Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: A Happy Assessor Means a Quick and Easy Annual Assessment


Quick Take

On this episode of Compliance Unfiltered, Adam gives the listeners an inside track on how to make annual compliance assessments as smooth as possible. Don’t worry, you’re not alone, most organizations have some work to do when it comes time for their annual assessments.

Adam walks through key elements of this yearly challenge, like the value of a consultant, pre-assessment assessor relations, the value of a compliance management tool, and much more!

All on this episode of Compliance Unfiltered!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the compliance sweet tea to your perfect summertime afternoon, Mr. Adam Goslin. How the heck are you, sir? I’m doing good, Todd. How are you? I can’t complain. I’m feeling pretty happy, and as a matter of fact, today we’re going to talk about why a happy assessor needs a quick and easy annual assessment.

So, in what circumstances do folks subject to compliance typically enter their annual assessment? Well, you know, getting through compliance is overwhelming in and of itself, but, you know, your annual assessment, that’s just stressful as hell. You know, the weeks leading up to the audit, the team is feeling very much under the gun to get everything done, finalized, wrapped up with a bow. You know, the team has probably been working overtime at that point in the game, probably for months, type of a thing, and the team’s basically walking into the engagement already kind of running on fumes, if you will. You know, during the assessment itself, you feel like you’re under a microscope for whatever duration it is, days, typically. And if it turns out that you’re not 100% prepared, then you get the joy of finding yourself in the hot seat with the assessor and trying to figure things out on the fly. The biggest problem is you don’t know how it’s going to go until you’re right in the middle of it. How cool would it be to confidently walk into the annual engagement with the assessor and know that everything’s going to go smooth, it’s going to be pleasant, no bumps in the road and all that fun stuff. When it comes to being able to breeze through your assessor engagement and keep that assessor happy, there’s several things that have got to come together, if you will.

Yeah, I can definitely see that. Why is having your own compliance consultant helpful? Well, for many organizations, if your organization hasn’t worked with a third-party consultant for compliance, I would strongly recommend that they get that help as part of the normal compliance operations. What I found is that it’s very, very rare for an organization to have somebody in-house that already has all of the requisite knowledge and experience to walk into one of these engagements with an assessor and have it come off seamlessly.
It’s a very rare occurrence that that happens. I’ve known a great many organizations that, I’ve used the expression in various ways over the years, whatever. You happen to be the poor soul that was the last one to sit when the music stopped, that type of thing. The bottom line is that they’ll typically nominate somebody in IT because they figure, oh, there’s an IT thing, and nominate them to act as the internal audit function. That approach is a gamble at best, and sometimes it implodes because the IT employee typically doesn’t possess the depth or breadth of experience to navigate one of these engagements and get through all the complexities of a compliance engagement and do it well in that broad-scope spectrum. You need somebody that can be a mentor, that has all of the requisite knowledge and experience, that’s used to wrangling one of these types of engagements. It’s a lot tougher than many people realize. You don’t know what you don’t know, right? You don’t have everything on track. You’re simultaneously multitasking with, in some cases, hundreds of different items across maybe dozens of different internal stakeholders, type of a deal. Having somebody that can walk into that arena that’s been there before, that can also hold the team accountable, that knows the kind of dangers that lie ahead.
You know, it’s a huge, huge benefit. The typical internal employee, they’re going to do their best, but boy, is it going to be amazingly rough round one. And I don’t say this being kind of diminutive toward the poor soul that gets nominated. And the reason I say that is that that’s the way that I walked into the security and compliance space, was basically being the last one to sit when the music stopped and being nominated to go get an organization through compliance when I’d never done it before, nor had the experience. And so I’ve experienced this firsthand. That was a good couple decades ago at this point in the game. You know, good compliance consultants, they’re battle tested. They’ve been through a bunch of different scenarios.

You got to remember that these people, they’ve done engagements across a broad spectrum of industries. They’ve done engagements across a broad spectrum of kind of implementation styles. So in some cases, it’s companies that are hosting their own stuff on their own servers at their own facilities. Sometimes it’s a colo facility they’ll go put their things in. Sometimes it’s a self-managed cloud environment. Sometimes it’s in a public cloud environment, and they’ve seen all of these various scenarios, different companies, etc. So they’ve got the backdrop of experience they can then bring to the table and be able to really streamline. They have a great potential for streamlining time that you would otherwise spend internally, just trying to figure things out, and you’re doing it without that. The compliance consultants know how to get your organization ready for that assessor so that the engagement is going to go as uneventfully as possible. The other added bonus is if you aren’t in a position where you need an assessor or you haven’t yet chosen an assessor, it’s very likely that your consultant can either fulfill an internal audit function or find somebody that can be really good to work with. They can answer most of your questions, etc., and that means that you can ask those questions kind of in a safe space where you can be completely open with the consultant, where there may be things you don’t necessarily want to expose to the assessor, if you will, while you’re trying to figure things out internally. It’ll make the assessor uneasy, if you will, as you go through that process. You don’t want to be trying to get the attention of the assessor and peppering them with basic questions. It’s just a really inefficient way to go about heading down that path.

