Continuous Audit in Pillar

How continuous audit works in Pillar

OVERVIEW

Continuous audit progressively completes your audits over a 12 month reporting cycle. In contrast to traditional audits that are conducted at the end of the period, with continuous audit you get:

Faster feedback, when it's relevant;
Increased confidence your compliance is on track year-round; and
It proves your compliance has been maintained with clear audit progress for your customers peace of mind.

It also reduces the business disruption of audits, speeds up reporting when period end rolls around, and has inherent efficiencies from breaking down the audit tasks into monthly focus areas.

CONTINUOUS AUDIT PLAN

Initial setup: Let us know when you're ready to start and we'll create your audit board.

Monthly topical focus: about ~40% of your controls are based on periodic reviews and event-driven sample testing. We've aligned a calendar of topical focus areas below to complete these areas.

Remaining controls: The remaining control areas not covered below can be covered anytime during your 12 month audit period. If you use a compliance platform like Drata, we can progressively test and sign off those controls throughout the period.

Audit queries: We will raise any audit queries when we conduct the testing of any items that require clarification. These will be logged in the Audit Queries column of Pillar. The earlier these are addressed, the better, to close off those areas and if there any any issues it helps us get on top of them early, and ensure they're resolved to mitigate the impact.

Wrap up: We may have some top up testing in the final month of your audit period. The calendar view below is designed to minimise this, but we also need to ensure our audit can demonstrate reasonable coverage of the full audit period. We'll let you know where this applies and give you a clear view of what's remaining in that final month.

Month	Controls
January: Risk and Controls	Risk Assessments: Risk Assessment Policy Annual/Quarterly Risk Assessments Risk Mitigation/Remediation Plans Controls Assessments: Conducting Control Self-Assessments Control Remediation Plans (as applicable)
February: Employees New Joiners and Current Employees	New joiners: Background Checks Sign-Off on the Acceptable Use Policy Sign-Off on the Code of Conduct Approval of System Access Employee Contracts (NDA) Current employees: Annual Performance Evaluations Job Descriptions Security Awareness Training
March: Vulnerabilities and Vendors	Vulnerabilities: Vulnerability Management Policy Annual Penetration Tests Vulnerability Scans (eg. quarterly) Resolution of Identified Vulnerabilities Vendors: Vendor Management Policy Vendor Register Vendor Agreements or Terms of Service Review of Vendor Attestation Reports
April: Access and Assets	Access Control: Quarterly Access Control Review Termination/Offboarding Checklist Asset Management: Asset Inventory Disposal of Sensitive Data on Hardware
May: Incidents and Changes	Incidents: Incident Management Policy Tracking and Resolution of Incidents Lessons Learned/Root Cause Analysis Annual Incident Response Tests (if applicable) Incident Response Plans Changes: Change Management Policy Testing of Code Changes Approval of Code Changes Change Release Management and Communications
June: Governance & BCDR Tests	Board/Management: Board Meetings Senior Management Meetings (if applicable) All Hands Meetings (if applicable) Business Continuity and Disaster Recovery: Disaster Recovery Plans Business Continuity Plan BCP/DR Tests Conducted Annually Restoration Tests
July: Risk and Controls	As above in January.
August: Employees	As above in February.
September: Vulnerabilities and Vendors	As above in March.
October: Access and Assets	As above in April.
November: Incidents and Changes	As above in May.
December: Board & BCDR Tests	As above in June.