How to Prioritize Audits and Certifications


Summary

Prioritizing audits and certifications means deciding which compliance checks and standards to focus on first, based on organizational risk, regulatory deadlines, and business needs. This process helps companies stay compliant, avoid legal issues, and manage resources without getting overwhelmed.

  • Assess risk first: Identify which areas pose the highest risks to your organization and focus audit resources on them before tackling lower-risk items.
  • Organize by urgency: Address regulations and certifications with immediate deadlines right away, and plan for those with upcoming transition periods or less strict timelines.
  • Streamline and automate: Use digital tools and harmonize audit evidence to reduce repetitive work, making it easier to manage multiple frameworks and stay on top of ongoing requirements.
Summarized by AI based on LinkedIn member posts
  • Mohamed Ghoniem, Assurance Partner

    Enhancing Internal Audit Programs through Risk-Based Auditing: A Strategic Approach

    Integrating Risk-Based Auditing (RBA) into internal audit programs enhances effectiveness and efficiency. Learn how to achieve this strategic approach:

    Understanding Risk-Based Auditing
    Risk-Based Auditing (RBA) identifies and assesses key risks to an organization's objectives, allocating resources to high-risk areas for more relevant and timely insights.

    Key Steps to Integrate RBA
    1. Understand the Organization: Understand the organization's objectives, strategies, and risk landscape by reviewing key documents and consulting with stakeholders to identify critical risk areas.
    2. Risk Assessment: Conduct a thorough risk assessment to identify and prioritize risks using tools like risk matrices and heat maps, forming the foundation of the RBA approach.
    3. Develop the Audit Plan: Develop a dynamic risk-based audit plan that aligns with the organization's risk profile, allowing for adjustments as risks evolve.
    4. Allocate Resources: Allocate audit resources based on the risk assessment, prioritizing high-risk areas and adjusting resource allocation accordingly.
    5. Coordinate with Other Assurance Providers: Collaborate with other assurance providers to avoid duplication and ensure comprehensive risk coverage.
    6. Communicate the Plan: Communicate the risk-based audit plan to stakeholders to gain support and understanding of audit focus and priorities.
    7. Continuous Monitoring and Updating: Regularly review and update the risk-based audit plan to reflect changes in the organization's risk environment and ensure ongoing effectiveness.

    Benefits of Risk-Based Auditing
    i. Enhanced Focus: RBA focuses on high-risk areas, addressing critical issues and leading to more impactful audit outcomes.
    ii. Proactive Risk Management: RBA promotes a proactive approach to risk management, helping organizations to anticipate and mitigate risks before they materialize.
    iii. Improved Resource Allocation: Efficient use of audit resources by focusing on the areas that matter most, thereby increasing the overall efficiency of the audit process.
    iv. Better Stakeholder Communication: Clear communication of the audit plan and its focus areas enhances transparency and builds trust with stakeholders.

    Conclusion
    Integrating Risk-Based Auditing into internal audit programs is not just a best practice but a necessity in today's dynamic business environment. It enables organizations to stay ahead of potential risks, ensuring robust risk management and sustained success.

  • Tibor Zechmeister, Founding Member & Head of Regulatory and Quality @ Flinn.ai | Notified Body Lead Auditor | Chair, RAPS Austria LNG | MedTech Entrepreneur | AI in MedTech • Regulatory Automation | MDR/IVDR • QMS • Risk Management

    The Influx of Regulatory Changes Can Be Overwhelming

    New standards, updated MDCGs, adapted regulations: 2024 has already brought a flood of changes. Keeping up with the MDR is challenging enough. Add these updates, and it's another layer of complexity. But ignoring them isn't an option:
    → Missing regulations leads to legal noncompliance.
    → Overlooking standards or guidance creates problems during audits.

    As a regulatory expert, time is limited. The solution? Prioritization. Here's my priority framework for managing incoming regulatory updates:

    → Regulations, Directives, or Laws with Immediate Effect
      ↳ These take effect immediately, leaving no room for delays.
      ↳ Noncompliance risks severe legal and business consequences.
      ↳ I read, analyze, and act on these right away.
    → Regulations, Directives, or Laws with a Transition Period
      ↳ These have set timelines before enforcement begins.
      ↳ Planning ahead ensures compliance within the required timeframe.
      ↳ I schedule these in my calendar for near-term action.
    → Harmonized Standards
      ↳ While there's no official deadline, 1 year after publication is best practice.
      ↳ Early review of changes helps assess the impact on existing processes.
      ↳ I prioritize medium-term planning and implementation.
    → MDCG Guidance Documents
      ↳ Not legally binding but heavily emphasized by auditors and reviewers.
      ↳ Implementation is expected within 6 months to align with industry norms.
      ↳ Standards take precedence, but these are tracked and scheduled.
    → Other Voluntary Standards and Guidance Documents
      ↳ These are optional but add valuable insights to regulatory strategies.
      ↳ Implementation is flexible and happens after other tasks are complete.
      ↳ I address these only when higher-priority items are finished.

    Think of this approach as a modified Eisenhower Matrix:
    → If it's important and urgent, act immediately.
    → If it's not urgent or important, address it only when time allows.

    This framework doesn't reduce the influx of updates. But it cuts the mental burden and boosts efficiency.

    P.S. What prioritization strategies do you use to manage regulatory updates?

    The MDR journey is challenging, but there are smart ways to streamline compliance with the right insights, tools, and guidance. I'm Tibor, passionate about helping you navigate the MDR with confidence! Let's connect and make regulatory affairs smoother for everybody.

  • Christian Hyatt, CEO & Co-Founder @ risk3sixty | Security, Compliance, and AI Built for CISOs

    Last week I spoke with a CISO looking for a GRC platform to manage SOC 2, ISO 27001, ISO 9001, CSA STAR, and PCI DSS. These are dream projects for me because there is such a huge opportunity for ROI.

    CURRENT PROGRAM & CHALLENGES
    - Today they have 2 audit firms: one for SOC 2/PCI/CSA and one for ISO 27001.
    - As a result they have two audit seasons and end up burning a lot of political capital with engineering teams and IT, asking for the same audit evidence 2x per year.
    - The audits drive all compliance activity and there is no visibility between audits.
    - The business has aggressive plans to acquire 1-2 companies a year and needs to be able to inherit and maintain new programs.

    WHAT WE ARE GOING TO DO
    1. Harmonize the program in fullCircle
    First we are going to harmonize all the frameworks and audit evidence in our platform fullCircle. This way they can slice and dice by framework, by control, by evidence, by owner, or however else they need to. This will enable gathering evidence once to meet requirements across multiple frameworks. They can also generate "audit packages" of evidence with a click of a button.
    2. Streamline audits
    Next, we need to work with the external auditor to create a single audit season, understand mapped evidence, and get buy-in on the strategy. The best audit firms we work with are great partners in pulling off this strategy while also doing a thorough, high-quality audit.
    3. Automate and continuous monitoring
    We also have to get the team to a place where they aren't pulling everything manually and they have some confidence things are running well between audits. First, we did this by automating a few big-ticket items, focusing mostly on their AWS and GCP instances (access, secure configs, etc.). Second, we set up a cadence of internal audit spot checks on a monthly basis for high-risk items.

    This will likely save the customer $1M and 1000+ hours a year of largely non-value-add work. That's a solid project.
