Demonstrating compliance

With thousands of industry standards, internal policies, and ever-changing regulatory requirements, optimizing coverage in a changing compliance landscape can be daunting. It's vital that organizations put the necessary processes and technology in place to appropriately identify, rationalize, prioritize, and mitigate compliance risk. In this article, we discuss how to demonstrate assurance over a compliance program using the Projects, Frameworks, and Compliance Maps apps.

This article illustrates how to demonstrate compliance with the COBIT® 5 Framework. However, the same workflow can also be applied to demonstrate compliance with:

  • regulations applying to financial institutions, such as Truth in Lending, Anti-Money Laundering, or Depository Insurance
  • other IT security frameworks, such as ISO or NIST
  • Data Privacy regulations, such as the EU GDPR, GLBA, HIPAA, and FERPA
  • regulations applying to government or higher education, such as Uniform Grant Guidance, Single Audit, or Title IV

What does it mean to demonstrate compliance?

Demonstrating compliance means that an organization is committed to conducting business in conformity with the regulations and standards that apply to it.

Demonstrating compliance isn't just about showing that compliance requirements have been met, but also demonstrating how the requirements are met, and what structured programs are in place to enable ongoing compliance.

Where do I demonstrate compliance?

At Diligent, we use the Projects, Frameworks, and Compliance Maps apps to attest to assessors and other interested third parties that a strong control environment exists. Our compliance program prevents us from exposing the organization to regulatory enforcement action and data breaches. It also allows us to collaborate with business stakeholders who are required to comply with various regulations and standards.

The big picture

  • Compliance Maps is where compliance teams can perform the initial compliance gap and risk assessment by mapping requirements to existing organizational controls contained in frameworks.
  • Frameworks are used in connection with Compliance Maps to centrally capture the master relationship between requirements and controls, manage changes to controls in an evolving regulatory and business environment, and build individual projects.
  • Projects is used to test the design and operating effectiveness of controls and to capture issues. If necessary, you can also sync changes from a project back up to a framework.

When you map requirements to framework controls, testing results and issues from multiple projects are automatically aggregated to the Compliance Map, allowing you to track and report on compliance status in real-time.

Steps

Ready for a tour?

Let's take a closer look at these features in context.

1. Set up the program

The first step in building out your compliance program is setting up your projects and frameworks. You can create frameworks to manage a structured set of information and use frameworks to build multiple projects. You can also customize the terminology and labels in the projects according to your organization's standards, and sync changes back to a framework from a project if you want to apply those changes to other projects.

Set up projects and frameworks

Frameworks are helpful for reducing manual efforts involved in setting up projects, and can be used to centrally manage information in evolving regulatory and business environments.

Configure project terminology

Terminology can vary widely between different types of projects, and also between organizations performing the same types of projects. Organizations can configure different project types so that the terminology used by each team is reflected in the relevant projects.

2. Identify authoritative documents

Once you have set up your projects and frameworks, the next step is to identify the authoritative documents that are applicable to your organization, and include these documents in your Compliance Map.

Authoritative documents may take the form of regulations published by a regulatory body, such as a government, professional standards published by a professional practice body or trade association, or internal policies or procedures published by executive management.

Tip

Certain standards and regulations are available as part of your regular subscription plan. Additional standards and regulations are available by subscribing to content suites offered through the Content & Intelligence Gallery, a central repository for industry-specific content that can be used in Diligent products.

3. Interpret and rationalize requirements

Once you have imported the relevant content into your Compliance Map, you can perform a compliance risk assessment and begin the process of interpreting and rationalizing requirements. You have full control over the internal compliance process, including where on the spectrum between strict, literal implementation and rationalized coverage you want to fall, and the level of compliance coverage you want to achieve.

Perform a compliance risk assessment

Organizations that implement high quality compliance programs engage in a systematic identification and assessment of risks. Compliance risk assessments provide the means of assessing standard or regulation applicability, prioritizing the standards or regulations that should be managed first, and informing which requirements may be applicable to the organization.

Identify applicable and covered requirements

Once you have completed the compliance risk assessment, you can begin the process of identifying applicable and covered requirements.

There are two primary methods you can use to interpret and rationalize requirements:

  • Addressing everything exactly as the requirement dictates and implementing accordingly reduces non-compliance risk, but increases the burden of implementing and managing compliance
  • Interpreting requirements by applying professional judgment and rationalizing coverage that is sufficient for the organization reduces the burden of compliance, but may increase the organization's non-compliance risk

Tip

A good compliance strategy attempts to rationalize the required process and control changes in order to maximize compliance coverage by leveraging as many existing processes as possible.

4. Perform attestation projects

Using frameworks as a centralized repository of information, you can execute attestation projects to conduct operational risk assessments, work with control owners to centrally track compliance performance across all objectives, and capture issues. Performing attestation projects allows you to benchmark how well your organization is doing in managing compliance risk and requirements.

Perform operational risk assessments

An operational risk assessment determines how much risk an organization faces. You can develop a common set of assessment criteria that can be used across operating segments, entities, or business units, and score operational risks based on the defined scoring framework.

Tip

To avoid manually scoring operational risks, you can use Assessment Drivers to automate different risk assessments. You can link a metric created in the Results app to a risk assessment in Projects in order to inform the assessment, and auto-populate inherent risk scores based on pre-defined metric ranges.

Document and evaluate controls

Control owners can help to document the existence of controls in place and evaluate their effectiveness through attestation and/or attachment of evidence, define action plans to implement missing controls and address instances of non-compliance, or explain why a control is not necessary.

Tip

Frontline staff in an organization can use the Mission Control app to manage the controls they have access to, outside of the Projects app. Mission Control is an app that presents control information from Projects in a simplified and centralized view.

Capture issues and actions

You can capture and assign flagged issues for remediation throughout the compliance review process, and delegate issues to control or issue owners to update the status and related action plans. You can also assign actions to any stakeholder for easy tracking, evidence capture, and resolution.

5. Report on the state of compliance

Ultimately, compliance is the outcome of running a well-managed and well-controlled program. Compliance Maps gives all three lines of defense the ability to quickly gain insight into the work each department is doing, and to view aggregated information in real time.

To demonstrate compliance progress, you can score compliance assurance with a single, overall metric (Coverage). This metric gives management an instant understanding of the degree to which the organization is compliant by regulation, business process, or entity. You can also generate real-time reports at any time that communicate the status of individual control areas as well as the program's progress as a whole.

What's next?

Learn how to implement and automate a compliance program

The Results app allows evaluators to capture incidents via data analytics, define triggered workflows for managing incidents, perform root cause analysis and remediation activities, and close cases once they are ready for reporting.

To find out more, see Implementing and automating a compliance program.