Organizations contend with a long list of regulations, laws, and requirements that subject them to lots of external audits for compliance. Internal audit departments will overlay their own operational audits around the financial reporting process, project assurance, and other areas. Because of internal auditors’ role in scheduling such reviews and exchanging information with external auditors, they can help rein in the inefficiencies of back-to-back external audits.
One way internal audit departments can manage requirements and competing purposes is using a consolidated audit program (CAP) that provides audit efficiency and helps manage audit risk. A CAP weaves together multiple audits across many domains through detailed control mapping, audit plan development, and scope synchronization. Audit once and use for many is the basic principle of this approach. Appropriate use of technology helps make the large number of requirements and controls more manageable.
Before going out with a request for proposal for multiple consolidated compliance audits, internal audit should prime the organization to create a structure that is capable of using the CAP approach. This approach will require buy-in from all key stakeholders, including those who sign off on compliance reports and the control owners responsible for performing the controls.
Early in the process, internal audit should identify those control owners through a mapping exercise. Specifically, auditors should be aware of the precise origin of the control for each domain, as well as the higher risk controls that are common across one or more domains, because a failure of a common control would impact multiple compliance domains. Because access control, change management, logging, backups, and other IT processes cut across so many audits, the IT portion is often the area that receives the greatest number of repetitive audits.
A key aspect in this mapping is selecting one compliance domain to be the anchor for the process. In all multi-compliance audits, the various standards compete for attention, and it helps to have a structure with a clear leader.
Once the compliance audits begin, internal audit should be the central point of contact between the external auditor and the control owner. This can save time because the internal auditor is screening requests for both evidence and interviews before they reach the control owner. Internal audit should have a reporting dotted line, or a direct line, to the compliance manager to provide an escalation point when things get difficult. Finally, internal audit should control the pace of the CAP approach because it is closely attuned to the culture of the organization and can match the CAP objectives with the organization’s readiness.
The actual CAP begins by working with control owners to map controls, often aided by technology. For example, an appropriately formatted spreadsheet with the original citation from each domain can be mapped to controls, and vice versa. This data set may contain hundreds, if not thousands, of rows. It should label the IT controls that impact more than one domain. The IT controls form the foundation for many domains, and getting those organized can enable the process to go by quickly. This output also is key to explaining to stakeholders why the controls are required and provides supplemental information about where any common controls came from and what each domain may require.
However, this mapping exercise can drown organizations in a sea of documents, standards, rules, laws, and mismatched formatting that is prone to human error. The task should not be outsourced or conducted by someone who lacks knowledge of the organization — it needs to be a core exercise that obtains buy-in from the organization and forms the foundation of the CAP approach. When using existing IT frameworks, organizations should dedicate a minimum of three months to this endeavor. Some software tools can provide extracts across domains and ideally identify the common controls.
Aligning the Examination Windows
CAP builds on the control mapping by identifying the overarching examination windows for each domain to align these as much as possible. Internal audit should consider the time period of examination (e.g., six months, 12 months, or rolling three-year periods), the sample sizes dictated by each domain, due dates for the compliance reports, and the type of credentials required to perform each audit. For example, ISO 27001 restricts how much of its audit output can be re-used by other audit teams, and the Payment Card Industry Data Security Standard (PCI DSS) prohibits work that is not performed by someone with the Qualified Security Assessor credential. Internal audit departments should treat CAP as they would any other audit plan.
Identify Audit Overlaps
Once internal audit has identified the eligible compliance domains, it should review the overlap of controls. This review should identify the common controls and consider the timing of those controls. For example, if a risk assessment should be performed annually, the control should occur when other domains can benefit from its timing.
All compliance domains must be mapped back to the controls required by each standard, and harmonized controls should be rolled into the mapping. Harmonized controls are important because they are abstract enough to fit multiple compliance domains, but specific enough to be readable by control owners. The mapping should be detailed in a way that the source language can be traced to the harmonized control relationship. The overlap between compliance areas is usually between 8 percent and 24 percent, with most common controls coming from the IT area.
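The mapping exercise described here and in the spreadsheet discussion above, as an added Python example that is not part of the original article: a small constructed mapping of source requirements to harmonized controls, with functions that flag the common controls (and the IT ones among them), measure the overlap between two domains, and trace a harmonized control back to its source language. The domain names, citation references, control ids and the Jaccard overlap measure are this example's assumptions, not values from the article or from any real standard.

```python
# Added example (not from the article): a minimal CAP control-mapping data set
# with the checks the mapping exercise calls for. All names/ids are constructed.
from collections import defaultdict

# Harmonized controls: id -> (title, area). IT controls are the usual common ones.
CONTROLS = {
    "HC-01": ("Access rights are reviewed quarterly", "IT"),
    "HC-02": ("Changes are approved before release", "IT"),
    "HC-03": ("Backups are tested for restorability", "IT"),
    "HC-04": ("Vendor contracts are reviewed annually", "Business"),
    "HC-05": ("Protected data flows are documented", "Business"),
}

# Mapping rows: (domain, citation, source language, harmonized control id).
MAPPING = [
    ("Domain A", "A-1.1", "Review user access each quarter.", "HC-01"),
    ("Domain A", "A-2.3", "Authorize changes before deployment.", "HC-02"),
    ("Domain A", "A-5.2", "Verify backup media can be restored.", "HC-03"),
    ("Domain A", "A-9.1", "Review third-party agreements yearly.", "HC-04"),
    ("Domain B", "B-7.1", "Periodically recertify account access.", "HC-01"),
    ("Domain B", "B-7.4", "Change control with documented approval.", "HC-02"),
    ("Domain B", "B-12.2", "Document flows of protected data.", "HC-05"),
    ("Domain C", "C-3.0", "Access rights reviewed on a schedule.", "HC-01"),
]

def domains_per_control(mapping=MAPPING):
    """Return {control_id: set of domains that require it}."""
    out = defaultdict(set)
    for domain, _cite, _text, cid in mapping:
        out[cid].add(domain)
    return dict(out)

def common_controls(mapping=MAPPING, area=None):
    """Controls required by two or more domains (optionally one area only):
    a failure here breaks several compliance reports at once."""
    hits = {c: d for c, d in domains_per_control(mapping).items() if len(d) >= 2}
    if area is not None:
        hits = {c: d for c, d in hits.items() if CONTROLS[c][1] == area}
    return hits

def overlap_percent(dom_a, dom_b, mapping=MAPPING):
    """Shared controls as a percentage of the two domains' combined set (Jaccard)."""
    a = {cid for d, _, _, cid in mapping if d == dom_a}
    b = {cid for d, _, _, cid in mapping if d == dom_b}
    return round(100 * len(a & b) / len(a | b), 1)

def trace(control_id, mapping=MAPPING):
    """Source citations behind one harmonized control, for traceability."""
    return [f"{d} {c}: {t}" for d, c, t, cid in mapping if cid == control_id]
```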
The CAP approach will require accurately identifying the timeline required by each compliance domain and the reporting period. These need to be aligned as closely as possible to obtain maximum benefits. First, internal audit should evaluate each domain to understand whether it requires testing at a point in time, such as PCI DSS and Service Organization Control (SOC) Type I, or over a period of time, such as the U.S. Health Insurance Portability and Accountability Act and SOC Type II. Not all compliance areas will test the full populations annually. For example, the U.S. Federal Risk and Authorization Management Program requires that an external auditor test all controls in year one to form the baseline, but only a subset of those controls — focused on monitoring the baseline — must be tested in subsequent years.
Saving Time and Money
Completing each stage in the CAP process can prepare the organization to reduce inefficiencies from multiple external audits. Investing 200 to 300 hours to develop the CAP can enable the organization to prepare for a single external auditor, as well as clarify requirements that can be documented in a bid process to ensure that it gets the best auditor capable of maximizing time savings. Organizations that undertake the CAP approach can save between 1,000 and 10,000 hours annually because the compliance auditors will use less of the organization’s time, which could save them as much as US$500,000.