Most assuredly. Now, why should companies engage with an assessor well before it? Well, I am a huge proponent of getting the assessor on board, connecting with them early, et cetera. Keeping in mind the bulk of the time before your compliance assessment is going to be spent with your consultant. But it doesn’t mean that you shouldn’t engage that assessor beforehand. Instead, I would connect with them at a high level very early on, well before your actual assessment. And the reason being that that initial onboarding gives the assessor a basic understanding of the organization, what you do, how you function, things along those lines. It also helps to set expectations. Make sure that the assessor has all of the basics and basic information that they need. It enables the assessor to answer questions more specifically and provide better direction through the process. It also means that the better your assessor understands your company in advance of the actual assessment, then the smoother it’s going to go. It allows the assessor to get on the same page around the approach for the assessment, streamlining some of their future concerns about how or why things were done in a particular manner. Certainly as you’re going through the preparation work, if you will, you’ll also gain a really clear understanding of the expectations of the assessor. What is it that they’re looking for? You know, taking in any directional guidance they may have for you and your team early on. Certainly when you come up against certain compliance requirements, which, you know, maybe there’s some variability in how you go about getting that particular requirement addressed, that’s where, at the end of the day, the assessor is the one that has to sign off on this. Right? So, you know, kind of get it working with your consultant to kind of fully vet out your approach for resolution, and be having the ability to breeze it by your assessor as you’re in the process of prepping up for the annual assessment. It just means that you are getting their input early on, they’re feeling like they’re part of the process. Yeah, there’s no surprises. The last thing you want to find out is in the middle of the assessment the assessor says, well, you did that wrong. You know what I mean, right? That’s what you’re trying to avoid. So what you want is you want to be able to get them a part of the process, kind of as they’re going through it. You know, it’ll give them a much stronger sense of, kind of, assurance as they go through, as you’re going through that prep for the assessment.

Well, how does really being make a difference? Well, you know, your consultant can certainly help with validating the preparation that you’re doing for the compliance assessment, so that you’re not passing garbage up to your assessor. There’s nothing that is going to cause you more pain than when you’re either handing up wrong evidence or handing up incomplete evidence, type of a deal. I mean, you want high quality deliverables to both impress and smooth the assessment process. It’s important to get it right as you’re going through your compliance process.

You want to walk into that annual assessment. You want everything buttoned up for that assessor, all the ducks in a row, being able to put your fingers on pieces of evidence right away so you can go show the assessor. We’ve done some prior pods talking about organizations that are basically sitting at the table with the assessor and they ask for fill-in-the-blank and everybody’s looking at each other and struggling to find things. Your goal is that you want to be able to go into that block of time with the assessor and be confident that we don’t have any holes in our evidence coverage. We don’t have any unpleasant surprises that we could forecast, etc. You don’t want to get blindsided right while you’re sitting in front of your assessor. It’s just a horrifying feeling. As the date for the engagement is approaching, you’ll need to make sure you get on the same page with the assessor, understanding, re-familiarizing yourself with their process. What do they want? When do they want it? How do they want it? Etc. And just remember, you aren’t getting assessed for just a handful of requirements. There are hundreds of line items on a typical assessment, depending on which compliance standard you’re going up against. Every single line item at the end of the day needs to have connected evidence and appropriate evidence, and the assessor’s got to be able to go through it. It’s a far stronger position. You know, go walk in completely ready to rock and just knock it out of the park.

Tell us how the right compliance management tooling can come into play for organizations out of it. Well, you know, we talked about basically being really ready for that audit. And the best way to do that is to have all those ducks in a row. Use the right technology solution for managing your compliance engagement. You know, there’s many organizations that are using spreadsheets or some type of a SharePoint to kind of get things organized. But those tools are clunky. They’re inefficient. They’re unreliable when you’re trying to locate things on a moment’s notice. Instead of organizing all of your evidence, they actually introduce chaos when you’ve got to show your assessor that you’re on top of everything. The big difference here is that compliance management tooling is specifically designed to streamline your engagement and keep everything really well organized. The systems will make a huge difference in running your annual assessment. You’ve got everything right there, everything at your fingertips. Evidence is connected to everything. You’re able to migrate the evidence straight up to your assessor. You’re able to link the same element of evidence across a plethora of various controls and requirements without redundant copies, et cetera.

