How are you Organizing your Audit Activities?

c laprise

17 de setembro de 2020 15:39

It looks like this user community is not very large.  I've just started organizing our KCM instance and I'm curious how others are organizing their Audit activities within KCM.

 

My current plan is go create scopes relevant to particular Audits (i.e. SSAE SOC1, SSAE SOC 2, PCI DSS) as well as a scope for our internal audit program.  From there I'll be creating Requirements that fit with a high level requirement of the Audit.  So in example for the  SSAE SOC 1 Scope - we would have "Control Objective 1: Controls provide reasonable assurance that security policies and procedures are in place and effectively ensure communication of information security practices."

Since the various Audits might have overlap and share similar controls/evidence; my plan is to create a single control in those cases that is not specific to the particular sub-objective within the SSAE SOC 1/SOC2, etc but then tag those controls with the relevant control within the particular audits.  (see below).  My hope is this will reduce the amount of duplicated work that needs to be done across the Various Scopes within KCM and provide a greater visibility as to what maps across different scopes.

I'm curious to see what others are doing to reduce duplicated efforts and streamline the effectiveness of KCM?

 

 

-Thanks

Curtis

1

• Comentário oficial

  

  Ariel Escalante 18 de setembro de 2020 17:59

  Hi Curtis,

   

  This is actually a great question for your Customer Success Manager! I've let Mike know to reach out to you to discuss your intended workflow and see if he has any better suggestions for your plan. Mike works with multiple customers directly on how to achieve their specific goals effectively in KCM GRC and would have more knowledge on this subject than support. If you do not feel that he reaches out in a timely manner, please feel free to let me know. Thanks!

  Ações de comentário Permalink
• 

  c laprise 24 de setembro de 2020 14:21

  Hi Ariel,

  By all means that would be great; but I'd also like to see how other actual users are using the platform to achieve cross-audit objectives.

  1

  Ações de comentário Permalink
• 

  Walter Nelson 24 de setembro de 2020 15:59

  Hi Curtis,

  That would also be something that your CSM Mike would be able to assist with. Mike can definitely go over how best to use the platform and how other customers are using it. I will follow up with him today on your behalf.

  0

  Ações de comentário Permalink
• 

  Ryan St Germain 21 de outubro de 2020 13:50

  Hi Curtis,

  In general, controls should be generic and broad reaching. Which is what you are getting at. It sort of depends on what you are trying to accomplish with the KCM platform. For us, we are using the comments section in the requirement itself to specific how the mapped control is being used for the specific requirement. 

  Ryan

  2

  Ações de comentário Permalink
• 

  c laprise 24 de outubro de 2020 03:16

  Thanks Ryan,

  That's exactly what I was wondering!  Ideally we're looking to leverage KCM to help make our audit activities more efficient.  For example one idea I'm looking at right now to help accomplish this is to leverage task assignments from KCM to ensure relevant samples & populations are delivered on time from non-audit members, as well as providing a more structured audit schedule.  Another is to utilize KCM to effectively map controls between various audits where there is likely overlap.  Beyond that we're still trying to understand how best to use the system.

  If I understand what you're doing correctly, I think we're effectively trying to do the same thing as you with Tagging.  I am curious are you running into scenarios where you have a single control mapped to multiple requirements across multiple scopes?

  -Thanks

  Curtis

  1

  Ações de comentário Permalink

Por favor, entrar para comentar.