
Four Steps to Reducing the Cost of Compliance

Published: July 01 2009, 04:35 AM
by Mike Hoefgen


Divide and conquer has been the mantra of compliance in many organizations. Typically the finance department drives Sarbanes-Oxley compliance. The Information Technology department focuses on ISO 27000, COBIT or other IT-specific best practices. Other departments might be focused on privacy regulations such as state privacy or HIPAA requirements. And it doesn't stop there. Each industry has its own set of best practices.

Given this state of affairs, how can you reduce the cost of compliance?

Let's focus on the largest contributor to the ongoing cost of compliance: control testing.

Step 1: Consolidate ALL of your controls into one list.

For this to be effective you must get every compliance group to contribute. The easier you make it for these groups to participate, the better your results. Gather all of those spreadsheets, Word documents and diagrams into a central repository so you can visualize what you have. What is the minimum information you should gather about those controls?

  • Control Name
  • Brief Description
  • Control Owner
  • Related department, business unit, business process and/or asset
  • Why is the control there? (Supporting a regulation? Protecting a company asset?)

[Image: Controls List]

Step 2: Now that you have the controls in one place, start looking for similarities between them.

Look for opportunities to remove duplicates. Quite often SOX controls and IT controls do the same thing but for different regulations. Why have two (or more) when one will work? Combine similar controls into one. Modifying a control to be stronger may remove the necessity for a second comparable control. Getting the idea? Having fewer controls reduces the complexity of your control framework and makes it easier to manage. It also reduces the time needed to verify and test those controls.

To make this step easier, consider using a control framework like the Unified Control Framework. They have already mapped nearly 350 regulations and best practices to a set of control objectives. This makes it much easier to rationalize your controls across a range of regulations, thereby helping to minimize redundant or highly overlapping controls. In addition, this approach makes it dramatically simpler to meet the needs of future or evolving regulations, since your existing rationalized controls are likely to be applicable to these new requirements.

[Image: Risk bubble chart]

Step 3: Determine the ideal testing frequency for your set of controls.

Now that you have a rationalized list of controls, how often do they need to be tested? How do you decide which ones get tested monthly vs. quarterly vs. yearly? Using a risk assessment of your controls will help you answer those questions.

A risk-based approach focuses testing on the areas of greatest risk. It also reduces the unneeded work of implementing controls for no/low risk areas. This avoids spending absurd amounts of time (and money) on low risk areas. The best way I have seen to identify your largest risks is using a bubble chart with the likelihood and impact of the risks as the x and y axes. Each bubble represents a risk. The highest risks are generally in the upper right corner.



Step 4: Find ways to automate what you can.

In a previous step, we reduced manual labor by reducing the number of controls that need to be managed and tested. Many controls are manual in nature, such as having someone manually review transactions. Automating some of the controls is another way to curb the cost of compliance. Continuous monitoring provides companies a means to transform manual process controls and automate them as system controls. Continuous monitoring saves the labor costs associated with performing and testing the control while improving its reliability, which in turn minimizes the risk.

To recap, start the process by breaking down the silos between compliance groups and consolidate your controls into a central repository. Then, decrease the number of your controls by eliminating duplicates and combining similar controls. Next, use a risk-based approach to prioritize your controls testing activities. Lastly, apply automated controls where it makes sense to reduce the effort, while increasing speed and accuracy of your testing activities.


By: Mike Hoefgen
Mike Hoefgen has been helping clients solve business problems for over 20 years. Mike is currently a Principal Consultant with CA, Inc working with the Governance business unit and is based in Seattle. Mike holds a Bachelor of Science degree in electrical engineering from the University of Wisconsin...