Continuous Audit for Tailored Audits

How continuous audit works for your tailored audit

OVERVIEW

Continuous audit progressively completes your audits over the industry standard 12 month reporting cycle. In contrast to traditional audits conducted at the end of the period:

You get feedback when it's relevant;
You can have increased confidence that your compliance is on track year-round; and
It proves your compliance has been maintained with clear audit progress for your customers peace of mind.

It also reduces the disruption of audits, speeds up reporting when period end rolls around, and has inherent efficiencies where evidence requirements are scheduled and can be planned for ahead of time for a smoother, more efficient audit experience internally.

CONTINUOUS AUDIT PLAN

Initial setup: Let us know when you're ready to start and we'll create your audit board.

Monthly topical focus: Tailored audits are designed to be based on the specific, custom controls in your environment, including various topic areas such as: risk management, change management and confidentiality. Depending on your control set, about 30 to 40% of your controls are based on periodic reviews and event-driven sample testing. We've aligned a calendar of topical focus areas below to complete these areas. We've aligned a calendar of topical focus areas below to complete these topics.

Remaining controls: The remaining control areas not covered below can be covered anytime during your audit period. We can progressively test and sign off those controls throughout the period.

Audit queries: We will raise any audit queries when we conduct the testing of any items that require clarification. These will be logged in the Audit Queries section of the audit platform being used. The earlier these are addressed, the better, to close off those areas and if there any any issues it helps us get on top of them early, and ensure they're resolved to mitigate the impact.

Wrap up: We may have some top up testing in the final month of your audit period. The calendar view below is designed to minimise this, but we also need to ensure our audit can demonstrate reasonable coverage of the full audit period. We'll let you know where this applies and give you a clear view of what's remaining in that final month. Where you have large populations of occurrences (such as frequent new hires, incidents or manual changes), you prefer to have those sampled at the end of audit period. This can be discussed with your audit team.

Month

Control Area

January

Risk Management (risk assessments)

Business planning (ETC07)
Risk assessments (RAP05) and Risk assessment scope (RAP06_1)
Risk assessment of fraud (RAP06_5) and Risk assessment of operating changes (RAP06_7)
Approval of risk assessments (RAP07)
Risk mitigation strategies (RAP08)

Risk Management (control framework)

Control framework responsibilities (MOC01)
Control framework (MOC04)
Control framework mapped to standards (MOC05)
Control framework assignment to individual owners (MOC06)
Reviews of the control listing or framework (MOC07)
Internal control improvements (MOC08)

Control Environment (employee-focused)

Employee security awareness training (PNT05)
Employee training plans (PNT04_1)
Employee performance reviews (PNT01)
New hire employment contracts (RNR06)
Employee job descriptions (RNR02)
Annual review of job descriptions (RNR03)
New hire background checks (HNB05)
Approval of new hire candidates (HNB04)
New hire code of conduct acknowledgements (COC02)

Control Environment (company-wide)

Company-wide meeting minutes (MGT08)
Management meeting minutes (MGT05)
The documented Board of Director meeting minutes (MGT02)
Board of Director meeting records (MGT03)

February

System Security (policies)

Acceptable use policy (PMN01)
BYOD policies (PMN04_2)
Information security policies (PMN05)
Access control policy (PMN05_21)
Password policy (PMN05_22)
Network security policy (PMN05_7)
Vulnerability management policy (PMN05_15)
Infrastructure hardening (PMN13)
Policy enforced endpoint device requirements (EXT5)
Hard disk encryption (EXT5_1)

System Security (configurations and implementation)

Company device policy (BYOD restricted) (PMN04)
Endpoint device hardening (BYOD) (PMN04_1)
Endpoint device hardening (PMN04_3)
Security configuration review (PMN09)
Security patching process (PMN13_1)
Encryption of endpoint devices (PMN18 )
Infrastructure authentication (AUT01)
Authentication for employees (AUT02)
Authentication for customers and users (AUT03)
User listings showing unique IDs (AUT04)
Virtual private network (VPN) (AUT07)
Firewalls at access points (EXT03)
Antivirus installed on devices (EXT05)
Encryption of data-at-rest (EXT07)
Encryption of data-in-transit (EXT08)
Web application firewalls (EXT20)
TLS encryption (EXT3)

March

Vulnerabilities

Vulnerability management policy (PMN05_15)
Penetration testing (EXT02)
Vulnerability management program (EXT02_1)

Vendors

Vendor management policy (VSE01)
Vendor register (VSE03)
Annual vendor risk assessment (VMN01)
Vendors responsible owners for oversight (VMN04)

