How to Speed Up Evidence Collection and Save Time on Audits
Evidence collection and management can consume weeks of work when a compliance team uses manual processes and ad-hoc tools (e.g., email, file storage systems, and spreadsheets) or hasn’t kept meticulous records from previous audits. How do you know what to collect? How do you know when you’ve got everything you need?
At Hyperproof, our goal is to make evidence management easy. To do this, we created a new function called Labels in our compliance operations software.
How to Use Labels to Save Time
Labels in Hyperproof are similar to labels in Gmail or tags in other project management software. Think of them as file folders each containing a list of files, but with some additional bells and whistles that make them work for compliance workflows.
As a rule of thumb, if your auditor is going to ask for a piece of proof at audit time, you should label it to make things easier for you over time. Additionally, you can apply multiple labels to a single piece of proof, for instance to organize your evidence by team, location, etc.
Below, we’ll discuss two examples of how you can use labels to save time.
1. Apply a label to any piece of proof that can be used to validate multiple controls.
What’s useful about labels is that you can link a label to a set of controls once and immediately make all proof associated with that label accessible to the control owners and compliance manager.
For example, “Signed employee agreements” is a typical label. This evidence often applies to several different controls because it covers the employee’s responsibilities around information security, the confidentiality of customer data, workplace code of conduct, etc. It’s not uncommon for HR managers to keep getting asked over and over for this same piece of evidence. This repetition leads to “compliance fatigue”: Employees get frustrated enough that they just stop responding altogether.
In Hyperproof, whenever a new employment agreement is signed, the individual responsible for maintaining that label (e.g., an HR Manager) can upload a PDF to the label and the file becomes instantly available in all the controls and programs that need it. Here’s an example label linked to three controls across two different compliance frameworks:
Automate reminders to people to review proof on a cadence
In Hyperproof, labels have a freshness feature. An individual can set a freshness policy for each label that will quickly tell every participant in a compliance program whether the evidence is up to date. For example, a compliance manager can set a freshness policy of 30 days on the “Signed Employee Agreement” label. Every time a new employment agreement is uploaded, the HR manager could mark the label as “Fresh”. If no employment agreements have been uploaded for 30 days, the label will expire.
In this example, Hyperproof shows that the “Signed Employee Agreement” label is not fresh – it expired 24 days ago.
This tells control owners and compliance managers that they should check in with the HR manager to find out why they haven’t uploaded any signed employee agreements in the past 30 days. Is it that the company didn’t hire anyone in the past month, or are there some signed employee agreements that our HR manager hasn’t gotten around to uploading?
With Hyperproof, compliance managers no longer need to send emails to their HR manager to ask for up-to-date signed employee agreements. Instead, they can take advantage of the collaboration feature within “Labels” to get the job done faster.
This feature allows users to add the team members that need to participate in a label, such as compliance managers or people from HR. Any label members can view the activity feed to see who uploaded what documents and when, and can @mention people to start a discussion or to ask them to provide evidence.
In this example, we can head into the activity feed and ask our HR manager to upload the latest batch of signed employee agreements from the last 24 days since that label expired. And once she has done the job, we can mark the label as “fresh” again.
As you can see through this example, we’ve used a label to simplify an HR manager’s job. Instead of having to respond to random emails from the compliance team, the HR manager simply has to keep one label “fresh”. Whenever a new employee is hired, she just needs to upload the signed employee agreement to this label. This not only makes the HR manager’s job easier but also takes repetitive administrative work off the compliance team’s plate.
2. Apply Separate Labels to Evidence Files That Have Different Update Cycles
Another use case for labels is around managing different types of proof needed to validate a single control.
For example, let’s say you need to show 1) a security policy and 2) background checks for all users who have access to production servers to validate a single security control. These two types of evidence need to be updated on different cycles: your employee handbook should be reviewed annually, and the background checks should be updated monthly.
If you just added all the proof to the control directly, the employee handbook might get lost within the continual update of background checks. You can use labels to keep those two groups of files separate.
Labels provide enhanced visibility into work that needs to be done
From the compliance manager’s perspective, labels solve a lot of problems. They can easily see what evidence is needed for a particular control and whether it is fresh.
Additionally, they have access to all the proof in the labels:
Finally, compliance managers can browse the full list of their labels, filter by person, freshness, etc., and easily see which labels need attention and updating. When everything is fresh, they know they are ready for whatever audit is coming up.
This function provides another tool to help you ensure that at audit time, labels match up with the auditor’s document requests. Hyperproof makes it easy to tie document requests to labels and then re-use them for audit after audit, making it simple to find the evidence your auditor is asking for. Once you have your labels all set up, audits will be easier for your team to prepare for and carry out.
To learn more about how Hyperproof can help you manage compliance projects more efficiently and effectively, sign up for a personalized demo.
Bob is the Vice President of Program Management at Hyperproof.
Bob led software innovation teams at startups and large companies, including Microsoft, Sony, Wildseed, Aol, and Azuqua. He has 28 years of experience incubating and building new software platforms that surprise and delight customers. Bob is obsessed with building a software platform that makes compliance easier for everyone.