As I mentioned in the RSCA Methodology overview, there are many tools on the market to help you perform tracking and reporting for regulatory compliance. I strongly suggest you invest in one of these tools and share it with your Internal Audit, SOx Audit and IT Compliance organizations. Having a single source for your tracking and reporting needs saves a great deal of time, and will cut down on the miscommunications between these organizations.
Most audit software companies have tools that will track all these data types and more. They also provide multi-user authenticated signon where project leaders and managers who own actions plans can update their the status of their assigned remediation items directly.
If however, your organization simply cannot afford these tools, you can perform the tracking and reporting through a manual process using MS Excel spreadsheets. If that’s the method you chose, there are specific data types to keep track of. Continue reading →
The Risk, Security & Compliance Assessment (RSCA) approach is used to evaluate the current state of security and compliance activities for SOx remediation initiatives. RSCA is a three-step methodology that covers Planning and Data Collection, Risk and Security Assessment, and Tracking and Reporting.
Each organization has their own Audit process to define the scope of an audit, the methodology for implementing that audit and how findings are reported. When findings fall into the realm of GRC, they should be handed off to a RSCA team for tracking and oversight for remediation.
See my IT Governance section for more information about IT Audit, and Governance, Risk Management & Compliance (GRC) and Risk, Security & Compliance Assessments (RSCA). Continue reading →
The RSCA approach is used to evaluate the current state of Security and Compliance activities for SOx remediation within a business. RSCA is a three-step methodology designed to manage and provide oversight for business risk and compliance. But keep in mind that neither SOx nor RSCA are designed to eliminate all risk. They are designed to ensure risks are known and either corrected or accepted.
To that end, RSCA addresses your companies governance through:
Planning and Data Collection
Risk and Security Assessment
Tracking and Reporting
These steps have been implemented at many large corporations facing large remediation initiatives. But it’s a method that can be easily scaled to any size business. These steps help to ensure both your business and IT processes are being adhered to, identifies gaps or risks that need to be resolved, tracks those resolution efforts and provides a method of reporting through each chain of command necessary for Governance, Risk Management and Compliance (GRC) Assessments.
See my IT Governance section for more information about IT Audit, and Governance, Risk Management & Compliance (GRC) and Risk, Security & Compliance Assessments (RSCA).