Well, it’s happened again. The framework you worked so hard to implement across your company needs updating. Historically this happened every 4-6 years, which gave organizations enough time to prepare. Sarbanes-Oxley, GLBA/FFIEC, FISMA, and HIPAA, for example, are frameworks associated with traditional computing, and traditional frameworks like these took a long time to update. In the last several years, however, frameworks covering new technology have changed every 2-3 years. Standards that cover cloud, mobile, encryption, and vendor management fit this new model. As a result, you will need to be prepared to update your framework on an annual basis to keep up with all the changes.
Each change to your existing compliance framework will pose a challenge. First, you should understand the impact the changes will have on your audit program. Are the changes minor, requiring only that existing controls be reworded? Or do the changes add new controls that you need to anticipate?
Compliance specialists have an advantage over most general compliance professionals. Specialists tend to focus on only one or two standards, so they can spend their time on a single domain and know everything about it. Most organizations, however, have many compliance needs and cannot rely on specialists alone.
A compliance program should cover all aspects of compliance for an organization. It is best operated by a compliance professional who is able to manage company-wide compliance. Managing compliance requires someone who knows a lot about many domains and who also knows when to rely on specialists. With each framework update, a compliance professional will need to review and approve the changes, and juggling the number of changes can be frustrating. You should anticipate the challenges below and prepare for the inevitable changes to your compliance framework.
Challenge #1 – Understanding the impact to your audit program
At first glance, updating your compliance framework may look like an exercise in replacing the old text with the new text. This is rarely the case. Each iteration of a compliance standard undergoes a Q&A period within the compliance community, and the resulting interpretations shape the new standard beyond its written controls. Assessing the impact on your audit program requires you to review each change in detail. This becomes difficult because your audit program may live in many places, such as:
- Many Excel spreadsheets with controls specific to a business unit/division
- COSO/COBIT mappings that were not updated along with the underlying domain, which makes the changes harder to apply
- An existing audit timeline with agreed scope, or a signed contract, mapped to the now older framework
- Stakeholder relationships, especially where stakeholders’ interpretations differ from the compliance team’s consensus
Many of these impacts can be better managed if you have a clear understanding of the net result for your audit program. If you can, use a tool that evaluates each change, traces it through to your test plans and audit dependencies, and updates the underlying data. Missing just a few updates can create unexpected audit gaps that turn into audit findings. Although updating frameworks poses a risk to every audit, compliance professionals should be proactive: trace the changes and their impact.
Challenge #2 – Updating the controls
If you store your controls in a central repository, you will be able to update them faster. Hunting down all the files across many locations poses a bigger challenge, because every copy of the file containing your controls needs updating. It is also common for updates themselves to be updated: as the compliance community implements the changes, it may find errors in them, which produces further framework updates, so you may need to go back and revise the controls several times. Keeping a list of those changes and tracking version control is important, because you want the controls updated across all instances.
Custom frameworks pose more challenges. If you created a custom, best-of-breed framework that pulls from many domains, you will need to understand all the dependencies. If you used one domain as your foundation, you will need to trace its changes to every framework relying on that foundation. Each customization and each translation can magnify the amount of work. For example, any parent control or larger framework may need updating. That means that instead of just updating the controls within the new framework, you now need to update your internal inventory of controls that reference the new changes. For example, updating controls from PCI 3.0 to PCI 3.1 would be a somewhat straightforward update. But if your controls were built on the SOC 2 or FedRAMP frameworks, you would have more to do. The changes in PCI 3.1 around vendor management, for example, may change the scope of your SOC 2. If you used FedRAMP, the area of key management would need more attention. These granular impacts add more work, and the extra step becomes even more complicated when you use a COSO or COBIT framework, because they are not designed to be nimble.
Tracing the new changes and updating the controls is an activity that will take at least 40 to 80 hours unless you have a tool. A tool can automate some of the menial tasks, such as changing control wording, and ensure that every change reaches each instance where the controls live. It can also help in understanding the impact, such as comparing the before and after state. Without a tool, the changes will take longer to make and are more likely to contain errors.
Challenge #3 – Aligning your audit to the latest changes
Work with your external auditor or assessor to understand the audit impacts. You should have this conversation early in the audit period; ideally, contact them at least 6 months before the start of their onsite activities. You may need to prepare specific evidence showing that you updated your framework, and you may also need to add controls to your audit program that require a sample size of at least 6 months. The conversation should be straightforward, because external auditors will be fielding many of the same questions. They should also be able to provide a specialist, or a webinar in which a specialist speaks to the changes, so that you are better informed and have enough time to process them.
Ask the auditor about the challenges other organizations have faced and learn from their mistakes where possible. Keep the dialogue open and apply what you learn so that you can prepare.
The reality is that changes to frameworks will only increase in frequency. Technology and cyber risks are pushing compliance frameworks to their limits, and as attackers, breaches, and fraud methodologies evolve, the frameworks will need to adapt. A process and a tool that help compliance professionals keep up with the changes will become even more important. Consider your solution and keep these challenges in mind when updating frameworks.
Photo Credit: John Mcsporran