Unfortunately, creating a compliance framework for your government department is only the first hurdle: the framework also needs frequent updating to keep it in line with changing standards. Because of the introduction of new technology like the cloud, mobile and encryption, requirements like those from FISMA can change as often as every two years, but it pays to be prepared to update yours annually to keep abreast of all the new additions.
When the changes begin, it helps to have a specialist on hand, since the updates should not cause them too much trouble. However, most government departments have a range of standards they must comply with, which usually requires a compliance professional to encompass all the changes needed. There is software that can be used to simplify these procedures and manage any updates. If this route is preferred, the programs chosen should offer a centralized dashboard and a compliance system of record, so that every update, and therefore every control, is kept in one place to make auditing easier. Ideally, they should also include risk assessment, streamlined workflow and unified control management.
The major challenges you will encounter with framework updates can be boiled down to three areas, and anticipating them will help you deal with them more satisfactorily.
Overall Impact to the Audit Program
Any alteration will be challenging, but the best way to begin is to figure out the impact and net result that changes will have on your audit program. Will you need to create completely new controls or is it sufficient just to alter the ones you have?
Firstly, you should review each change in as much detail as you can so that you know what will be affected and where, as your audit program will not necessarily live in just one place on your system. To make sure that you don't miss anything, it can be useful to use a tool that evaluates and traces each change. This should take into account plans for testing and any dependencies that will affect an audit, as even the smallest gap can lead to a failure.
Some issues need extra consideration: any team- or department-specific controls that may be stored in Excel spreadsheets, and any contracts that have already been signed and refer to the previous framework. COSO/COBIT should have been updated regularly, because complications arise if an update has been missed. Finally, you need to manage your stakeholders so that they are on board and in agreement with your compliance team.
Storing your controls in one place is paramount if you want an update to be more secure and to be completed more quickly. It is still possible to update many files containing these controls when they are stored in different locations; it is just prone to error and will take longer.
If you have a custom framework that encompasses many domains, you will have to establish the dependencies yourself to make sure nothing is missed, as both the controls and the inventory of controls will need to be updated. This is particularly important because a change to one of your compliance frameworks may require changes to another; for example, FedRAMP changes will probably affect the scope of your SOC 2 reporting.
As mentioned above, it is possible to use a software tool that automates some of the simpler tasks and traces both changes and updates. This is far more accurate than updating manually and will take into account controls that reside in multiple places.
Consulting Your Auditors about the Changes
It is a good idea to call in your external auditor before an audit is due so that you can establish exactly what they will require with regard to the changes you are making to your framework. They will be fully aware of the updates that are expected and may even make more information available to you, or give you access to a specialist, so that you are suitably informed about the requirements. Involve them a few months before your audit is scheduled, in case any of the controls need to be reported on for a certain amount of time; that way you should be left with the requisite time to prepare.
Changes will always need to be made to compliance frameworks, and because of cybercrime and the rising complexity of commonly used technology, the frequency is likely to increase. Always look to the future so that you can streamline your framework as much as possible, and use tools to automate and track changes wherever you can. Frameworks will always need to be updated as situations change, so make sure yours is as simple to update as possible.
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.
This is an article provided by our partners’ network. It might not necessarily reflect the views or opinions of our editorial team and management.