Security and compliance auditors have a lot of plates to keep spinning. You’re collecting evidence from multiple members of the client team, collaborating with other internal auditing team members, keeping track of records, managing files, entering data into spreadsheets and generating reports. All while keeping an eye on the daily changing status of an engagement. If a client goes rogue or your team members miscommunicate, it can throw a wrench into the project and create extra work and major headaches. Especially as the report deadline nears.
Online Business Systems (Online) is no stranger to auditing challenges. Online is an information technology and business consultancy that helps enterprise customers improve their business processes. In addition to technology and business consulting, Online provides advanced solutions in information security, customer experience, and service management. Their clients represent a broad range of sectors, including finance, retail, hospitality, healthcare, energy, and agribusiness.
We spoke with Online principal consultant Sherri Collis about her experience navigating PCI assessment challenges, to learn how the Online team has mastered its audit processes. Here’s what she told us.
Navigating the Auditing Challenges
TCT: Tell me about your role at Online.
Sherri Collis: I’m a principal consultant for Online Business Systems. I am primarily in the PCI practice, although I’ve done some ISO 27001, Trusted Advisor Consulting, NIST 800-53, and GDPR. My role as our company’s primary contact with TCT is to get us a tool that works for our team so that we can do PCI, 27001, 800-53, or GDPR assessments and manage the process more easily.
TCT: What are the biggest challenges for most auditors?
SC: You’re using one set of tools to gather evidence and manually inputting everything into another tool—like Excel—and you don’t have good reporting. You go to a client site and do a lot of different interviews, and you’re capturing evidence and information, and you don’t have a tool that then produces a report.
You may have two or three people doing an assessment for a large client. Each of you is taking notes in OneNote or Word or in a spreadsheet. Then you combine them all and try to keep everything together and keep everybody updated on current information and the status of the client—all of those things are extremely difficult.
I’ve done reports in excess of 500 pages, so having a tool that lets your team collaborate and do reporting is extremely helpful. But some assessors are doing it with Excel, and that presents its own challenges.
TCT: What’s wrong with Excel?
SC: Excel doesn’t let you generate the reporting you need when you’re done with your process. It’s a lot of manual work, and it’s difficult to share the data among assessors without duplication and missed notes. Once the assessment is completed, with Excel, you have to manually take the client’s information from the spreadsheet to enter and format it into the required Word report.
TCT: How has TCT Portal helped you to do your job?
SC: TCT has been such a lifesaver for us, because it’s a huge timesaver. Our job is extremely complex, and we’re not accustomed to having any kind of a tool that will produce the report that we have to create. With TCT, I can collaborate on an engagement with other team members with one tool that we’re all able to use simultaneously. I can check the client status and know where we are in the process. TCT Portal also lets us push things back and forth between people working the account, including having the client work with us in the tool.
With TCT, once you enter all the information, you click a button and it generates the report of compliance that you have to provide to your clients and to the governing body. Multiple people can contribute to the same report. When you’re done, you click a button and you’ve got the report generated for you.
I just recently did a merchant assessment for a top Fortune company, and we had to do it without TCT. I was reminded how difficult it is to perform an assessment without any automation. I’ve had clients with 1100 documents as part of the assessment. Imagine having to type 1100 filenames. With TCT, you don’t have to do any of that.
And most importantly, when we need new functionality, the responsiveness of TCT is like having a developer on your team. They have such amazing customer service. I’ve worked with them throughout the evening, and even had responses from them at 10 or 11 o’clock at night.
TCT: Any advice to other auditors?
SC: Once you start using TCT Portal, you don’t want to use anything else, because it’s so easy. It provides capabilities that Word and Excel don’t have. If I were a merchant or service provider, I would ask my assessors to use TCT Portal and put our information into the tool. Because it would be really handy for any person who is managing compliance to be able to use the tool.
TCT: Thanks for your time, Sherri!
Quit Spinning So Many Plates!
Struggling to keep all your plates spinning? There really is a better way. TCT helps streamline the compliance management process, so you can focus on providing your expertise—not wasting time spinning plates and performing manual processes.