Want to get more out of your controls assessment?


An integrated risk and control framework specific to your organization can help set up an efficient, centralized reporting process in four steps.


This blog is part of our ongoing SOC Insight series. Each piece focuses on a different area of SOC reporting and aims to answer the questions that are important to your business. Read more to learn why SOC reporting is about much more than checking a compliance box.

Many large companies have to satisfy a multitude of reporting requirements to provide stakeholders with trust and transparency over their control environments. And a single control can support many requirements—it can be included in the scope of a SOC 1 or SOC 2 report; meet regulatory obligations, such as GDPR; be key for Sarbanes-Oxley; comply with a security framework such as NIST, ISO or HITRUST; and help mitigate internal risks. As a result, some control owners who manage these common controls get bombarded with evidence requests repeatedly asking for the same things. And, these control owners may be spread across many teams, making it difficult to coordinate multiple reporting efforts.

The good news is it’s possible to set up an integrated risk and control environment and a consolidated project management office (PMO) to serve many different purposes. In other words, it’s possible to assess a control once, and report that assessment to many constituents. Governance, risk and compliance (GRC) processes and technology can automate the entire life cycle around assurance. This automation reduces the rework on testing controls to meet all reporting requirements.

Setting the path to centralized, efficient reporting

A centralized and integrated risk and control framework can strengthen trust and transparency among business partners, better address multiple reporting requirements and reduce audit fatigue. The journey to implement such a framework begins with four steps.

1. Know your reporting requirements

Understanding each of your reporting requirements is key to developing an integrated risk and control framework that addresses needs across the organization. Indeed, management should work with stakeholders across the enterprise to understand the scope of existing regulatory, financial, external and internal reporting and develop a consolidated inventory of risks and requirements.

2. Understand the overlap between your risks and controls

Once organizations create a comprehensive inventory of risks and requirements, management can evaluate and map controls to this catalog—likely the longest and most challenging step. Those responsible for reporting will also need to identify areas of overlap between various functions such as internal audit, external reporting, compliance and security groups. The PMO then uses the mapped common risks and requirements and the relevant controls to coordinate with all business and IT teams while working with management to complete consolidated reports where helpful. This process provides the insight needed to identify where a risk has no control linked to it and where current controls effectively address multiple risks, and it drives remediation from a control design perspective.

3. Initiate testing to “assess once, report many”

Depending on the reporting requirement, each control assessment may carry different obligations for how it is tested and reported. It’s important to have the right people testing controls at the right time—with the right testing frequency—to meet the coverage requirements for different reporting purposes. To verify that the testing can support each objective, look at specific reporting requirements to determine which testing approach will yield the most efficiencies and who should perform it. Furthermore, the PMO should evaluate the scope and extent of the testing to make sure that testers take a sufficient number of samples throughout the requisite periods and cover all required business processes and systems.

4. Prepare to automate

Even for those companies that have developed their own proprietary SOC reporting portals, other GRC automation can assist with integrating planning, scoping, collecting evidence and reporting, as well as issue remediation and management. A business and security-based process to meet market demand for reports and oversee distribution management can help manage a large volume of client requests for SOC reports. Most GRC automation integrates risks and controls into a common repository to facilitate governance, communication (such as who is responsible for which controls) and use of analytical dashboards. The technology enables users to continuously monitor the controls and identify top issues, including those repeated across geographies, business units and technologies, as well as other trends, making it easier to identify areas that require remediation.
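As an added illustration of steps 2 and 3 (example code written for this page, not part of the original post or of any GRC product), the script below holds a small control map in plain Python and answers the questions those steps raise: which risks have no control linked to them, which controls are common to several reporting requirements, how many evidence requests "assess once, report many" saves compared with siloed testing, and whether a control's test samples actually cover every period the most stringent requirement demands. All risk, control and requirement identifiers, frequencies and test dates are constructed sample data.

```python
"""Integrated control map: gap analysis, common controls and test coverage.

Added example, not code from the original post. Every identifier below
(R1.., C1.., the requirement names' frequencies, the test dates) is
constructed sample data chosen to illustrate the four steps in the text.
"""
from datetime import date

# How many times per year a requirement expects a control to be assessed.
# Constructed assumption: each reporting requirement maps to one cadence.
FREQ_PER_YEAR = {"annual": 1, "semiannual": 2, "quarterly": 4, "monthly": 12}

# Step 1: consolidated inventory of reporting requirements and their cadence.
REQUIREMENT_FREQUENCY = {"SOC 2": "quarterly", "SOX": "quarterly", "ISO 27001": "annual"}

# Step 1 (continued): the risk inventory. R4 is deliberately left without a control.
RISKS = {"R1-unauthorized-access", "R2-unapproved-change", "R3-data-loss", "R4-third-party-breach"}

# Step 2: controls mapped to the risks they mitigate and the requirements they support.
CONTROLS = {
    "C1-user-access-review": {"risks": {"R1-unauthorized-access"},
                              "requirements": {"SOC 2", "SOX", "ISO 27001"}},
    "C2-change-approval": {"risks": {"R2-unapproved-change"},
                           "requirements": {"SOC 2", "SOX"}},
    "C3-backup-restore-test": {"risks": {"R3-data-loss"},
                               "requirements": {"ISO 27001"}},
}

# Constructed evidence log for C1: three tests, none of them in the third quarter.
SAMPLE_TEST_DATES = [date(2023, 1, 15), date(2023, 4, 20), date(2023, 11, 2)]


def unmitigated_risks(risks, controls):
    """Risks from the inventory that no control is linked to (a design gap)."""
    covered = set().union(*(c["risks"] for c in controls.values()))
    return sorted(set(risks) - covered)


def common_controls(controls):
    """Controls that satisfy more than one requirement: the ones whose owners
    get duplicate evidence requests when each report is run in its own silo."""
    return {cid: sorted(c["requirements"])
            for cid, c in controls.items() if len(c["requirements"]) > 1}


def consolidated_frequency(control, requirement_freq):
    """Single test cadence for a control: the most stringent among its requirements,
    so one assessment at that cadence satisfies all of them."""
    return max((requirement_freq[r] for r in control["requirements"]),
               key=FREQ_PER_YEAR.__getitem__, default="annual")


def evidence_requests(controls, requirement_freq):
    """(siloed, integrated) evidence requests per year across all controls.
    Siloed: every requirement asks separately. Integrated: assess once, report many."""
    siloed = sum(FREQ_PER_YEAR[requirement_freq[r]]
                 for c in controls.values() for r in c["requirements"])
    integrated = sum(FREQ_PER_YEAR[consolidated_frequency(c, requirement_freq)]
                     for c in controls.values())
    return siloed, integrated


def coverage_gaps(test_dates, year, frequency):
    """Zero-based periods of `year` (e.g. quarters for 'quarterly') with no test sample,
    i.e. where the evidence would not support the reporting period."""
    periods = FREQ_PER_YEAR[frequency]
    months_per_period = 12 // periods
    tested = {(d.month - 1) // months_per_period for d in test_dates if d.year == year}
    return [p for p in range(periods) if p not in tested]


if __name__ == "__main__":
    print("Risks without a control:", unmitigated_risks(RISKS, CONTROLS))
    print("Common controls:", common_controls(CONTROLS))
    print("Evidence requests (siloed, integrated):",
          evidence_requests(CONTROLS, REQUIREMENT_FREQUENCY))
    cadence = consolidated_frequency(CONTROLS["C1-user-access-review"], REQUIREMENT_FREQUENCY)
    print("C1 cadence:", cadence, "missing periods in 2023:",
          coverage_gaps(SAMPLE_TEST_DATES, 2023, cadence))
```

With the sample data, R4 surfaces as a risk with no control, C1 and C2 are the common controls, the siloed approach would issue 18 evidence requests a year against 9 for the integrated one, and C1's quarterly evidence is missing a sample for the third quarter, which is exactly the kind of coverage shortfall the PMO's scoping review in step 3 is meant to catch before an auditor does.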

A truly global view of controls

Reporting across multiple business units and service offerings is generally a complex undertaking, but global reporting can also be improved by bringing it into the integrated risk and control framework described above. To achieve a smart, simple reporting process, review existing reports to find where processes can be refined and improved, enhancing your ability to trace and control reports.

Companies that succeed not only stand to reduce the cost of audits but also set themselves apart from competitors by providing superior assurance to clients—and building trust.
