cybersecurity threats. While organizations are faced with a myriad of problems, auditing for compliance can help ensure that everyone stays on the right track. An audit is a formal, detailed examination carried out by an internal group or an independent organization to assess your company’s compliance with specifications, standards, contractual agreements, or other criteria. The primary purpose of an audit is to prove conformity to these internal or external requirements.
In-house compliance audits should be conducted regularly to review your organization’s adherence to regulatory guidelines. These in-house audit reports should closely evaluate compliance processes and their associated policies, such as user access controls. In-house audits also help prepare for externally conducted, formal compliance audits that are conducted by independent third parties. These audits are required under some regulatory compliance mandates and are designed to measure if an organization complies with specific state, federal, or corporate regulations.
Many companies treat each of their business processes and regulations as independent sets of requirements, which leads to extra (otherwise avoidable) auditing, redundant testing, and repetitive gathering of evidence. A better approach involves using a centralized repository that maps all the components that your company uses to deliver IT services against all operational and regulatory requirements. This approach allows you to audit once to confirm your compliance with many different requirements.
Your Configuration Management Database (CMDB) provides immediate access to information about the configuration of your IT environment and changes that have been made. It is a source of reliable, detailed, current, and historic data about your business. When properly federated, a CMDB can provide accurate evidence that proves your business practices comply with regulatory controls, so you can breathe a little easier during those kinds of audits. A federated CMDB utilizes a centralized database, which is linked to other data repositories using a common data model, to carry information from one point to another without having to rewrite any code.
Think of a CMDB as the central repository through which workflows throughout your organization can exchange information. The CMDB is a place where unique data sources provide information about changes, releases, configuration, assets, incidents, and more. A well-architected CMDB maintains important information that helps your IT team understand the relationships of the components in the IT environment versus the business processes they support. It identifies a set of configuration items and maintains all IT resources—technology assets, processes, and people—as Configuration Items (CI). The CMDB maintains important details about those items and their relationships, which helps your IT department track and report on the CIs that are needed to prove compliance.
Manually collecting compliance evidence through one-on-one interviews, walkthroughs, screenshots, and random questioning takes a lot of time, and managing that information via spreadsheets and email is very inefficient. Manual methods of collection also lead to version control issues and even more problems because the process is not standardized and not repeatable. A better approach is to develop and employ a workflow-driven audit process with automated evidence collection, which allows you to:
An accurate, up-to-date CMDB is the foundation of your IT Asset Management (ITAM) system. When implemented correctly, it provides you and auditors with an accurate and efficient view of company assets, where they are located, what they are running, and interdependencies on other organizational assets. The CMDB helps you understand how well your business processes are working, while helping you achieve your regulatory compliance requirements.
A major component of compliance is that business activities must be tracked and reported in such a way that a detailed audit trail is automatically created. Tracking and reporting should be conducted using a holistic approach that ties together all the processes that support a particular audit requirement. Audit findings are provided in an audit report that describes what action is required to correct a problem or deficiency in a process or its related controls. There are five main attributes of an audit finding, which are explained in the table below.
Attributes of an Audit Finding
|Condition||The auditor’s “finding” is a statement of the problem or deficiency, which may relate to operations, control, or non-compliance with a business process or regulatory requirement|
|Criteria||Statement of the requirement and identification of the baseline that was used to justify the audit finding|
|Cause||Explanation of the specific reason for the condition, which in this case would be non-compliance with a business process or regulatory requirement|
|Effect||Description of the risk and impact that the condition will have on the business, such as a hefty fine, decreased customer satisfaction, etc.|
|Recommendation||Suggested corrective action to eliminate the problem or deficiency that is noted in the condition|
The purpose of tracking audit findings to closure involves much more than just avoiding legal issues and hefty fines. It is about management following through on the commitments that they made not only to themselves, but to their entire organization. Failure to track audit findings to closure will cause your senior management team to lose credibility in what they are trying to accomplish. Auditors will also lose motivation and become careless at the expense of stakeholders’ interests, which will—eventually—cause your processes to fail.
A significant amount of time is committed to any internal audit. Scheduling, planning, information requests, questionnaires, walk-throughs, interviewing, testing, and documenting are all part of the audit process. Although most of the total hours are allocated to these aspects of the audit, the main part (sometimes the only part) that stakeholders will remember is the communication of the results. The way that findings and observations are communicated written and verbally by the auditor will impact the perceived quality and value of the audit.
Effective communication of audit results helps foster a constructive relationship between management and internal audit, increases the rate of resolution of observations and recommendations, and improves the efficiency of the internal audit department. For managers, reports serve as a window into daily operations. They provide a way to evaluate operating performance, a source for objective information about controls and operations, and a mechanism for gaining support from upper management for issues that require attention. For internal auditors, reports provide an effective way to track and follow up on findings, teach and help staff members improve themselves and their processes, and summarize the results of audit work.
Once an audit has been thoroughly conducted, the auditors will meet with you (or whoever the process owner is) to discuss their findings. The highlights of this meeting will be to discuss the errors that were found and the tactics that can be used to improve those areas. Finding hard evidence of what processes are not producing and uncovering the paths for improvement are just a few of the things that can be accomplished through an audit. The reports will also help save resource costs by showing you how to utilize team members more efficiently, as they identify the areas where more time and energy should be spent.
Continual Service Improvement (CSI) is a type of process that utilizes techniques from quality management to learn from prior successes and failures, with its purpose being to constantly increase the efficiency and effectiveness of IT services and processes. CSI uses a metrics-driven approach to identify opportunities for improvement and measure the impact of the improvement efforts. It can be effective only if it is integrated throughout the lifecycle of a business or regulatory process, thereby creating a culture of continual improvement. CSI should ensure that all stakeholders in the process understand that identifying opportunities for improvement is their responsibility.
Every now and then, you should reflect on the results of the audit and issues that were found and addressed. You should review this information with those who provided you with the audit. Compare your standards from before your audit to after to see if there have been any significant changes in performance based on recommended adjustments. Repeat this process over time, as success is not a permanent condition and changes will need to be made from time to time to ensure that things keep getting better.