Ask the Expert: What are ways we can balance / reduce the workload of the various audit and compliance exercises?

Michael DeLoach, Solution Consultant at Iceberg Networks and Mitch Blackburn, Global Head of Energy & Utilities Industry Solutions at ServiceNow discuss how organizations within the energy industry can balance the workload associated with audit and compliance exercises. The following is an edited transcript of the conversation.

Mitch Blackburn: As we talked about in the prior question, digitization and embedding the controls into the normal work process has some additional benefits when we talk about how we respond to the audit/compliance exercises. Now that the data is part of the day-to-day work, it is spread over time and over more people, so the burden of the audit exercises gets lower. As we move into the ongoing efforts, not only does this give us real-time capability, but we can snatch any point in time and say this is our audit evidence for this month, or the first quarter, or the annual reports that we need to do. It also gives us the ability to have continuous improvement as we find audit opportunities throughout that exercise.

Michael DeLoach: Yeah, I would agree with that. Really, the number one way to balance or reduce workload is to strive to be audit-ready at all times, on a continual basis. To get there, organizations should be performing internal audits on a periodic basis. Doing so would lessen the burden associated with preparing for external audits. In the case of NERC compliance, specifically NERC-CIP, I can tell you it can be a rather Herculean task to get ready for one of those audits. Being really audit-ready on an ongoing basis is the key, and having systems that support that is very important.
