Audit Management Software: Why You Need It and How to Put it to Work
Audits are everywhere for the modern CISO or compliance officer.
Maybe you need to undergo an internal audit in preparation for a SOC 2 audit of your security controls, or maybe you need to pass an external audit as part of HIPAA or PCI DSS compliance. Most likely, you need to survive both audits, plus a bundle of others too. The demand for security audits has marched inexorably upward in recent years, and that is not going to change.
This means the ability to manage audits is becoming more important for successful compliance programs; hence the need for audit management software. Compliance officers need a disciplined way to coordinate audit plans, control testing, evidence collection, and documentation. Otherwise the flood of audit demands could overwhelm your enterprise, leaving you struggling to keep pace with those demands and increasing the risk that you won’t pass those audits.
Let’s talk about audit management software, how to use it, and why you need it.
Why Audit Management Software Is a Must-Have, Not a Nice-to-Have
Perhaps the best way to justify the need for audit management software is to contemplate a compliance program that doesn’t use such software — a compliance program that still relies on spreadsheets, email communications, and “data diving” across multiple databases to find the information you need.
That approach is no longer tenable. Corporations today face numerous privacy and cybersecurity regulations, such as:
- HIPAA, to protect health information
- PCI DSS, to protect credit card data
- The Gramm-Leach-Bliley Act, to protect banking information
- Europe’s General Data Protection Regulation, to protect the personal data of EU citizens
- Dozens of state-level consumer privacy laws, such as the California Consumer Privacy Act
Most of those privacy and security rules are broadly similar. For example, they all require written information security policies and training for employees, and governance over third parties that handle confidential data on your behalf.
This is good news in the sense that you could use the same piece of evidence (say, records of employee security training) to satisfy audits for HIPAA, PCI DSS, and GDPR compliance alike. That would save you time and money — if you know where that piece of evidence is and how to use it efficiently.
With a manual approach to audit management, you’re not likely to capture that efficiency. Instead, you’re more likely to duplicate your efforts as you go through one audit after another, pestering employees throughout your enterprise and your third parties with repeated questionnaires or queries, asking for the same piece of evidence over and over. You’re also more likely to end up with duplicate data, which then increases the chance you’ll use wrong or outdated data.
The result of all this is less visibility into the true state of privacy or cybersecurity practices in your organization. That, in turn, leads to worse reporting of your compliance posture, because the data you’re using might be incomplete, outdated or unreliable. Ultimately that leaves you, the compliance officer, in a weaker position with the board or senior management as you try to discuss risk and compliance concerns.
Audit management software can help you avoid such predicaments; the trick is finding a software tool with the capabilities you’ll need.
6 Audit Management Software Features You’ll Need
We can divide the capabilities of good audit management software into two groups:
- Features that help you manage the tasks and data
- Features that help manage the people and relationships
Let’s explore the six features you’ll need included with your audit management software, starting with the ones that help you manage tasks and data:
Features for Tasks and Data
1. Framework Analysis and Mapping
As we mentioned, most privacy and cybersecurity regulations have overlapping requirements. Quality audit management software should be able to analyze the regulatory frameworks that apply to your business and map those overlaps, where one control or process could meet multiple audit needs.
2. Data Analytics for Gap Analysis
Spoiler alert: your current controls will most likely not meet all of your audit and compliance obligations. Your audit management tool should guide you through a gap analysis to bring those shortcomings to light so you can begin remediation work.
3. Tracking Remediation Work
Once the gap analysis is complete and your remediation work becomes clear (or, likewise, if you undergo an audit and it finds shortcomings you need to address), your tool should be able to let you see the progress you make toward fixing bad controls, implementing new ones, adopting new policies, and so forth.
Features for People and Relationships
Other important capabilities are more about how the compliance officer deals with people. For example:
4. Reaching Stakeholders for Evidence
With so many audits and so many requests for audit evidence, manually requesting evidence is impractical; you might forget a request or lose an email reply, and so forth. Instead, you should have a single dedicated system to interact with employees and third parties to streamline your request process and to keep evidence sent back to you in one data repository.
5. Collaboration with the Audit Team
Your audit team might span multiple offices, time zones, or countries. Your management tool should provide a single, secure means of communicating and collaborating, rather than people chasing each other with emails, Slack messages, voicemails, and so forth.
6. Task Assignment, Alerting, and Escalation
Go back to our point above about tracking remediation work. When tasks aren’t done by an assigned deadline, your tool should be able to “remind” people automatically to get the task done. Or, if remediation continues to lag, the system should escalate those concerns to you and other senior executives in the enterprise for more direct action.
When you have those capabilities, managing the details of numerous audits becomes much easier.
What Successful Audit Management Allows
Investing in audit management software is just that: an investment. So, it’s reasonable for senior management teams (and compliance officers themselves) to ask what the return on that investment would be. Well, let’s consider those benefits.
Above all, an audit management tool will let you get more productivity from your team and anyone else involved in the audit. They’ll be freed from tedious, time-consuming tasks, such as chasing down evidence or transferring silos of data from one spreadsheet to another, because that work will be automated. Consequently, they’ll have more time for more complex issues such as control design or root-cause analysis — issues that are crucial to passing an audit, but ones that can’t easily be automated.
You’ll also have a better ability to collect evidence, track remediation, and measure improvements in your security regime. That paves the way for better reporting of your security posture, which is crucial to have productive conversations with your board, auditors, business partners, and other stakeholders.
Manual Approaches Aren’t Scalable
As the business environment becomes ever more regulated, the importance of being able to pass an audit quickly and efficiently will only increase. More regulations will include audit requirements; more customers will demand that you pass an audit before starting a business relationship. Compliance officers will inevitably reach a point where manual approaches to all those audit demands are no longer feasible.
At that point, audit management software becomes a compelling choice. Compliance officers will still need to evaluate each tool carefully to confirm that it has the right capabilities for today’s risk assurance needs — but once you find the right tool, it can put you on a path to more efficient audits, stronger risk management, and better relationships with customers and stakeholders.
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.
Kelly was named a ‘Rising Star of Corporate Governance’ by the Millstein Center for Corporate Governance in its inaugural class of 2008, and was named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.
Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.