External Party Management (Customers)

Customer support channels (CCM02)
Customer awareness of handling incidents (CCM03)
User guides and documentation (CCM04)

April

Privacy (policies and notices)

Privacy policy data collection (PRV01)
Privacy notices (PRV02)
Communication of the privacy policy (PRV03)
Privacy policy purpose and use (PRV06_1)
Privacy policy consent and choices (PRV06_4)
Privacy policy third-party processors (PRV06_7)
Privacy policy security practices (PRV06_8)
Opportunity to withdraw consent (PRV09)
Communication of consequences for refusing consent (PRV10)
Privacy policy disclosure of sub-processors (PRV06_71)
Privacy policy contact methods (PRV47_6)

Privacy (practices)

Basis of processing personal data (PRV05)
Consent from data subjects (PRV07)
Consent for sharing data with new sub-processors (PRV12)
Data Protection Officer responsibilities (PRV16)
Established responsibilities for privacy (PRV17)
Employee security (PRV19)
Employee privacy training (PRV20)
Defined procedures for handling requests from the Data Controller (PRV22)
Defined procedures for handling privacy requests (PRV23)
Denied privacy requests handling (PRV24)

Confidentiality

Data handling policies (CON01)
Confidentiality policies (CON03)
Acceptable use policy confidentiality terms (CON04)
User confidentiality guidance (CON06)
Data types and classifications (CON07)
Register of confidential data (CON08)
Retention period of data (CON09)
Protection from data erasure (CON13)

May

Availability

Disaster Recovery Site (ENV13)
System monitoring tools (SMN01)
Configured alerts for system monitoring (SMN03)
Auto-scaling configuration (SMN04_1)
Capacity forecasting (SMN04)
Capacity forecast approval (SMN05)
System redundancy (REC01_1)
Denial of service protection (REC01)
Load balancer (REC15)
Backup configuration and schedule (REC02)
Backup policy (REC13)
Failed backup alerts (REC03)
Backup restoration tests (REC04)
Business continuity plans (BCP) (REC06)
Annual BCP testing (REC6_1)
Disaster Recovery Plan (REC07)
Disaster Recovery Plan testing (REC08)
Environmental Policies (ENV01)
Sensors (ENV02)
Fire suppression and Fire Extinguishers (ENV03, ENV04)
Raised Flooring (ENV05)
Generators (ENV09)

June

Processing Integrity

Systematic data validation checks (DIN01)
Information processing objectives (DIN03)
Risk assessment of processing objectives (DIN04)
Processing integrity policies and procedures (DIN05)
Register of critical data variables (DIN06)
Data register classifications and details (DIN07)
Periodic review of information processing objectives (DIN09)
Reconciliations of data accuracy (DIN11)
Resolution of reconciling differences (DIN12)
Logging of data processing errors (DIN14)
User documentation of information processing (DIN15)

Frequently Asked Questions

How do I filter for the specific control area in my audit software?
- Pillar: Open your Pillar audit board. Near the top of the board, click the "filter" symbol and scroll to the "Sections" portion of the filter options. You can select the control areas here.
- Trello: Open your Trello audit board in "board" view. Near the top of the board, click the "filter" symbol. In the text box, search for the section name (e.g. "Change Management"). There isn't a specific filter option to select section names but this search option should give you a list; look for the card with the Section label matching the control area you've searched for. You can also search by control name.
How do I filter for the specific control area in my compliance software?
- Drata: Coming soon
- Vanta: Coming soon
There are controls in the table that aren't in my controls list. What should I do?
- Not to worry - every client's control list will look different. It's expected that some of these will not be applicable or not be in scope for you.
The schedule this month includes controls that are tested through sample evidence. Where or how do I share the population list (i.e. list of occurrences) for my auditor to select samples from?
- Pillar: Open your Pillar audit board. Near the top of the board, click the "filter" symbol and scroll to the "Type" portion of the filter options. You can select the "populations" to view the card designated for all populations to be uploaded.
- Trello: Open your Trello audit board in "board" view. Near the top of the board, click the "filter" symbol. In the text box, search for "population". This should display your Type 2 Population audit card where population files can be uploaded.
- Vanta: Coming soon
- Note: If you've agreed other preferences with your audit team, please confirm with them.
My control IDs are different than what's online. What do I do?
- Sometimes control IDs may be updated in your audit board by your audit team for clarity or to align with other platforms you use. In this case, use the control name as reference. When in doubt, reach out to your audit team.