Normally, the assessor is going to mentally prepare themselves for multi-day on-site visits. Maybe it’s three, four days, type of a thing, as a typical on-site. In many cases, it takes that long because they expect to deal with multiple delays through the process, and people aren’t prepared and they can’t find their evidence and run into scheduling issues end to end. The more the assessor is tripping across issues, then the more that they’re going to feel the need to ratchet up their evaluations and inspections and go on and request additional evidence.

What’s it like when you see an assessor’s demeanor change like that? It’s not fun. When you realize that, oh gosh, we dropped the ball on this and we couldn’t put our fingers on that. You can literally kind of sense that demeanor change from the assessor. I’d say most assessors, as they walk into that kind of annual, especially when they’re walking into it with organizations they haven’t worked with for a decade, type of a thing, even if they’re two or three years in, I would qualify the general feel of the assessor as cautiously optimistic, you know, would probably be a good way to put it. However, you can almost like turn a dial as you start hitting these roadblocks, and you watch them transition from cautiously optimistic to somewhat pessimistic, if you will. That’s where they start digging more, right? I mean, you’ve got to remember, the assessor is not there to just go in, check a bunch of boxes and rubber stamp this thing. At the end of the day, they’re putting their name on the line. Right? They are testing and signing off that, yes, this company is meeting these various requirements for this particular standard or certification. So it’s their name on the line, it’s their license on the line, it’s their livelihood on the line. So the less at ease they feel, the more they’re going to start digging in and asking for additional things and wanting to dig deeper. And the more painful the experience becomes for the target organization.

You just imagine the difference between the wheels on the cart starting to wobble and the cart slowly teetering off the edge of the cliff, type of thing. Instead of that feel, just imagine you’re sitting there with the assessor and on a moment’s notice I can pull up whatever document it is that they want. I can search for things within your compliance repository. They’ve asked you some fill-in-the-blank question. You can just say to them, which requirement number is it that you are asking in regards to? And they say, well, you know, 8.2 point whatever. And so then you, in your compliance management system, can go straight to 8.2 point whatever and you’ve already got the evidence sitting right there. It is so much easier to go through this process, and the assessor sees it, you know. They see it when they walk in, they can see this kind of organization that the company has done. They can see that they’ve done their homework. They can see that they put a measure of care into what they’re walking into. It gives them peace of mind. They aren’t going to find a lot of unpleasant surprises every time they ask a question, etc. And if every time that the assessor is kind of asking you the oddball question and you’re able to facilitate it expediently, it doesn’t give them that kind of urge to just continue to dig deeper because they feel uneasy about it. So the easier you can make that engagement on the assessor, the more favorably, in the grand scheme of things, it’s going to go. That makes total sense.

Parting shots and thoughts for the folks this week, Adam? Well, going through the annual compliance assessment, it’s kind of like going to a dentist for a scheduled checkup. You know, if you’ve been brushing and flossing well every day, then you can go walk in knowing that you’ve done the legwork and have a higher level of confidence everything’s going to go fine. You know, if you don’t have your act together, you haven’t done your homework, you aren’t organized as you’re walking in, you’re using worn out tools for caring for your teeth, then you’re going to walk into that appointment and you’re going to be worrying about what are they going to find? What are they going to have? How many cavities do I have this time, doc? And it’s sure to be a long, painful visit with the dentist as they uncover issue after issue after issue that requires painful remediation. So, in the same sense, if you follow the best practices to keep your assessor happy, make them happy and keep them happy, you can go into that annual assessment and feel confident that it’s going to go well. It’s going to go smoothly. You know, I’ve experienced firsthand, in my earlier days, organizations trying to manage this stuff manually and then moving into a far more organized approach to the annual assessment.

And I have literally witnessed, for a single client over the course of years of enhancements, etc., going from a three to four day style onsite to, in my mind’s eye, the assessor kind of struggling to justify being there for a day and a half, type of a thing. Realistically, if everybody’s just hauling ass, they could peel it out in a day, type of a thing. It makes a freaking huge difference when you’ve got it all ready to rock, buttoned up and all of that fun stuff.

As you’re going into that annual assessment, it makes an absolutely enormous difference. And the best part is that with that level of organization for your compliance management program, now you’re ensuring that you’re practicing appropriate security hygiene, doing what you’re supposed to be doing when you’re supposed to be doing it. Those activities are the activities that are going to actively protect your organization from a bad actor on a daily basis. I’ve said it before, there’s a lot of organizations that kind of lean heavily on “they won’t find us” or “well, we have cyber liability insurance” or whatever it may be. And I just implore those organizations, if you would just do the things you’re supposed to be doing anyway, then that would be a far better shield for the company than the holy moly emergency parachute that some of those other either wishful or emergency tools, like your cyber liability insurance, should be. Yeah, you want to be in a good place. You want to actively protect the company. That’s kind of the whole point of this exercise, if you will.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
