Hitesh – a Certified Information Systems Auditor (CISA), ISO 27001 Lead Auditor, GDPR & HIPAA Assessor – has handled a number of ISO audit projects for companies large and small, across continents. Yet, across the board, he finds the challenges are the same.

Since 2019, Hitesh has led the infosec audit team at CertPro, given the explosion of interest in securing cyber ecosystems. “Security compliance is something more and more companies are looking to do – not only to protect their own interests,” he remarks. In fact, building an efficient, streamlined audit process is a mission Hitesh is personally committed to. Yet, traditional methods and manners leave little room for improvement.

“Audits demand human effort. Even though we are given all the framework documents ahead of the audit, they still don’t suffice. We still have to take the time to check if the controls and processes are working as said. And if the evidence is distributed across different teams – getting it all together is time-consuming, to say the least”

Compliance automation, the game changer

When Hitesh first came across compliance automation, he almost snubbed it as another fad. “Couple of years back, if you told any auditor that software can help you get compliant and audited – you’d be laughed off,” he says. “It’s almost unimaginable to conceive compliance implementation and audit without human effort,” he adds.

One of his biggest apprehensions was related to the integrity of the audit evidence itself. Traditionally, auditors were (and still are) required to sift through control evidence manually to verify them. On-site visits, manual reviews, and in-person interviews with key functional stakeholders are how auditors typically evaluate and validate evidence. “As an auditor, I was not sure how compliance automation can do this better,” notes Hitesh.

When he was introduced to Sprinto, Hitesh’s position turned almost immediately. What gave him confidence was the platform’s ability to continuously monitor and validate controls.

“Because information and technology systems are connected to Sprinto, the platform is keeping a check on whether the controls are working or not – continuously. This fundamentally removes the need for us to do a detailed check on each of the controls because everything is available in a single view,” Hitesh points out.

“Sprinto opened our eyes to what technology can do for compliance and audits. It’s a game changer!”

Building a leaner, faster audit process

Pre-pandemic, audit process, for Hitesh, involved a great deal of time spent on in-person interviews and scanning documentation. “This is mainly because organizations, especially the large ones, hosted servers in-house. That added layers to the audit process.” 

Post-pandemic, he has seen a fundamental shift in the way businesses operate. “In the last 2 years, most companies have moved to the cloud. They realize that they cannot sustain a business just off in-house servers. Of course, cloud-hosted businesses have their own unique set of risks,” he notes.

Since the new remote auditing directives have been issued by ISO, auditors have a lot more flexibility in achieving audit objectives. However, auditors are still required to give due consideration to risks and opportunities and define decision criteria for remote audits. “For auditors, there is the client on one side and certifying bodies on the other. We have to satisfy the demands of both,” Hitesh notes.

With a compliance automation tool, Hitesh finds remote auditing is more clear-cut. “With end-to-end control mapping, visibility into their status, and on-platform management reviews, it is possible to move fast with audits,” he indicates.

Using the evidence collected by Sprinto, Hitesh and his team have completed security compliance audits – ISO in particular – without one-on-one interviews with stakeholders and internal audit teams.

“Earlier we had to capture screenshots of interviewing people but that’s not happening anymore because the tool is taking care of it and we just show the dashboard as is,” Hitesh remarks. “The tool clearly showcases evidence in a way that is acceptable to certification bodies, this helps us compile our audit reports with ease,” he exclaims.

Recently, CertPro started offering audit support for compliances other than ISO, including SOC2, GDPR, and HIPAA, in partnership with Sprinto. “Now even the accreditation bodies have started seeing value in compliance automation. Especially in the USA.”

Since using Sprinto, Hitesh finds CertPro’s audit machinery has gotten more efficient. Instead of spending 3-5 months – on implementation and audit – CertPro is able to complete audits in a week.

“With Sprinto, clients’ framework implementation is done in a matter of days. The rest moves easily thereafter,” he notes. “In fact, recently we completed an ISO 27001 audit for a 14-entity business that used Sprinto in 3 days!”

“Sprinto is not just a tool to take care of compliance. In effect, it can help you scale. Because with compliance concerns off your head, you are free to focus on building your business.”