When it comes to governance, risk, and compliance (GRC), there’s a lot to assess. But where do you start? We’ve outlined how to get started with audit evidence collection and best practices to keep in mind throughout the process.
How to prepare for audit evidence collection: 9 steps to getting started
1. Understand what auditors are looking for
A lot can get lost in technical jargon when it comes to audit evidence collection, especially when looking at your policies. What are the auditors actually asking to see? Policies, procedural documents, manuals, and other documentation make up just some of the types of evidence auditors look for. But how do you know when you’ve covered all your bases?
One solution is to take inventory of all the types of evidence so you can organize the evidence and categorize it based on what needs to be collected and where it’s housed. But even then, things can get complicated. Whether you’re working in spreadsheets or multiple software programs, audit evidence collection gets convoluted quickly. With a SaaS solution, however, you can connect your disparate systems and do away with manual spreadsheet work, all with integrations that can automatically collect audit evidence for you.
2. Evaluate manual work vs. an automated SaaS solution
It takes hours of manual work to complete audit evidence collection. From manually flipping through page after page of policies to locating the most up-to-date assets in a world of disparate systems, it’s hard to collect evidence. Add in the time spent waiting for your various stakeholders to get back to you, and it becomes an arduous and needlessly complex process. With an automated SaaS platform, you can save hours of time and effort, allowing you to get back to the work that matters most.
Automated SaaS GRC platforms use integrations that automatically pull evidence from the systems they’re housed in, freeing up your time and energy. You can also cut out the middle man, making the process less reliant on humans and more efficient overall. However, not everything can be automated, so evaluate what will require manual work and what you can outsource to your software platform. Doing so will make your life a lot easier.
3. Gather policies
If you’re following certain frameworks, you have guidelines you can follow throughout your audit evidence-collection process that will simplify things for you.
Software platforms enabling audit evidence collection often include out-of-the-box supported frameworks that can pre-populate the rules and guidelines relevant to your risk management frameworks. These will help you retrieve the right information from the relevant policies and see what evidence you can reuse across multiple frameworks.
4. Complete risk management framework steps
To complete your risk management framework steps successfully, you’ll need to have evidence. But poorly labeled evidence stored in disparate systems is unhelpful at best and can slow the process down. Add in the fact that evidence often isn’t collected at a regular frequency, and you’re facing a mountain of work ahead of an impending audit.
Having a SaaS platform that allows you to label evidence and reuse it across different frameworks can significantly reduce the amount of time you spend on evidence management. Ideal software tools have a central repository for all of your evidence so you can easily search for what you need by framework, evidence type, and more. With the right integrations, you can automatically pull evidence from those systems and avoid logging into multiple platforms to grab screenshots or PDFs.
5. Scope the objectives of the assessment
Understanding the scope of the overall evidence assessment takes a lot of work. Knowing exactly what evidence you need and where it should go is something that comes only with experience. If you’re going through an audit for the first time, audit evidence collection can be a daunting task. But it doesn’t have to be.
Instead of collecting evidence in spreadsheets — which are a pain for storing screenshots, PDFs, and the like — you can do so in a software platform. Gone are the days of wasting time sifting through sheets of evidence and matching it to specific controls. The right SaaS platform should include a Risk Register and Continuous Controls Monitoring, making evidence easier to retrieve than ever before. You can also track the freshness of policies and other time-sensitive assets and set reminders to update them, so evidence is collected on a regular basis rather than only when an audit is approaching.
6. Identify common controls across frameworks
Often, controls aren’t set up intuitively and teams spend time repeatedly gathering the same evidence. To avoid this, identify and set up common controls across multiple frameworks (we call this control crosswalking). Finding these overlaps — i.e., “crosswalks” — allows you to expedite work by doing away with repetitive, arduous tasks, speeding up the overall collection of audit evidence.
An ideal software solution allows for crosswalking between frameworks and reusing evidence across them. SaaS platforms make these overlaps easily identifiable so you put effort in once to fulfill the requirements of multiple frameworks.
7. Open communication channels
When collecting evidence, it is essential to have open communication channels between the assessors — those testing the controls — and the stakeholders who are responsible for certain pieces of evidence. However, audit evidence collection is a priority only for the assessor, not for the stakeholders who have to provide it. This can cause delays, as other business objectives are the stakeholders’ priority. Plus, sometimes you have to notify them more than once before you even get a response.
You can consolidate these efforts into one messaging portal with a SaaS solution. No more long email threads and chats, but a centralized communication channel that everyone can use and collaborate in. Ideal software solutions also have the ability to automate reminders, so you waste less time tracking down colleagues and spend more time on strategic tasks.
8. Establish time frames for assessments
Control assessments often operate on a strict schedule to prepare for audits. You’ll want all of your evidence collected in a certain time frame, but it can be hard to communicate a hard deadline across an organization. One of the biggest challenges with time frames is that stakeholders don’t know when evidence is due or what they should provide.
If you have the right software platform, you should have automated audit evidence collection and the ability to nudge stakeholders for any missing evidence when due dates are nearing. Keep your timeline under tight control with an ideal software solution that helps enable you, not distract you.
9. Prepare and select an assessor or team of assessors
You should either have a single assessor or a team of assessors for your controls. Deciding which depends entirely on the number of controls, the amount of time you have, and the size of your organization. If you have hundreds of controls, you want to make sure you allocate enough resources to enable your team to tackle audit evidence collection. That may mean more headcount or budget to purchase a software tool to help with overall control assessment and monitoring.
How assessors prepare for audit evidence collection
Assessors need to do many things when they get ready for evidence collection, and it can be hard to know where to start. According to the NIST Special Publication 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations, there are certain things assessors of controls should do to prepare for collecting audit evidence.
The assessors should understand the company’s operations, mission, and business processes, how the evidence supports those operations, and the system of security and privacy controls. They should also identify the stakeholders responsible for the common controls and meet with them to ensure they understand the objectives, rigor, and scope of the evidence assessment.
When assessors ensure that all stakeholders understand why evidence collection is important, they help alleviate pushback. When assessors prepare stakeholders for what’s ahead, everyone can understand why evidence collection matters and how it relates to the overall business.
Next, assessors should acquire all necessary artifacts, including “policies, procedures, plans, specifications, designs, records, administrator and operator manuals, system documentation, information exchange agreements, and previous assessment results.” Other vital documentation may also be essential to testing controls, as each organization operates differently.
Lastly, the points of contact to carry out the evidence collection should be identified. If software is being used to collaborate with the team of assessors, this is where its communication features would come into play. An ideal platform would notify each team member when evidence needs to be collected and allow them to upload evidence to the system directly. That way, everything is stored in one place, and communication is centralized, as mentioned above. No more manual emails and reminders.
More ways software solves audit evidence collection challenges
Audit evidence can be hard to keep track of, with its many forms and varying levels of scrutiny. Ideal software solves these challenges by offering a central repository for storing all evidence. Not only will your efforts be centralized in one system, but you can monitor the freshness of your evidence and receive alerts when updates are needed. With the right software solution, you’ll save hours and be able to focus on more important tasks related to risk management.
You can make testing your controls a breeze with a SaaS platform like Hyperproof, which has all of these features and more. Request a demo today.