Continuous Audits for Tailored Audits

How to continually manage your tailored audits

OVERVIEW

Continuous audit progressively completes your audit over the industry-standard 12-month reporting cycle. In contrast to a traditional audit conducted in one block at the end of the period:

  • You get feedback when it's relevant;
  • You can have increased confidence that your compliance is on track year-round; and
  • It demonstrates that your compliance has been maintained, with clear audit progress for your customers' peace of mind.

It also reduces the disruption of audits, speeds up reporting when the period end rolls around, and brings inherent efficiencies: evidence requirements are scheduled and can be planned for ahead of time, giving a smoother, more efficient audit experience internally.

AUDIT PLAN

Initial setup: Let us know when you're ready to start and we'll create your audit board.

Monthly topical focus: Tailored audits are based on the specific, custom controls in your environment, covering topic areas such as risk management, change management and confidentiality. Depending on your control set, about 30 to 40% of your controls rely on periodic reviews and event-driven sample testing. We've aligned a calendar of topical focus areas below to complete these topics over the year.

Remaining controls: The control areas not covered in the calendar below can be tested at any time during your audit period. We will progressively test and sign off those controls throughout the period.

Audit queries: We will raise audit queries when our testing finds items that require clarification. These are logged in the Audit Queries section of the audit platform being used. The earlier these are addressed the better: it lets us close off those areas, and if there are any issues it helps us get on top of them early and ensure they're resolved in time to mitigate the impact on the audit.

Wrap up: We may have some top-up testing in the final month of your audit period. The calendar below is designed to minimise this, but we also need to ensure our audit can demonstrate reasonable coverage of the full audit period. We'll let you know where this applies and give you a clear view of what remains in that final month. Where you have large populations of occurrences (such as frequent new hires, incidents or manual changes), you may prefer to have those sampled at the end of the audit period; discuss this with your audit team.

Month and Control Topic / Control Areas
January: Managing Risk and Controls 

Risk Assessments:

  • Risk Assessment Policy
  • Annual/Quarterly Risk Assessments
  • Risk Mitigation/Remediation Plans

Controls Assessments:

  • Conducting Control Self-Assessments
  • Control Remediation Plans (as applicable)

February: Managing System Security Controls

System Based Policies:

  • One comprehensive policy document (e.g. an information security policy), or
  • Separate policies for each type of security measure, such as:
    • Acceptable use policy
    • Access control policy
    • Password policy
    • Network security policy
    • Vulnerability management policy
    • Infrastructure hardening policy

System Security Configurations and Implementation:

  • Bring your own device restrictions
  • Endpoint device hardening and encryption
  • Security configuration review
  • Patching
  • Infrastructure authentication
  • Authentication for employees, customers and users
  • Management of unique user IDs
  • Virtual private networks, firewalls and TLS encryption
  • Anti-virus
  • Encryption of data-at-rest and data-in-transit

March: Managing Vulnerabilities and Vendors

Vulnerabilities: 

  • Vulnerability Management Policy
  • Annual Penetration Tests
  • Vulnerability Scans (e.g. quarterly)
  • Resolution of Identified Vulnerabilities

Vendors:

  • Vendor Management Policy
  • Vendor Register
  • Vendor Agreements or Terms of Service 
  • Review of Vendor Attestation Reports

April: Managing Privacy and Confidentiality

Privacy:

  • Privacy policy and notice
  • Privacy practices

Confidentiality: 

  • Policies and procedures
  • Logging and monitoring

May: Managing Availability

Availability:

  • Capacity
  • Environmental protections, software, data backup processes, and recovery infrastructure
  • Testing recoverability

June: Managing Governance & BCDR Tests

Board/Management:

  • Board Meetings 
  • Senior Management Meetings (if applicable)
  • All Hands Meetings (if applicable)

Business Continuity and Disaster Recovery:

  • Disaster Recovery Plans
  • Business Continuity Plan
  • BCP/DR Tests Conducted Annually
  • Restoration Tests

July: same as January (Managing Risk and Controls)
August: same as February (Managing System Security Controls)
September: same as March (Managing Vulnerabilities and Vendors)
October: same as April (Managing Privacy and Confidentiality)
November: same as May (Managing Availability)
December: same as June (Managing Governance & BCDR Tests)

Frequently Asked Questions

  • How do I filter for the specific control area in my audit software?
    • Pillar: Open your Pillar audit board. Near the top of the board, click the "filter" symbol and scroll to the "Sections" portion of the filter options. You can select the control areas here.
    • Trello: Open your Trello audit board in "board" view. Near the top of the board, click the "filter" symbol. In the text box, search for the section name (e.g. "Change Management"). There isn't a specific filter option to select section names but this search option should give you a list; look for the card with the Section label matching the control area you've searched for. You can also search by control name.
  • How do I filter for the specific control area in my compliance software?
    • Drata: Coming soon
    • Vanta: Coming soon
  • There are controls in the table that aren't in my controls list. What should I do? 
    • Not to worry - every client's control list will look different. It's expected that some of these will not be applicable or not be in scope for you.
  • The schedule this month includes controls that are tested through sample evidence. Where or how do I share the population list (i.e. list of occurrences) for my auditor to select samples from?
    • Pillar: Open your Pillar audit board. Near the top of the board, click the "filter" symbol and scroll to the "Type" portion of the filter options. You can select the "populations" to view the card designated for all populations to be uploaded. 
    • Trello: Open your Trello audit board in "board" view. Near the top of the board, click the "filter" symbol. In the text box, search for "population". This should display your Type 2 Population audit card where population files can be uploaded.
    • Vanta: Coming soon
    • Note: If you've agreed other preferences with your audit team, please confirm with them.
  • My control IDs are different from what's online. What do I do?
    • Sometimes control IDs may be updated in your audit board by your audit team for clarity or to align with other platforms you use. In this case, use the control name as reference. When in doubt, reach out to your audit team.