You know the drill: It's audit time and the entire security and compliance team drops what they're doing to dive head first into collecting, organizing, and submitting evidence to prove that security protocols have been followed for the last 12 months.
Evidence collection tasks are mundane and exhausting. It’s like if a really sad scavenger hunt met and married whatever data job Peter had in the movie Office Space. Audit time is high stress, and for many B2B SaaS organizations, it doesn't happen just once a year. If you're managing multiple frameworks, this chaos can occur once a quarter or more frequently.
Although collecting evidence is mundane and exhausting, it’s critical to passing an audit and proving compliance. If you can’t prove compliance, you can’t build trust with your prospects and customers. Ultimately, evidence is what enables you to be trustworthy.
When a compliance manager has to take four days of vacation just to recuperate after overseeing evidence collection for one audit (true story), it’s high time to invest in processes, tools, and automation to lighten the load. It’s exhausting sprinting non-stop for three weeks while playing “Go Fish” with an auditor—and doing it four times a year.
The Basics of Evidence Collection
Evidence collection is the process of creating artifacts that prove the effectiveness of a given internal control and give auditors confidence that the company is compliant. Artifacts can include proof of everything from employee background checks and security training to user access and security reviews.
Each security framework has a unique set of requirements, which means that some evidence applies to many frameworks and some evidence is collected only for one framework. Chasing down all the proper evidentiary artifacts is a time-consuming, manual process.
The Challenges of Evidence Collection
Compliance professionals face many common challenges when it comes to organizing, storing, and retrieving evidence.
- Managing back-and-forth communication between GRC and other teams to determine what evidence is required and how to successfully retrieve it.
- Collecting evidence from dozens of sources (third-party vendors, internal teams, various SaaS platforms, spreadsheets, etc.) spread throughout the company.
- Since processes are manual and painstaking, evidence collection is often done less frequently than it should be.
- Varying degrees of auditability in different third-party tools and being at the mercy of external vendors for evidence availability.
- Repurposing evidence efforts across security frameworks when each one has slightly different reporting requirements.
- Tracing and capturing evidence of remediation events to show the full story of the fixes.
- Reporting on the status of collection, available artifacts, and gaps in evidence.
Organizations growing and scaling their GRC activities need to have evidence collection processes and procedures that grow and scale as well.
Take user access reviews, for example. When you have 10 employees and a handful of SaaS tools, user access reviews are painful but possible. However, when you have 100 employees and 100 SaaS tools to audit, user access reviews become unmanageable.
Here’s some back-of-napkin math to show just how quickly a task like user access reviews can get out of control: 100 employees with accounts across 100 SaaS tools is up to 100 × 100 = 10,000 user-to-application entitlements, and each one has to be checked every review cycle.
Every company is different, but it’s likely fair to say that most B2B SaaS companies don’t have the time (or people or patience) to run 10,000 user access reviews monthly. And that’s just one type of evidence. By leveraging evidence collection automation and proactive processes, companies can ace evidence collection and level up their compliance maturity. Let’s talk about practical advice to get you there.
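To make the automation concrete, here is an added example (not code from the original post or from Aptible) of what an automated user access review looks like at the evidence-collection layer. It reconciles each application's user export against the HR roster, flags the three classic findings (accounts with no HR record, terminated employees still active, and roles that a role-to-app policy does not permit), and packages the result as a timestamped, SHA-256-sealed artifact so that the quality check described under Level 4 maturity can be run later. The roster, application exports, and role policy are all constructed sample data; the function names and the JSON layout of the artifact are this example's own choices, not a standard.

```python
"""Automated user access review that emits a hash-sealed evidence artifact.

All rosters, exports and the role policy below are constructed sample data
for illustration only (hypothetical people, hypothetical apps).
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed HR roster: the source of truth for who is employed and in what role.
HR_ROSTER = {
    "alice@example.com": {"status": "active", "role": "engineer"},
    "bob@example.com": {"status": "active", "role": "sales"},
    "carol@example.com": {"status": "terminated", "role": "engineer"},
}

# Constructed user exports as you might pull them from each SaaS tool's API.
APP_EXPORTS = {
    "github": [
        {"email": "alice@example.com", "admin": True},
        {"email": "Carol@example.com", "admin": False},        # terminated in HR
        {"email": "contractor@other.example", "admin": False},  # no HR record
    ],
    "crm": [
        {"email": "bob@example.com", "admin": True},
        {"email": "alice@example.com", "admin": True},          # engineer in a sales tool
    ],
}

# Hypothetical least-privilege policy: which HR roles may hold an account in each app.
ROLE_POLICY = {
    "github": {"engineer"},
    "crm": {"sales"},
}


def review_app(app, users, roster, policy):
    """Return one finding per account in `users` that fails the review."""
    findings = []
    for u in users:
        email = u["email"].strip().lower()   # normalise so HR and app exports match
        person = roster.get(email)
        if person is None:
            issue = "not_in_hr"                 # orphan or untracked external account
        elif person["status"] != "active":
            issue = "terminated_still_active"   # offboarding gap
        elif person["role"] not in policy.get(app, set()):
            issue = "role_not_permitted"        # least-privilege violation
        else:
            continue                            # account is expected; no finding
        findings.append({"app": app, "email": email, "issue": issue,
                         "admin": bool(u.get("admin", False))})
    return findings


def run_review(exports=APP_EXPORTS, roster=HR_ROSTER, policy=ROLE_POLICY):
    """Review every application export in a deterministic (sorted) order."""
    findings = []
    for app, users in sorted(exports.items()):
        findings.extend(review_app(app, users, roster, policy))
    return findings


def _canonical(body):
    # Canonical JSON: sorted keys, no whitespace, so the hash is reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(exports=APP_EXPORTS, roster=HR_ROSTER, policy=ROLE_POLICY, when=None):
    """Package the review as a self-describing artifact sealed with SHA-256."""
    when = when or datetime.now(timezone.utc)
    body = {
        "control": "user-access-review",
        "reviewed_at": when.isoformat(),
        "scope": {app: len(users) for app, users in sorted(exports.items())},
        "findings": run_review(exports, roster, policy),
    }
    return {"body": body, "sha256": hashlib.sha256(_canonical(body)).hexdigest()}


def verify_evidence(artifact):
    """Quality check: recompute the hash and confirm the artifact was not altered."""
    return hashlib.sha256(_canonical(artifact["body"])).hexdigest() == artifact["sha256"]


if __name__ == "__main__":
    artifact = build_evidence()
    print(json.dumps(artifact, indent=2))
    print("integrity ok:", verify_evidence(artifact))
```

The hash only proves that the artifact matches what was produced at review time; to make that meaningful to an auditor, record the digest somewhere the review script cannot rewrite (a ticket, a write-once bucket, or your GRC platform) at the moment the artifact is generated. The remaining manual work is the part that should stay manual: a manager attesting to each finding's remediation, which is exactly the trail Level 4 organizations track alongside the artifact.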
Evidence Collection Maturity Model
Evidence collection processes and procedures, as well as the team and tools used to manage them, must evolve with the organization. Organizations have the opportunity to level up and streamline evidence collection, making it easier to prove the implementation of their controls.
Evidence Collection at Level 1 of Maturity
Organizations at Level 1 of evidence collection maturity are the definition of “reactive.” Evidence is collected only when requested from auditors, and it’s often a game of hide-and-go-seek to find artifacts. Often, whoever is assigned the responsibility of passing an audit will start down the path of tracking down documentation, sometimes for the first time.
Evidence Collection at Level 2 of Maturity
Companies at Level 2 of evidence collection maturity typically have been through audits before and have created processes around how they collect artifacts to satisfy compliance documentation requirements. However, collection is still entirely manual, and often the work is compounded as the company experiences growth, adds additional frameworks, or uses new systems that introduce new evidentiary requirements.
Evidence Collection at Level 3 of Maturity
Organizations that have reached Level 3 of evidence collection maturity have established processes, checklists, and team collaboration that ease the process of evidence collection. Low-value, high-cost evidence collection activities have been automated, while more complex controls like user access reviews are still manual and time consuming.
At Level 3, some companies consider using engineering resources to build homegrown integrations and automations. This is a build/buy decision: companies need to weigh the cost of purpose-built software and its implementation against the cost of an engineer, the opportunity cost of pulling resources away from customer-facing work, and the burden of long-term maintenance.
Evidence Collection at Level 4 of Maturity
At Level 4 of evidence collection, companies are intimately familiar with their control environments and understand the artifacts needed to prove their high level of security and compliance. Much of the evidence is collected automatically, with ongoing quality checks to maintain confidence in evidence fidelity. Even hard-to-automate evidence collection—like password policies, HR compliance, and mobile device management—is streamlined and simplified.
High maturity organizations have elegant, proactive evidence collection processes in place that minimize surprises. Remediations are tracked, completed quickly, and reportable. Their smart GRC platform provides a single source of truth and evidence collection mainly relies on automated tools and processes, not people performing manual tasks.
How to Reach Evidence Collection Maturity
Identify where your organization falls, from Level 1 to Level 4, in evidence collection. Based on your current status, here are steps you can take to level up.
Evidence collection is a baseline compliance issue for every B2B SaaS company. Maintaining security standards and meeting (or exceeding) compliance framework standards requires continuous collection of proof of performance.
Aptible Comply is a customer trust platform that helps B2B SaaS teams automate compliance work, including the routine work of evidence collection.
To learn more about Aptible Comply and how it can help you as you level up your evidence collection maturity, you can check out this on-demand webinar or click here to sign up for a free trial of Aptible Comply's Audit module, which gives you step-by-step guidance on how to get audit ready in hours rather than weeks.
If you'd like a PDF copy of this guide to automating evidence collection, submit your email on this page and we'll email you your copy.