4.11. Compliance audit
The compliance audit measures the extent to which an organisation's IT systems meet a new requirement, such as a legal obligation. It highlights where additional action is required to achieve compliance.
Use the compliance audit when you have an urgent need to formally measure compliance to a new requirement or objective, such as a legal obligation.
In most cases a separate compliance audit is not necessary because the requirement can simply be included within the standard system governance criteria, and compliance to the requirement managed alongside all other criteria. New requirements can be included in the standard set of system governance criteria during the annual review. Only run a separate compliance audit when the requirement is too urgent to be included as part of the usual review processes.
Criteria are usually changed as part of the annual review, and then all systems are reassessed before the next annual review. If an annual review has just completed, it could theoretically be just under two years before a new requirement can be incorporated into the process and compliance to it measured. It is, of course, possible to change criteria between annual reviews, and to bring this date forward, without resorting to a formal compliance audit. This less formal approach may well be appropriate, unless there is a formal need to measure the level of compliance in a relatively short time period.
The compliance audit is carried out by the system governance manager and their team. Because the audit involves a change to the criteria, the system governance committee are also involved.
The compliance audit will require input from someone who can represent the compliance requirement, and this role has been termed the compliance owner. The process assumes that there is a group of compliance stakeholders who are consulted on the new criteria. The compliance stakeholders act as additional members of the system governance committee, but only for the compliance audit.
The compliance audit will require additional work within the system governance team and across the IT organisation as a whole. Agreement must be sought from the IT decision makers and the system governance sponsor.
The compliance audit requires that you already have an established system governance process, including a list of systems that need to be audited.
If you do not have an established system governance process, then your audit requirements will be best met by initiating and rolling out system governance, with the explicit aim of measuring compliance. You will probably require the waterfall approach to roll out, as it allows an up-front definition of what will be audited. See Startup processes for an overview of the system governance initiation and roll out processes.
The compliance audit involves defining new criteria to represent the new requirement, adding these to the standard criteria, and then ensuring that all systems are reassessed against the new criteria. The compliance audit is not an independent process, but involves bringing forward activities that would otherwise be part of the ongoing system governance processes.
Initiate compliance audit
Define the objective of the compliance audit. Include an outline of the new requirement. Indicate the scope of the audit: must it apply to all systems, or only some systems? What level of coverage must be achieved? By when should the audit be complete?
Discuss with the system governance manager whether a separate compliance audit is required. Where possible, roll the compliance requirement into the ongoing system governance processes and do not run a separate compliance audit.
Recruit a group of compliance stakeholders who can help elaborate the requirement.
Gain agreement for the audit from the system governance sponsor, the system governance manager and the IT decision makers. (The compliance audit requires broad agreement because it will involve additional work from the system governance team and committee, and additional assessments across all systems in scope.)
Define compliance criteria
- Responsible: System governance manager
- Involved: System governance committee, compliance stakeholders
Discuss and agree new criteria or changes to existing criteria to represent the new compliance requirement. Discuss and agree the placement of these new or changed criteria in the standard structure, and the weighting of the criteria relative to the standard criteria. Discuss and agree grades, scores and rules for identifying issues.
Consider the degree of formality required to define the criteria. If the criterion definition is complicated, consider running a condensed version of the criteria development workshop.
When the new and changed criteria are agreed, add them to the standard template.
See:
- Section 3.5, Criterion maintenance
- Section C.2, Criteria development workshop
Plan assessments
- Responsible: System governance manager
- Involved: IT decision makers, compliance owner
Plan the assessment of every system in scope for the new criteria, and the validation of the assessments. It is likely that most systems will need to be assessed specifically for the new criteria, but it may be possible to include the new criteria in some assessments that were to take place anyway.
Agree the plan with the IT decision makers and compliance owner.
Assess systems
- Responsible: System governance manager
- Involved: none
Assess systems according to the plan. Check with system owners that assessment responses are factually correct.
Validate assessments
- Responsible: System governance manager
- Involved: none
Validate assessments according to the plan. Address any issues with assessments that cannot be validated.
See: Section 3.3, Validation.
Prepare compliance audit
Analyse the gradings for new criteria, and calculate the following:
- The planned and actual coverage achieved.
- An overall score for compliance to the new criteria. (This is the score using only the criteria that relate to the compliance requirement, scaled up to give a percentage score.)
- A list of issues that have been found, the impact of the issues, and the systems to which the issues apply.
See: Section 3.4, Analysis.
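As an added illustration (not part of the original text), the three figures above, coverage, the compliance-only score scaled to a percentage, and the issue list, computed over constructed assessment data; the criterion weights, grade scale, validation flag and issue threshold are assumptions, not values from this process.

```python
# Constructed sample data (hypothetical). Grades run 0..MAX_GRADE per criterion;
# a missing grade means the criterion was not assessed for that system.
MAX_GRADE = 4
# Weight of each compliance criterion relative to the others (assumed structure).
COMPLIANCE_CRITERIA = {"C1": 2.0, "C2": 1.0}
# Issue rule (assumed): any compliance criterion graded below this is an issue.
ISSUE_THRESHOLD = 2

ASSESSMENTS = {
    "payroll":   {"validated": True,  "grades": {"C1": 4, "C2": 3}},
    "crm":       {"validated": True,  "grades": {"C1": 1, "C2": 2}},
    "intranet":  {"validated": False, "grades": {"C1": 3, "C2": 3}},
    "legacy-hr": {"validated": False, "grades": {}},   # planned, not yet assessed
}


def coverage(assessments, in_scope):
    """Planned vs. actual coverage: only validated assessments count as achieved."""
    achieved = [s for s in in_scope if assessments.get(s, {}).get("validated")]
    return len(achieved), len(in_scope), round(100 * len(achieved) / len(in_scope), 1)


def compliance_score(assessments):
    """Weighted score over the compliance criteria only, scaled to a percentage."""
    earned = possible = 0.0
    for a in assessments.values():
        if not a["validated"]:
            continue
        for crit, weight in COMPLIANCE_CRITERIA.items():
            grade = a["grades"].get(crit)
            if grade is None:
                continue
            earned += weight * grade
            possible += weight * MAX_GRADE
    return round(100 * earned / possible, 1) if possible else 0.0


def issues(assessments):
    """(criterion, system, grade) for every validated grade below the threshold."""
    found = []
    for system, a in assessments.items():
        if not a["validated"]:
            continue
        for crit in COMPLIANCE_CRITERIA:
            grade = a["grades"].get(crit)
            if grade is not None and grade < ISSUE_THRESHOLD:
                found.append((crit, system, grade))
    return found
```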
Write a compliance audit report which summarises the findings, together with any other relevant observations.
Discuss the report with the compliance owner, and when they are happy with the report, circulate it for information to the IT decision makers, system governance sponsor, system governance committee and compliance stakeholders.
Provided that the compliance owner has no objection, circulate to each system owner any finding relevant to their system. (The compliance owner might wish to leave this until after follow-up activity.)
Follow-up compliance audit
Discuss the compliance audit report with the compliance stakeholders, and plan follow-up activities. Inform the IT decision makers, system governance sponsor, system governance manager and system governance committee of the decisions.
