Is There Value in a Compliance Readiness Assessment?
If you’re a parent, you’ve likely had the debate in the car with your young kids—they want to stop for McDonalds and you tell them, “we’ve got food at home.” From their perspective, they want what they want, but from yours, you understand you’ve already made an investment in perfectly good food at the grocery store, and you’re not about to spend any more money that you don’t have to.
While we totally understand about the fast food, we think you should hear us out on a different kind of investment—one that may also be seen as unnecessary—the readiness assessment (RA).
You can opt for a readiness assessment ahead of several different compliance assessments—SOC, ISO, PCI DSS, FedRAMP. But many organizations, having been pushed by market demands or their customers to invest in compliance, believe they can jump right in, and that’s not always the best move.
Maybe you’re ready, maybe you’re not, but it could help to know for sure. As providers of a suite of compliance services for over two decades now—including readiness assessments—we’ve seen firsthand how our clients have benefited from doing an RA ahead of their audit.
We know that it potentially means paying more for this pre-assessment, but there’s more value in these than you might think. That’s why, in this article, we are going to lay out the four big benefits you can gain from investing in a readiness assessment, as well as what will happen during one and how you can prepare.
Maybe you really can “skip the stop at McDonald’s and just go home,” but after reading this, you’ll understand better if this investment is right for your organization.
What Is a Readiness Assessment?
For the uninitiated, you might be wondering what a readiness assessment even is. What happens during one?
Unlike the audit you will eventually undergo which has the objective of reporting on existing your controls, readiness assessments are designed to identify those controls that should be implemented or improved before an actual audit, as well as any gaps within your current control environment. Essentially, they’re available to you if you’d like to assess your preparedness and if you’d like to understand any shortcomings before they show up in your final audit report.
Performed well in advance of the audit, an RA typically involves conversations between your selected auditor with relevant personnel within your organization. There’s a mutual sharing of information before your auditors will then go on to test the controls you have in place.
Similar to the one you’ll get at the end of the service assessment, you’ll also get a report after the RA process is complete—it will contain a complete review of which controls would pass and which ones would fail.
4 Benefits of a Readiness Assessment
1. You’ll Establish Early Rapport Between Your Auditors and Your Team.
You can’t overstate the advantage of this. We understand the negative stereotypes surrounding audits and the burden they place on your internal personnel. That can often lead to more confrontation between organization and auditor, rather than collaboration.
A readiness assessment can provide a valuable opportunity to not only allow everyone to get into a more beneficial audit mindset but also for the two teams to gel their working styles better together before the heightened stress of the audit.
2. You and Your Auditor Gain Better Understanding.
In establishing that rapport during the readiness assessment, the conversations between your team and the auditors will also prove advantageous themselves. You’ll get to learn more about the standards and requirements you’re aiming to achieve and your assessors will gain an even better knowledge base of your environment, system, or services.
Plus, you’ll get everyone on the same page. If you work in an organization where some may not be fully bought into the idea of putting their time and effort into compliance, a readiness assessment can be useful in getting all your ducks in a row.
3. There’s an Opportunity to Review Gaps and Implement Controls.
Though a readiness assessment is not meant to provide the final results, it can still provide assurance to your organization internally. Given the significantly lower stakes, you shouldn’t hold back on pulling back the curtain, so to speak—take advantage of this less-pressurized situation and have candid discussions with your audit team regarding where your compliance stands.
If you feel like there are areas where the controls are insufficient, don’t hold back. One of the core objectives of the readiness assessment is to identify areas for improvement so that gaps are closed before your actual examination—if you know specifically where to look, you can implement any additional preventative security measures immediately (or at least, get the gears moving in the budget to accommodate this).
Better for a finding to turn up during an RA than during your audit where it will be officially noted and may require costly remediation that’s more of a surprise. Plus, it increases your chance of a favorable audit outcome when all is said and done. Consider it a trial run.
There’s also an added advantage in that your assessors—and their knowledge—will be in-house already. You’ll be able to leverage their experience and expertise as you fill in or strengthen any controls.
4. You’ll Get More Out of Your Audit.
To recap: though it is a less rigorous review, the RA provides an opportunity to align your teams, lay a solid foundation, and get pre-assessed means that when it comes time to pivot to your assessment, you’re already looking at a serious value-add.
That’s because you’ll spend less time:
- Worrying about any potential surprises that could erode the trust of your customers
- Chasing down evidence
- Squeezing in calendar time for your resources to be interviewed and recreating timelines when things need to be rearranged
We’re not saying that readiness guarantees audit success because things can and will happen, but getting audit ready sets you up well for two things:
- The Future:
- Having already been through a trial run, things in your assessment should progress at least a little more smoothly than had you not undergone an RA before, and that will give you more time to explore other options with your assessor.
- Maybe you only need the one assessment now, but you may need to expand beyond and with your process that much more streamlined, you’ll have more time to pick the brains of your audit team to see where your compliance journey might need to go next.
- Saving Audit Fees:
- Now we’ve likely got your attention, no? And it’s true—becoming assessment “ready” through an RA can help you avoid one of the biggest causes of audit overrun: insufficient documentation.
- When that happens, your assessors will be forced to either alter their methodology or delay timelines, both of which result in not only more fees but also a continued burden on your internal team. You’ll better avoid this possibility by investing in an RA.
How to Prepare for a Compliance Readiness Assessment
Knowing all that, you may be thinking that this strategic step is the right move for your organization. If that’s the case, there are a few things you should do. Even though a readiness assessment functions as a kind of preparatory period, you should still organize a few things before your assessors commence work:
- A brief knowledge of the standard you’re working towards: We mentioned how your conversations during the RA would involve this, but if you have at least a basic understanding, those discussions with your assessors will be more fruitful than if you came in cold.
- Documented policies, procedures, and processes: It may be that the RA reveals you have gaps in this area, but you should already have recordings of your cornerstones down, e.g., your information security policies and procedures, software development lifecycle (SDLC), etc.
Do You Need a Readiness Assessment?
Though mistakenly considered by many to be an optional first step, a readiness assessment can help you identify weaknesses in your processes and find gaps in your internal controls, among other things. Now you understand that this type of assessment is more valuable than you might’ve thought with four big advantages. It might even be healthy for your objectives, and that’s more than we can say for the cheeseburger and fries.
To learn more specifically about RAs as specific to different services, check out our other content here that can shed further light on the particulars:
About JORDAN HICKS
Jordan Hicks is the Manager of Content at Schellman. As the owner of content marketing initiatives across all digital platforms and formats, she is responsible for the ideation of content, the authoring and development of the content, as well as developing and managing the editorial calendar to ensure the marketing goals are met as it relates to content.