Figuring out compliance is overwhelming, but the annual assessment is stressful as hell. For weeks leading up to the compliance audit, you’re under the gun to get all your items finalized and wrapped up with a bow. You’ve probably been working overtime for months straight, and you enter the engagement running on fumes.
During the compliance assessment itself, you’re under a microscope for days. If it turns out that you weren’t 100 percent prepared, you could find yourself in the hotseat with your Assessor. But you won’t know for sure until that moment happens.
What if you could confidently walk into your annual engagement with your Assessor, knowing it was going to go smoothly and pleasantly?
When it comes to breezing through the Assessor engagement, several things need to come together. Get these right and you’ll have a happy Assessor who makes your annual compliance audits much easier to endure.
Hire a Compliance Consultant
If your organization hasn’t worked with third-party Consultants on compliance, I would strongly recommend that you get help as part of your normal compliance operations. It’s extremely rare for an organization to have someone in-house with all of the requisite knowledge and experience to walk into an engagement with an Assessor and pull it off.
I’ve known many organizations that tried to rely on IT personnel to act as the internal audit function for the company. Such an approach is a gamble at best and sometimes implodes, since the IT employee typically doesn’t possess the depth or breadth of experience to navigate an organization through the complexities of a compliance engagement.
You need someone who can be a mentor that possesses the requisite knowledge and experience, someone who can hold your team accountable, and someone who knows what dangers lie ahead. An internal employee typically won’t have those capabilities.
Good compliance consultants are battle tested. They’ve been through every scenario you can imagine. And they know how to get your organization ready for the Assessor so that the engagement goes as uneventfully as possible.
As a bonus, if you don’t already have an Assessor, a Consultant can fulfill an internal audit function and can also help you find an Assessor who is great to work with. A Consultant can also answer most of your day-to-day questions, so you don’t need to continually pepper your Assessor with basic ones.
Engage with Your Assessor Before the Assessment
The bulk of your time before the compliance assessment will be spent with your Consultant, but that doesn’t mean that you shouldn’t engage the Assessor at all beforehand. Instead, connect with your Assessor at a high level early on, well before the actual assessment.
An initial onboarding will give them a basic understanding of your organization — what you do and how you function. This helps to set expectations and to make sure that they have all of the basic information they need. It also enables them to answer any questions more specifically and provide better direction as needed.
The better your Assessor understands your company before the assessment, the smoother it will go. Early engagement also ensures the Assessor is on the same page about how the assessment will be approached, and heads off later questions about how or why the organization addressed certain requirements in a particular manner.
Be 100 Percent Ready for the Assessor
Your consultant can help validate all of your preparation for the compliance assessment so that you don’t end up passing garbage up to the Assessor. You want to send a high-quality deliverable that will impress your Assessor.
It’s important to get this part right as you go through the compliance process. You want to walk into the engagement having everything all buttoned up for the Assessor. All your ducks should be in a row. You should be able to put your finger on any piece of evidence instantly and show it to your Assessor.
Your goal should be to go into your time with the Assessor confident that you won’t have any holes in evidence coverage or other unpleasant surprises that blindside you while you’re sitting right in front of them.
As the date for the engagement approaches, you’ll need to get on the same page with the Assessor. Be sure you understand their process — what needs to happen, when, and in what order.
Remember that you aren’t being assessed on just a few requirements, but on hundreds of line items. Each line item needs to be submitted with the appropriate evidence, and the Assessor has to review all of it. So walk in completely ready to blow their socks off.
Use the Right Compliance Management System
The best way to be prepared and have all your ducks in a row is to use the right technology solution to manage your compliance engagement.
Most organizations use spreadsheets or a SharePoint site to keep everything organized. Those kinds of tools are clunky, inefficient, and unreliable when you need to locate a file at a moment’s notice. Instead of organizing your evidence, they introduce chaos at the exact moment you need to show your Assessor that you’re on top of everything.
On the other hand, compliance management tools are specifically designed to streamline your compliance engagement and keep it highly organized. These systems make an enormous difference in the running of your annual assessment. Everything is at your fingertips and you continually communicate to the Assessor that you’re a company that has its act together.
Normally, an Assessor will steel themselves for a multi-day on-site visit — as many as three or four days. It takes that long, because they expect to deal with multiple delays throughout the visit: people not being prepared, struggling to find evidence, running into scheduling issues, and more.
Unfortunately, the more the Assessor trips across issues, the more they feel they need to ratchet up their inspections and requests for additional evidence. Basically, the less at ease they feel, the more they feel the need to dig and the more painful the experience becomes for your organization.
Imagine the impression you’ll give your Assessor when you can pull up any random document at a moment’s notice. That kind of organization shows your Assessor that you’ve done your homework and you have your act together. And it gives them peace of mind that they aren’t going to find tons of unpleasant surprises every time they start digging around.
The easier you can make the engagement on your Assessor, the more favorably it will go for you.
Compliance Confidence You Can Count On
Going through your annual compliance assessment can be a bit like going to the dentist for a scheduled checkup. If you brush and floss well every day, you can go into that appointment with a much higher level of confidence that it will go smoothly and quickly.
Neglect your daily routine, or use worn out tools to care for your teeth, and you’ll approach your scheduled appointment with fear and trepidation. It’s sure to be a long, painful visit and your dentist is likely to find problems that will require painful remediation.
In the same way, if you follow these best practices to make your Assessor happy, you’ll be able to go into your annual audit feeling confident about a quick and easy visit. Best of all, you’ll be practicing the kind of daily security hygiene that actively protects your company from bad actors, not just once a year at audit time.