Cut Compliance Engagement Scoping to Five Minutes

For Compliance Assessors who are tired of going through hours of scoping activities at the start of each new engagement, TCT has good news for you. Our latest innovation is just for you.

TCT’s new Scoping Tool removes annoying busywork at the start of client engagements. We’ve reduced the slog of an engagement setup, stripping out hours of manual work so you can get to the meat of the engagement right away.

At the beginning of each new client engagement, you need to conduct a scoping exercise to determine which requirements are (and are not) applicable to the client. If your client just needs a SAQ-A assessment, they only need to go up against about 30 out of roughly 900 items. That’s a ton of N/As to fill out — and hours of work manually going through and writing rationales for individual requirements, one by one. 

Or let’s say you have a client that’s doing a P2PE and they don’t have wireless, so they have different reasons for stating “not applicable.” A third client may have some inheritance coming in from corporate, in conjunction with circumstances that denote how their scope needs to be set. That requires a lot of time going through round after round of grabbing the right items, entering the right explanations, and getting those set and moved into the right state.

These are just a few examples of engagements that create an enormous amount of up-front work. Scoping may not be an arduous task, but it is mind numbing — and you haven’t even begun the actual project work yet.

Until now, there’s been no quick and convenient way to initially configure your clients. TCT Portal’s Scoping Tool changes that.

Assessors: Speed Through Client Onboarding with TCT’s Certification Tracks

Automated Intelligence Client Scoping in TCT Portal

TCT’s brand-new Automated Intelligence Scoping Tool now gives you the ability to quickly scope client engagements in just a few minutes. The tool gives you a scoping questionnaire with your own customized series of questions. Use the questionnaire to categorize your clients, and the Portal automatically scopes the engagement down so that only the requirements that apply to your client remain active.

Better yet, the scoping tool works for any security standard or certification across the 85+ different standards on the TCT Portal. The scoping tool will allow different questions on your questionnaire for each of the different standards or certifications that your firm works on for your clients. 

(As a friendly reminder, for paying TCT customers, if your firm has a new industry standard you need added to the TCT Portal, just let our support team know and they will add for you.)

Using the PCI DSS as an example, if your client isn’t a service provider, TCT Portal can automatically declare every requirement that’s unique to a service provider as “Not Applicable.” The system can also apply a pre-drafted rationale to each relevant item and move those items up the workflow.

Your engagement’s scope is now drastically reduced, and you can automate handling of many requirements simultaneously — all based on a single response in the scoping questionnaire. 

This tool reduces every client engagement scoping exercise from hours to about five minutes.

How the Scoping Tool Impacts Your Firm

TCT’s Scoping Tool promises immediate and measurable benefits to your business and your sanity.

• Reduce scoping time from hours to minutes
• Streamline the QA process
• Increase the profitability of each engagement
• Clarify scoping decisions through precise questions and multiple choice answers
• Standardize scoping decisions and rationales across all Assessors within the firm

By automating the scoping activities that bog down your Assessors’ valuable time, you ensure that every engagement starts with a focus on high-value productivity instead of low-value data entry.

How the Scoping Tool Works

TCT’s Scoping Tool has two components: 

• A highly customizable back-end editor, which is used to create (and maintain) the scoping questionnaire. This editor allows you to determine what scoping actions TCT Portal will perform, based on responses to each question.
• The scoping questionnaire, which is filled out during the scoping phase of each engagement. The Portal automatically scopes the engagement based on responses to the questionnaire.

The Scoping Editor

The back-end scoping editor lets you generate your list of questions to generate an initial scoping questionnaire. Once completed, the scoping questionnaire is available for all of your engagements. 

The scoping questionnaire that’s generated is YOUR scoping questionnaire, only for use with your staff for your organization. The editor lets you customize it entirely to meet your specific needs and workflow preferences. You determine what questions to include, how they are worded, what terms are leveraged, what responses to select from, and the report text to provide on the ROC. 

During configuration, in the editor, your team can assign follow-on actions for the Portal to take based on the responses you select in the questionnaire. It’s entirely under your control.

With TCT Portal, engagement scoping is entirely automated — like having an assistant do all of the scoping-related tasks for you.

