I’ve often heard auditors waxing poetic on the fact that ‘continuous controls monitoring’ and ‘automated compliance’ always seem to be ‘the next great thing’ – but as many have pointed out to me over the last several years, these are areas where it is difficult to gain traction.
I’ve often found myself asking, “Will we ever really get there?”
There are lots of different names for this and several versions of the truth, but essentially what I am discussing is the ability for a business solution (or control) to have an associated component that feeds compliance related information (such as test passes or failures) in an appropriate form to a governance, risk & compliance (GRC) solution. The GRC solution would then package the information appropriately, and provide it in an easily digestible and customized form to a requestor, such as internal or external audit, compliance executives, or similar roles.
A real world example of this may be something like this:
A company may have a policy which dictates that personally identifiable information (PII) not be sent via e-mail. This policy may in turn have arisen from some significant requirement, such as the Health Insurance Portability and Accountability Act (HIPAA). There will probably be an associated desktop procedure, and perhaps some manual control process.
If the associated control were to ensure this did not happen, the corresponding evidence may be difficult to acquire and produce. Let’s say, for the sake of this exercise, that the company has implemented a Data Loss Prevention (DLP) solution, geared to perform (or enforce) exactly this control. While the DLP solution may well be the enforcer of the control, and by itself have reporting or a dashboard showing the number of enforcement or prevention events, it may still be a manual process for an auditor to ‘discover’ this information, review it, opine on it, and provide the appropriate evidence along with the other appropriate documentation in an audit workbook or as a component of a control test.
Automating the compliance program in this case would clearly entail integrating the two systems: the GRC solution would receive a feed of the appropriate information from the DLP solution, ensuring that evidentiary support was provided, with metrics tied to (1) Key Risk Indicators (KRIs) – perhaps the number of attempts to send PII via e-mail; and (2) Key Performance Indicators (KPIs) – perhaps the number of times PII was successfully blocked from an e-mail.
The integration of these systems, and the associations that could then be formed between elements which may have previously been disparate – such as the links from the significant requirement, to the policy, to the desktop procedure which contains the key control, to the KRIs & KPIs, and ultimately to the actual evidence – ensures that the information can be packaged and collated and is quickly and easily found in the event of an audit.
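To make the DLP-to-GRC feed concrete, here is an added example (not code from the original post, and not any vendor's integration) of the smallest useful version of that feed: it parses a constructed DLP event export, computes the KRI (attempts to e-mail PII) and KPI (attempts blocked), attaches the requirement → policy → procedure → control linkage, and hashes both the raw log and the resulting evidence so an auditor can later verify that the evidence still matches what it was derived from. The log format, the policy and control identifiers, and the sample events are all assumptions for illustration. One point the example adds that the prose does not: an ALLOWED event under the PII policy is a control failure, so the package marks the control test FAIL rather than quietly reporting a high block count.

```python
"""Added example: a minimal DLP-to-GRC evidence feed for the e-mail PII control.

Constructed sample data and hypothetical identifiers throughout; this is not
any vendor's integration, only the shape of one.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample DLP export in an assumed syslog-style key=value format.
SAMPLE_DLP_LOG = """\
2024-03-01T09:12:44Z sender=alice@example.com action=BLOCKED policy=PII-EMAIL-01 data=SSN
2024-03-01T10:03:10Z sender=bob@example.com action=BLOCKED policy=PII-EMAIL-01 data=MRN
2024-03-01T11:47:02Z sender=carol@example.com action=ALLOWED policy=PII-EMAIL-01 data=SSN
2024-03-02T08:15:55Z sender=dave@example.com action=BLOCKED policy=CARD-EMAIL-02 data=PAN
2024-03-02T14:20:31Z sender=erin@example.com action=BLOCKED policy=PII-EMAIL-01 data=SSN
"""

# Hypothetical identifiers for the chain the post describes:
# significant requirement -> policy -> desktop procedure -> key control.
CONTROL_CHAIN = {
    "requirement": "HIPAA",
    "policy": "POL-PII-001: PII must not be sent via e-mail",
    "procedure": "DP-017: handling of PII in outbound mail",
    "control": "CTL-DLP-EMAIL-01: DLP blocks outbound e-mail containing PII",
    "dlp_policy_id": "PII-EMAIL-01",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sender=(?P<sender>\S+) action=(?P<action>\S+) "
    r"policy=(?P<policy>\S+) data=(?P<data>\S+)$"
)


def parse_dlp_log(text):
    """Parse the assumed key=value export into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def compute_indicators(events, dlp_policy_id):
    """KRI = attempts to send PII; KPI = attempts the DLP blocked.

    An ALLOWED event under the PII policy is a control failure: the DLP saw
    PII leave by e-mail and did not stop it, which is the condition an auditor
    actually needs to know about.
    """
    scoped = [e for e in events if e["policy"] == dlp_policy_id]
    attempts = len(scoped)
    blocked = sum(1 for e in scoped if e["action"] in ("BLOCKED", "QUARANTINED"))
    failures = [e for e in scoped if e["action"] == "ALLOWED"]
    return {
        "kri_pii_email_attempts": attempts,
        "kpi_pii_email_blocked": blocked,
        "control_failures": len(failures),
        "block_rate": round(blocked / attempts, 4) if attempts else None,
        "failure_events": failures,
    }


def build_evidence_package(log_text, chain=CONTROL_CHAIN, generated_at=None):
    """Package indicators, the control linkage and digests of the evidence.

    The raw-log digest lets the GRC side (or an auditor) verify later that the
    evidence still matches the log it was derived from; the package digest
    detects edits to the evidence record itself.
    """
    events = parse_dlp_log(log_text)
    indicators = compute_indicators(events, chain["dlp_policy_id"])
    package = {
        "generated_at": generated_at or datetime.now(timezone.utc).isoformat(),
        "control_chain": {k: v for k, v in chain.items() if k != "dlp_policy_id"},
        "indicators": {k: v for k, v in indicators.items() if k != "failure_events"},
        "failure_events": indicators["failure_events"],
        "control_test_result": "FAIL" if indicators["control_failures"] else "PASS",
        "raw_log_sha256": hashlib.sha256(log_text.encode("utf-8")).hexdigest(),
        "event_count": len(events),
    }
    # Digest of the package itself (computed before this field is added).
    canonical = json.dumps(package, sort_keys=True, separators=(",", ":"))
    package["evidence_sha256"] = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return package


if __name__ == "__main__":
    print(json.dumps(build_evidence_package(SAMPLE_DLP_LOG), indent=2))
```

Run as a script it prints the evidence record for the constructed log; in a real feed the same function would run per reporting period and the record, not a screenshot of the DLP dashboard, is what the GRC solution stores against the control. The `generated_at` parameter exists so that two runs over the same log can be compared byte-for-byte; leave it unset in production so each package carries its real generation time.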
A control that effectively audits itself? Oh really?
Of course – this is in an ideal world – and there are other investments, such as the purchase, installation and configuration of complementary systems… but this is now a more achievable goal than ever.
CA sees this integrated compliance approach as the future; as consolidation continues in the GRC world, it would seem that more and more companies agree.
In summary – I think the goal is much closer, and even more achievable than in years (and perhaps decades) before – but let’s face it – we seem to be adding new regulatory requirements as quickly as we can add solutions – so perhaps it will always be the Holy Grail?