How CertPro unlocked greater audit efficiency with Sprinto
Infosec compliance and audits are notoriously time-consuming. From setting up a compliance program to completing an audit – it can take as long as 6 months. “And this is assuming you have collected the right evidence against your framework,” remarks Hitesh Mittal, director of CertPro – a Bangalore-based global consortium of auditors, implementers, consultants, and associates. Since its founding in 2012, CertPro has committed itself to streamlining compliance audits for modern companies.
[Figure: Time spent by auditors to complete security audits]
Hitesh – a Certified Information Systems Auditor (CISA), ISO 27001 Lead Auditor, GDPR & HIPAA Assessor – has handled a number of ISO audit projects for companies large and small, across continents. Yet, across the board, he finds the challenges are the same.
“No matter your size, you need to implement an airtight compliance program, collect high-quality evidence, and parse through each control and policy document to make sure you are doing things as per the directives set by the accrediting bodies and the standards themselves.”
Hitesh Mittal, Director & Principal Auditor at CertPro
Since 2019, Hitesh has led the infosec audit team at CertPro, a team that grew out of the explosion of interest in securing cyber ecosystems. “Security compliance is something more and more companies are looking to do – not only to protect their own interests,” he remarks. In fact, building an efficient, streamlined audit process is a mission Hitesh is personally committed to. Yet, traditional methods leave little room for improvement.
“Audits demand human effort. Even though we are given all the framework documents ahead of the audit, they still don’t suffice. We still have to take the time to check if the controls and processes are working as said. And if the evidence is distributed across different teams – getting it all together is time-consuming, to say the least.”
Compliance automation, the game changer
When Hitesh first came across compliance automation, he almost dismissed it as another fad. “A couple of years back, if you told any auditor that software can help you get compliant and audited – you’d be laughed off,” he says. “It’s almost unimaginable to conceive compliance implementation and audit without human effort,” he adds.
One of his biggest apprehensions was related to the integrity of the audit evidence itself. Traditionally, auditors were (and still are) required to sift through control evidence manually to verify it. On-site visits, manual reviews, and in-person interviews with key functional stakeholders are how auditors typically evaluate and validate evidence. “As an auditor, I was not sure how compliance automation can do this better,” notes Hitesh.
When he was introduced to Sprinto, Hitesh’s position turned almost immediately. What gave him confidence was the platform’s ability to continuously monitor and validate controls.
“Because information and technology systems are connected to Sprinto, the platform is keeping a check on whether the controls are working or not – continuously. This fundamentally removes the need for us to do a detailed check on each of the controls because everything is available in a single view,” Hitesh points out.
“Sprinto opened our eyes to what technology can do for compliance and audits. It’s a game changer!”
Building a leaner, faster audit process
Pre-pandemic, the audit process for Hitesh involved a great deal of time spent on in-person interviews and scanning documentation. “This is mainly because organizations, especially the large ones, hosted servers in-house. That added layers to the audit process.”
Post-pandemic, he has seen a fundamental shift in the way businesses operate. “In the last 2 years, most companies have moved to the cloud. They realize that they cannot sustain a business just off in-house servers. Of course, cloud-hosted businesses have their own unique set of risks,” he notes.
Since the new remote auditing directives have been issued by ISO, auditors have a lot more flexibility in achieving audit objectives. However, auditors are still required to give due consideration to risks and opportunities and define decision criteria for remote audits. “For auditors, there is the client on one side and certifying bodies on the other. We have to satisfy the demands of both,” Hitesh notes.
With a compliance automation tool, Hitesh finds remote auditing is more clear-cut. “With end-to-end control mapping, visibility into their status, and on-platform management reviews, it is possible to move fast with audits,” he indicates.
Using the evidence collected by Sprinto, Hitesh and his team have completed security compliance audits – ISO in particular – without one-on-one interviews with stakeholders and internal audit teams.
“Earlier we had to capture screenshots of interviewing people, but that’s not happening anymore because the tool is taking care of it and we just show the dashboard as is,” Hitesh remarks. “The tool clearly showcases evidence in a way that is acceptable to certification bodies; this helps us compile our audit reports with ease,” he exclaims.
Recently, CertPro started offering audit support for compliance frameworks other than ISO, including SOC 2, GDPR, and HIPAA, in partnership with Sprinto. “Now even the accreditation bodies have started seeing value in compliance automation. Especially in the USA.”
Since using Sprinto, Hitesh finds CertPro’s audit machinery has gotten more efficient. Instead of spending 3-5 months – on implementation and audit – CertPro is able to complete audits in a week.
“With Sprinto, clients’ framework implementation is done in a matter of days. The rest moves easily thereafter,” he notes. “In fact, recently we completed an ISO 27001 audit for a 14-entity business that used Sprinto in 3 days!”
“Sprinto is not just a tool to take care of compliance. In effect, it can help you scale. Because with compliance concerns off your head, you are free to focus on building your business.”