For each response, you can configure the actions taken and the report text that you want to appear. When you’re filling out the scoping questionnaire, TCT Portal will perform the actions you’ve configured — for example:

1. Set the designation to Not Applicable
2. Enter a specified report text in the ROC for that item (e.g., “N/A – the organization is not a service provider.”)
3. Move the item to the next stage of the workflow

Create as many questions as you like, and pick and choose which scoping questions you want to answer per engagement. Questions must either be Yes/No questions or multiple choice questions, because the answers must be selectable from a dropdown menu. This establishes a rigorous scoping process that leaves no room for gray areas.

Sample questions:

Is this ROC assessment using a reduced scope based on an SAQ?

• SAQ-A
• SAQ-B
• SAQ-P2PE
• SAQ-A & SAQ-P2PE

Is the client a service provider?

• Yes
• No

Is this engagement for a colocation provider?

• Yes
• No

Does the organization leverage POI Devices?

• Yes
• No

Does the organization have wireless in their CDE?

• Yes
• No

The scoping questionnaire is also editable after it goes live. If you need to refine a question or include additional response selections, or add more questions, you can make the changes at any time. 

Changes are automatically available within the scoping tool for  all of your engagements. You can optionally update the scoping questionnaire then immediately leverage the benefit of that automation on your engagements with a second pass of the scoping questionnaire to layer the additional documentation over the client engagement in question.

The Scoping Questionnaire

When you start a new engagement, use the scoping questionnaire to quickly pare down the applicable compliance requirements. Fill out the questionnaire any time you have a new engagement and get started on your real work right away.

For each question, you’ll see a list of possible responses to choose from. Simply select the appropriate response for each question. TCT Portal scopes or descopes all of the requirements that are related to the question and fills in the rationale for you, as appropriate. 

A typical questionnaire can be completed in just a few minutes.

When you submit each response, TCT Portal automatically handles each item based on a set of preconfigured instructions.

For example, your questionnaire might include the question: Is this client a service provider? Yes/No

If you select YES, typically nothing would change in the system. However, you could choose to configure the Portal to drop in a specific report text for those items, so that you don’t have to type that text yourself.

If you select NO, TCT Portal automatically finds and selects all of the compliance requirements that are relevant only to service providers. It then sets all of those items to “Not Applicable” and enters default report text that explains why each item is not applicable (e.g., “This item is N/A because the organization is not a service provider.”).

Depending on how you’ve configured the Scoping Tool, TCT Portal can also automatically move those descoped items forward in the workflow — for example, to QA. There’s no need to ever touch those items, because the system does it for you automatically.

Faster, Easier QA

One of the biggest pains for QA teams is the element of consistency across engagements. If your firm has 15 QSAs and 50 clients, the amount of variability across the spectrum of engagements is enormous. Different Assessors will make different declarations for the same scenario, creating more work for QA. 

But with TCT’s Scoping Tool, the declaration is already preconfigured. Better yet, involving your QA team in the definition of the scoping questionnaire will ensure their approval, and assurance of what they expect for these items. QA’s work becomes more streamlined, far more consistent across engagements, and virtually eliminates the opportunity to miss an Assessor’s error.

How to Get the Most Out of the Scoping Tool

Follow these best practices to get the most value from TCT’s Scoping Tool.

Use your reporting outputs and CSV exports as starting points when configuring your questions. Your previous engagements are a great source of potential scoping questions.

Whenever possible, use questions that will allow you to reduce the scope of your engagements. This will save you an incredible amount of time.

Make sure questionnaire builders are collaborating closely with your QA personnel as they write the questions to determine approved actions and report text. Your QA personnel have plenty of lessons learned that will be invaluable to lean on.

Set up a testing instance of your Scoping Tool before rolling it out to your live environment, so you can review it thoroughly before applying it to your clients’ engagements.

What Customers Are Saying

TCT Portal’s Scoping Tool is being released in a few days, but we’re hearing a lot of excitement from customers as they preview this new capability. They see a lot of use cases for it, and they’re anticipating the positive impact it will have on streamlining their assessments. 

We’ve received many comments saying users are thrilled about the opportunity for TCT to help optimize yet another cumbersome aspect of client engagements. Our customers are expecting to save a ton of time, and they’re excited to get their hands on it.

Start Scoping Now

The scoping capability is available to all TCT customers. Just contact us with a request to enable the functionality and we’ll give you a quick demo.

TCT leads the compliance industry with tools that make compliance management suck less. We’re continually introducing new innovations that streamline the workflow and free up teams to accomplish more with less effort. If there’s something you want to see in TCT Portal, let us know!