Compliance audits evaluate the thoroughness of your compliance evidence, security policies, user access controls and risk management procedures.
After spending the entire year preparing for the next audit, it is now time for the auditors to review all of the gathered evidence and documentation. The audit can take anywhere from several weeks to several months to complete, depending on the size of your business and the quality of the information you provide.
So what do the auditors need to ensure the entire process goes as smoothly as possible?
First, make sure they have a designated space where they can work uninterrupted.
Next, hold a kickoff meeting to agree on and review expectations. The easier you make it for the auditors, the better.
Create a schedule with your auditors that lets them ask questions of the company personnel who gathered the information. The schedule may need to be revised day to day depending on what has been accomplished.
Auditors need your help to do their job effectively. Every company should be prepared with all required documentation so auditors do not have to dig for the information they need.
“Evidence is key! Make sure all the evidence that you provide is clear and concise.”
If, during their review, the auditors raise concerns that need further documentation, expedite those requests so the concerns can be addressed and everyone can move forward as quickly as possible.
Process and procedure documents should define the following:
- How the evidence is collected
- What evidence is collected
- When the evidence is collected
When preparing the documentation for audit review, make sure it includes the following:
- Systems documentation, including diagrams of the systems architecture
- User access lists showing who has access to what
- User role definitions
- Separation of duties, including how the separation is enforced
- Each requirement with a link to the evidence that shows the requirement is met
  - The evidence should clearly identify how the requirement is being met
  - The evidence should contain the macro/report parameters used to obtain it
  - Testing evidence should be dated and indicate who completed the testing
- Evidence of customer monitoring processes and procedures, if applicable
- Business Continuity Planning (BCP) documentation
  - The detailed plan
  - How the plan is tested and the schedule on which testing is completed
Evidence Gathering Best Practices:
- Record the parameters used by the macros or programs that collected the evidence
- Record the associate who reviewed the evidence, with the date and time of the review
- Document any issues found with the evidence
- Document any remediation steps required after the evidence review
- Document approval of the evidence, including who approved it and the date and time
- Keep evidence organized, clearly understandable and consistently thorough
How Odyssey can help
According to Verizon's 2019 PCI DSS Compliance Report, 80 percent of organizations are still non-compliant. If your company needs help navigating the ever-changing compliance landscape, reach out to us. Our team of experts will work with your IT team to identify gaps, organize all documents and create a proactive plan that has you prepared for an audit at any time.