Managing your Tailored Audits on Pillar

How to continually manage your tailored audits

OVERVIEW

Continuous audit progressively completes your audits over a 12 month reporting cycle. In contrast to traditional audits that are conducted at the end of the period, with continuous audit you get:

Faster feedback, when it's relevant;
Increased confidence your compliance is on track year-round; and
It proves your compliance has been maintained with clear audit progress for your customers peace of mind.

It also reduces the business disruption of audits, speeds up reporting when period end rolls around, and has inherent efficiencies from breaking down the audit tasks into monthly focus areas.

AUDIT PLAN

Initial setup: Let us know when you're ready to start and we'll create your audit board.

Monthly topical focus: about ~40% of your controls are based on periodic reviews and event-driven sample testing. We've aligned a calendar of topical focus areas below to complete these areas.

Remaining controls: The remaining control areas not covered below can be covered anytime during your 12 month audit period. If you use a compliance platform like Drata, we can progressively test and sign off those controls throughout the period.

Audit queries: We will raise any audit queries when we conduct the testing of any items that require clarification. These will be logged in the Audit Queries column of Pillar. The earlier these are addressed, the better, to close off those areas and if there any any issues it helps us get on top of them early, and ensure they're resolved to mitigate the impact.

Wrap up: We may have some top up testing in the final month of your audit period. The calendar view below is designed to minimise this, but we also need to ensure our audit can demonstrate reasonable coverage of the full audit period. We'll let you know where this applies and give you a clear view of what's remaining in that final month.

Control Topic	Control Area
January: Managing Risk and Controls	Risk Assessments: Risk Assessment Policy Annual/Quarterly Risk Assessments Risk Mitigation/Remediation Plans Controls Assessments: Conducting Control Self-Assessments Control Remediation Plans (as applicable)
February: Managing System Security Controls	System Based Policies: One comprehensive policy document (e.g. an information security policy) Policies for each type of safety measure; Acceptable use policy Access control policy Password policy Network security policy Vulnerability management policy Infrastructure hardening policy). System Security Configurations and Implementation: Bring your own device restrictions Endpoint device hardening and encryption Security configuration review Patching Infrastructure authentication Authentication for employees, customers and users Management of unique user IDs Virtual private networks, firewalls and TLS encryption Anti-virus Encryption of data-at-rest and data-in-transit
March: Managing Vulnerabilities and Vendors	Vulnerabilities: Vulnerability Management Policy Annual Penetration Tests Vulnerability Scans (eg. quarterly) Resolution of Identified Vulnerabilities Vendors: Vendor Management Policy Vendor Register Vendor Agreements or Terms of Service Review of Vendor Attestation Reports
April: Managing Privacy and Confidentiality	Privacy: Privacy policy and notice Privacy practices Confidentiality: Policies and procedures Logging and monitoring
May: Managing Availability	Availability: Capacity Environmental protections, software, data backup processes, and recovery infrastructure Testing recoverability
June: Managing Governance & BCDR Tests	Board/Management: Board Meetings Senior Management Meetings (if applicable) All Hands Meetings (if applicable) Business Continuity and Disaster Recovery: Disaster Recovery Plans Business Continuity Plan BCP/DR Tests Conducted Annually Restoration Tests
July: same as above in January
August: same as above in February
September: same as above in March
October: same as above in April
November: same as above in May
December: same as above in June