The concept of continuous compliance monitoring has been around for many years. Continuous compliance monitoring can be stronger than traditional snapshot-in-time audits. Most traditional audits happen annually, and auditors take point-in-time evidence as well as evidence samples to gain assurance that controls were in place over time. When auditors select samples, even the samples are just snapshots of a control’s performance. Continuous compliance tools can continuously assess control performance, alert individuals to take action as required, and help facilitate the remediation of control failures.
What Are Automated Compliance Tools?
Historically, continuous controls monitoring was customized to each company’s unique environment. Today, many companies are leveraging cloud infrastructure such as AWS and GCP, which allows for more consistent approaches to continuous controls monitoring. Consistent approaches and sets of controls lend themselves to automation. The trend towards more consistent SaaS tooling has created a unique opportunity for monitoring tools to attempt to deliver automated compliance.
AWS Security Tools: Can You Automate AWS SOC 2 Compliance?
Our firm has seen a variety of approaches to SOC 2 automation. Some start with the identification of unique risks in each company’s environment. Others include a set of best practice controls for monitoring performance in AWS and GCP. The right compliance automation tool may be different for each company. Which compliance automation tools to implement may depend on factors such as which tools and infrastructure a company is leveraging internally, what industry it is in, and what type of compliance it hopes to achieve.
What Are the Benefits of Compliance Automation Tools?
Company Benefits: The value proposition of compliance automation is doing more with less. Let’s be honest, 9 out of 10 people hate compliance, so the chance to make it less painful is a common reason to adopt a compliance automation tool. Compliance automation tools can allow fewer individuals to maintain an internal control environment and take action to correct control failures as needed. Compliance automation tools can also help create a more secure IT environment by alerting staff when controls do not function as intended.
Audit Firm Benefits: Audit firms leveraging automated compliance tools can also realize benefits. These benefits can include increased audit efficiency and fewer staff being required to complete an audit engagement. Similar to the automobile assembly lines, which allowed fewer people to create more, automated compliance tools can help one auditor perform more audits.
Rather than rely on the work of a staff auditor to collect evidence, a senior auditor can pull the required evidence directly from the compliance tool. This minimizes the need for back and forth with clients regarding requests and allows the auditor to focus their questions on the evidence provided in the tool. It is similar to filling in the blanks rather than starting from scratch, or to the compliance tool setting up the bowling pins and the auditor knocking them down.
What Are Some Features of Different Automated Compliance Tools?
- Policy and procedure creation – Companies can develop policies and procedures required by compliance frameworks. P+P creation tools can be a great starting point for small businesses or startups that have processes, but no documentation yet.
- Agents running on servers and workstations reporting continuously into a dashboard (e.g., OS patch status, antivirus up-to-date, and hard drive encryption).
- Ability to adopt a vanilla set of controls to meet audit requirements or develop a customized set of controls.
- Ability to map controls to control frameworks and export different reports depending on the framework.
- Risk assessment creation and remediation task tracking
- Security awareness training tracking
- Policy and procedure sign-off tracking
- Vulnerability identification and remediation
- Alerts related to performing key controls (e.g., access not removed for a terminated employee)
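To make the agent-reporting and key-control-alert features above concrete, here is an added example of what one monitoring cycle of a continuous-controls check looks like. It is not code from the original post or from any particular compliance tool. The control identifiers (CC-PATCH, CC-AV, CC-FDE, CC-OFFBOARD), the thresholds, and the sample agent reports, HR roster and account list are all constructed assumptions; a real tool would pull the agent data and the identity-provider export from its integrations rather than from inline constants.

```python
# Added example, not code from the original post or from any compliance tool:
# one cycle of a continuous-controls check over constructed sample data.
from dataclasses import dataclass
from datetime import date, timedelta

# Date the monitoring cycle runs (constructed).
AS_OF = date(2024, 5, 10)

# Constructed sample data: what an endpoint agent might report into a dashboard.
AGENT_REPORTS = [
    {"host": "laptop-01", "last_patch": date(2024, 5, 2), "av_signature": date(2024, 5, 9), "disk_encrypted": True},
    {"host": "laptop-02", "last_patch": date(2024, 3, 1), "av_signature": date(2024, 5, 9), "disk_encrypted": True},
    {"host": "build-01", "last_patch": date(2024, 5, 8), "av_signature": date(2024, 4, 1), "disk_encrypted": False},
]

# Constructed HR roster and identity-provider export for the terminated-user access check.
HR_ROSTER = [
    {"user": "alice", "terminated": None},
    {"user": "bob", "terminated": date(2024, 4, 30)},
    {"user": "carol", "terminated": date(2024, 5, 9)},
]
ACTIVE_ACCOUNTS = {"alice", "bob", "carol"}

# Thresholds are assumptions for this example, not values from the post.
MAX_PATCH_AGE = timedelta(days=30)
MAX_AV_SIGNATURE_AGE = timedelta(days=7)
ACCESS_REMOVAL_GRACE = timedelta(days=1)


@dataclass(frozen=True)
class Finding:
    control: str  # hypothetical control identifier
    subject: str  # host or user the finding is about
    detail: str


def check_endpoints(reports, as_of):
    """Evaluate patch age, AV signature age and disk encryption for each agent report."""
    findings = []
    for r in reports:
        patch_age = as_of - r["last_patch"]
        if patch_age > MAX_PATCH_AGE:
            findings.append(Finding("CC-PATCH", r["host"], f"last patch {patch_age.days} days ago"))
        av_age = as_of - r["av_signature"]
        if av_age > MAX_AV_SIGNATURE_AGE:
            findings.append(Finding("CC-AV", r["host"], f"AV signatures {av_age.days} days old"))
        if not r["disk_encrypted"]:
            findings.append(Finding("CC-FDE", r["host"], "full-disk encryption not enabled"))
    return findings


def check_terminated_access(roster, active_accounts, as_of):
    """Flag accounts still active beyond the grace period after the HR termination date."""
    findings = []
    for person in roster:
        term = person["terminated"]
        if term is None or person["user"] not in active_accounts:
            continue
        overdue = as_of - term
        if overdue > ACCESS_REMOVAL_GRACE:
            findings.append(Finding("CC-OFFBOARD", person["user"],
                                    f"account still active {overdue.days} days after termination"))
    return findings


def evaluate_controls(as_of, reports=AGENT_REPORTS, roster=HR_ROSTER, active=ACTIVE_ACCOUNTS):
    """One monitoring cycle: run every check and return the findings that need action."""
    return check_endpoints(reports, as_of) + check_terminated_access(roster, active, as_of)


if __name__ == "__main__":
    for f in evaluate_controls(AS_OF):
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

Run on the sample data, the cycle raises four findings: a stale patch level on laptop-02, stale AV signatures and missing disk encryption on build-01, and an account for bob that is still active ten days after termination. Carol's account, terminated one day ago, sits inside the grace period and is not flagged, which is the kind of edge the threshold has to be deliberate about. Each finding is the alert a tool would route to the control owner, and the same records, kept over time, are the continuous evidence an auditor can pull instead of a sampled snapshot.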
Are Automated Compliance Tools Worth the Cost?
No two companies’ risk profiles are exactly the same. Also, no two companies’ regulatory requirements or controls will be exactly the same either. As a result, each company must assess the potential value that automated compliance tools may add in its unique environment. It’s not an apples-to-apples comparison to simply add automated tool subscription fees to the cost of an audit. The tools allow companies to maintain their controls and evidence in one place with fewer compliance resources. Automated compliance tools also help alleviate concerns that a company may not be ready for an audit. It’s easy for stakeholders to quickly log into the tools and determine audit readiness status. For startups or small companies, a dedicated compliance resource is not always an option.
The number of companies using automated compliance tools is growing rapidly. Tools can allow startups and small businesses to focus more on growth and development while maintaining compliance without dedicating full-time compliance resources. Tools can also save money on audit fees if firms pass along savings for the efficiencies that tools create. That said, compliance tools may not work for every company’s environment.
From our experience, the tools lend themselves more to startups using consistent cloud tooling than to larger, more established companies with legacy tools still in use. If you have questions about automated compliance tools or are interested in a SOC 2 audit, please feel free to click the “contact the auditor” button on this blog post.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.