Corporate Compliance Insights

Prepare to Be Audited: A Lesson and Case Study in Compliance Management

by Michael Becce
December 21, 2015
in Featured, Internal Audit

The audit preparation process can be long and tedious, as documentation has to be gathered from departments that are unprepared for, or uninterested in, the audit process. Confusion about what is actually required, who needs to provide it and when it must be completed is par for the course. Many people are guaranteed to forget what they did to satisfy the prior request, or to believe the new request differs from what they previously provided, generating multiple emails to get it clarified.

All the pieces of evidence that must be collected to document an organization’s compliance status are often stored in a disjointed collection of network folders, email inboxes, workstation hard drives and SharePoint folders. This can make collection and presentation to an auditor quite inconvenient. As a security administrator, the pestering nature of chasing up documentation from co-workers can make them want to hide when they see you coming. These headaches (and more) are all too familiar to a security administrator or compliance officer.

Approach

Frequently the audit-preparation process will be spearheaded by one or two people who work closely with department heads to collect the evidence needed to satisfy each audit requirement. These department heads are responsible for reviewing and approving each piece of evidence and this usually triggers requests to staff for log files, reports and other info for review before going to the compliance officer.

As a compliance manager, you might get a calendar reminder a week or two before each audit task is due. An email request goes out to the head IT guy. But he’s busy, and he’s probably not really sure what you need him to provide. So, he forwards your email to one of the people on his team, who then sends him back a report that he thinks fits the request, which he forwards back to you. But, unfortunately, it’s not actually what you were asking for, so you send a follow-up email with clarifications.

The problem with compliance management:

  • Endless collections of complicated spreadsheets that are used to track audit requirements and the evidence needed for each.
  • Email chains between you and multiple other parties requesting each piece of evidence… Perhaps you receive a few emails deferring responsibility… Maybe some emails asking for clarification about what is required… Emails with follow-up requests… Always more emails!
  • Tackling the inevitable dense forest of nested folders spread out on some shared network drive that are used to store (err…hide?) the evidence you worked hard to gather.

Vendorin, Inc. is an authority on electronic payment enablement based in Omaha. Focused on delivering cost savings, ROI and value to their own clients, Vendorin is acutely aware of the need for quick and efficient business processes.

When Vendorin’s Corporate Security & Quality Administrator, Michael Brodie, was faced with the stress of visits by outside auditors and the piling up of more work on already overflowing plates, he felt his choices were limited to very expensive or inadequate tools to help along the audit path. Looking for another solution, he decided to give KnowBe4’s Compliance Manager a test drive.

Discovering KnowBe4’s Compliance Manager marked a positively impactful event in the development of Vendorin’s security and compliance program. All told, it took Brodie less than 20 hours to get KnowBe4 Compliance Manager (KCM) up and running in support of Vendorin’s PCI-DSS compliance program. That included mapping PCI controls over to other internal controls and requirements.

“Thanks to the pre-mapped compliance templates that are available in KnowBe4 Compliance Manager, the system was very easy to set up and start using to oversee our PCI-DSS compliance effort. Since KCM provides you with suggestions for industry best-practice controls that satisfy each PCI requirement, I was able to save at least 20 hours of work during the initial setup process. KnowBe4 also has pre-made compliance templates available for all of the major auditory frameworks such as HIPAA, NIST and ISO. So we can easily add additional modules as our business needs evolve over time.

KCM’s built-in ability to map a single piece of evidence to multiple auditory frameworks and requirements allowed us to save hundreds of hours a year simply by eliminating all the redundant work we had previously suffered from as we worked to obtain and provide evidence of compliance to different auditors each reviewing different audit scopes.”

With KCM, all of the pieces of evidence that are required for each audit requirement are individually tracked and described with examples provided. This completely eliminates the confusion and back-and-forth communications that used to plague the evidence request process.

Delegation made simple

The KnowBe4 Compliance Manager allows you to schedule each audit task, and a reminder email will automatically be sent to the person who is actually responsible for providing the evidence you need. That request will even link to examples of the exact information that must be provided to completely fulfill your request. The KCM portal gives each responsible party a place to directly upload the evidence you need, while still allowing their supervisor to review and approve the evidence that has been provided. Together these features help you to easily delegate responsibility for each audit task while preserving the ability for supervisors to review each piece of evidence before it is signed off on in the system.

No more email cycle. No more confusion.

KCM substantially eliminates the inefficiencies of the old email chains that used to go hand-in-hand with many audit tasks. KCM also increases efficiency by clearly showing specific examples of exactly what must be provided for each audit requirement, eliminating the familiar clarification requests that commonly follow an evidence request.

“The KnowBe4 Compliance Manager is a powerful, and intuitive, content management system that has allowed us to store all of our compliance-related evidence in a single, centralized and secure system. We no longer have to go searching through a myriad of systems when we must locate a specific piece of evidence related to a specific control.”

Audit savings

“It can be very challenging to present your evidence of compliance to an auditor in an efficient and thorough manner. KCM has streamlined this process for us. We no longer have to spend significant amounts of time “holding the auditor’s hand,” guiding them through each piece of evidence and telling them which audit requirement the evidence is related to.

Our auditors can log directly into our KCM system (with a unique username and password) and easily review each audit requirement, along with the exact piece of evidence that has been uploaded to satisfy that requirement. I especially love that each auditor will only have access to review the controls and evidence that are directly related to the specific scope they have been hired to audit.

You can even allow an auditor to review your evidence of compliance remotely in a safe and secure manner, freeing up your team while reducing audit-related costs by minimizing or reducing the amount of time auditors need to spend on-site. And time is money!”

“An unanticipated benefit to KCM sending out the audit requests and prodding the procrastinators for any late evidence is that the general attitude toward the compliance department has become significantly more positive. Now our department is viewed as working together to improve the security posture of our organization as a whole. We are now free of the stressful and inefficient cycle of playing last minute catch-up each time the next audit period rolls around.”

The numbers below represent the effort required to gather evidence for just a single requirement at Vendorin – the periodic audit of user access and permissions. Although these numbers represent time savings for a single audit task, the trends they show are consistent for every task KCM was used for. The typical number of controls for PCI is 135. Some controls are shorter or simpler than others, but the average time savings you can expect for most audit-preparation activities is immense.

“I can’t speak highly enough about the level of personalized support that we found was provided by everyone on the KnowBe4 support team! The team at KnowBe4 is universally friendly, competent and responsive – you always get to speak with a real person when you call KnowBe4. And what’s more, they are not just sales people or software developers – most are actual certified security professionals who know what is needed to support your audit process.”

“When I first proposed that we consider using the KnowBe4 Compliance Manager, I faced some pushback because our current process was ‘working,’ and the system of emails, Excel sheets and network storage was ‘free.’ However, it only took a few months of using KCM before we realized the vast difference between merely ‘working’ and ‘working well.’ We are now free of the stressful and inefficient cycle of playing last minute catch-up each time the next audit period rolls around.”

Michael Becce is a freelance writer covering the business impact of technology. He can be contacted at mbecce@techjournalists.com.

© 2019 Corporate Compliance Insights