How are you Organizing your Audit Activities?
It looks like this user community is not very large. I've just started organizing our KCM instance and I'm curious how others are organizing their Audit activities within KCM.
My current plan is to create scopes relevant to particular Audits (i.e. SSAE SOC 1, SSAE SOC 2, PCI DSS) as well as a scope for our internal audit program. From there I'll be creating Requirements that fit with a high level requirement of the Audit. So for example, for the SSAE SOC 1 Scope we would have "Control Objective 1: Controls provide reasonable assurance that security policies and procedures are in place and effectively ensure communication of information security practices."
Since the various Audits might have overlap and share similar controls/evidence, my plan is to create a single control in those cases that is not specific to the particular sub-objective within the SSAE SOC 1/SOC 2, etc., but then tag those controls with the relevant control within the particular audits (see below). My hope is this will reduce the amount of duplicated work that needs to be done across the various Scopes within KCM and provide greater visibility as to what maps across different scopes.
I'm curious to see what others are doing to reduce duplicated efforts and streamline the effectiveness of KCM.
This is actually a great question for your Customer Success Manager! I've let Mike know to reach out to you to discuss your intended workflow and see if he has any better suggestions for your plan. Mike works with multiple customers directly on how to achieve their specific goals effectively in KCM GRC and would have more knowledge on this subject than support. If you do not feel that he reaches out in a timely manner, please feel free to let me know. Thanks!
In general, controls should be generic and broad reaching, which is what you are getting at. It sort of depends on what you are trying to accomplish with the KCM platform. For us, we are using the comments section in the requirement itself to specify how the mapped control is being used for the specific requirement.
That's exactly what I was wondering! Ideally we're looking to leverage KCM to help make our audit activities more efficient. For example, one idea I'm looking at right now to help accomplish this is to leverage task assignments from KCM to ensure relevant samples and populations are delivered on time from non-audit members, as well as providing a more structured audit schedule. Another is to utilize KCM to effectively map controls between various audits where there is likely overlap. Beyond that we're still trying to understand how best to use the system.
If I understand what you're doing correctly, I think we're effectively trying to do the same thing as you with Tagging. I am curious: are you running into scenarios where you have a single control mapped to multiple requirements across multiple scopes?