Does anyone have experience standing up a central organization that is responsible for resolving findings from audits? I am tasked with intaking findings from audits, organizing remediation projects/programs/teams to remediate those findings and track remediation to completion.
Agree with what others have stated. You need to understand Enterprise Risk Tolerance and address issues that go beyond that by the most significant margin in risk to the company. They may manage in numerous ways, such as remediating, transferring risk, etc. Look at the COSO Framework, which is within SOC, ISO, and HITRUST to a small degree. NIST Risk Framework and others are built around COSO. Their 2023 Fraud Guidance was recently released. Link to their FREE documents: Guidance (coso.org)
Thank you, Rebecca, but the link doesn't work. It could be my VPN so I will try again later.
Sorry about that, maybe it's the way they have the domain set up. This one works.
https://www.coso.org/SitePages/Guidance.aspx
This isn't a project planning issue, but more of a business priority understanding. You need to make sure you have the mandate so the areas with identified audit issues will correctly prioritize the work. Any business area will prioritize normal business delivery over any compliance issue unless it is seen as a company mandate to do so. You will be prioritizing business delivery with remediation work. Understanding the real costs of the issue and the remediation is crucial.
Audits will have multiple findings based on the area of audit done.
Prioritize based on business-critical and customer-facing applications, data criticality, and reputation-impact findings.
You may follow the typical Findings Remediation process:
1. Identify the findings
2. Understand the findings
3. Determine the root cause
4. Develop an action plan that the auditors agree to, so the action plan is on the right track
5. Implement corrective measures
6. Monitor progress
7. Validate effectiveness
8. Document and communicate
9. Continuous improvement/Follow-up audits
Others have already supplied great advice. I'll add a tip that is very relevant when those who are doing the remediation do not report to you and you have little to no influence on their performance reviews. Ensure that the action takers, those doing the remediation, have goals tied measurably to remediation in the HR system that will be used to evaluate their performance and pay raises. Likewise for their leadership. If their pay raise and performance are not tied to specific remediation measurables, and you don't control their performance ratings, you will not get anything done.