Gathering Evidence Across the Enterprise

‘Pics or it didn’t happen.’ You’ve likely heard some form of this statement from friends joking about a road trip, vacation, or extreme sport, but in the compliance world, it’s nothing to laugh about. As you are well aware, the goal of an audit is to collect and convey information that proves past and current activity related to internal and external control objectives. Some examples might include log files of backup operations, or meeting minutes that prove risk factors or vendor service level agreements were reviewed on a periodic basis.

Evidence proves that the organization is following procedures as written. Procedures provide a narrative explaining how policy is carried out. Policy is tied to controls. We can follow this logical path: Evidence -> Procedures -> Policy -> Controls to ensure that evidence gathered is related to the correct controls.

Evidence is generally expensive to gather. By expensive, I’m referring to the level of expertise and security clearance required to know how to access the appropriate (oftentimes sensitive) systems within the organization. This can include AWS dashboards, IAM permissions, AD user lists, and backup logs: all areas where, in general, skilled professionals live. This means that your most highly paid technical staff are usually the ones doing the work. Some tasks may require screenshots or PDF downloads, while others may be text files generated by simple scripts that call well-defined APIs such as those of AWS, Azure, and GCP.

Once evidence is captured, there is oftentimes no accepted place to store this information, so it’s typically placed on a file share, attached to an email, or filed in a ticketing system such as Jira. This presents several problems:

  • Different kinds of evidence are stored in different places based on a user’s own personal preference/workflow. For example, Sue may keep evidence in an email folder while John may use Jira to track evidence as “Issues”. Mark may put evidence into a SharePoint directory. This lack of structure leads to confusion, especially in larger enterprises.
  • When this evidence is stored, it fails to maintain a relationship with procedures, articles, and controls. It requires experts within the organization to know where each piece of evidence is stored and how that evidence relates to, ultimately, the control objectives within the organization.
  • This haphazard approach towards gathering evidence often means that evidence is gathered, but not reviewed. This creates the potential for evidence being gathered that does not satisfy the procedure or control objective. Oftentimes, this is discovered during the audit process requiring last-minute remediation efforts.

Having a system in place for gathering evidence is a critical first step. There are several roles responsible for ensuring coverage and accountability:

  • Author - The author is responsible for defining the nature of the evidence to be gathered. This person in the organization works closely with your information security team to define each piece of evidence to be gathered and at what interval. The author is also responsible for reevaluating the requirements over time as the organization grows or the auditor needs change.
  • Assignee - The assignee gathers the evidence. It’s critical that you choose the assignee based on their skill level and role in the organization. The assignee is held accountable for each piece of information gathered throughout the year.
  • Reviewer - The reviewer can double as the author in smaller organizations or can be independent of the author, but the reviewer should never be the assignee. It would clearly be a conflict of interest for the assignee to verify their own work as a reviewer.

In many organizations, this evidence has no direct relationship to the procedures, policies, or controls that it is designed to prove. This adds overhead to every organization: one person places the information into an accepted temporary location, and a second person gathers it up and hands it to the auditor. Furthermore, the auditor is left to interpret how the pieces are related. In the logistics business, this is known as double-handling. Going straight from the rack to the truck is a much more efficient process.

The good news is that PolicyCo treats evidence in exactly this way. We allow you to capture evidence and maintain relationships to the policies, procedures, and control objectives present across your enterprise.