
Compliance Management

Compliance is either a state of being in accordance with established guidelines, specifications, or legislation or the process of becoming so. Software, for example, may be developed in compliance with specifications created by some standards body and may be distributed in compliance with the vendor's licensing agreement.

There is a common thread running through quality assurance, Privacy Act compliance, and company policy implementation. They all take their starting point as a document - internal or external - and use it to determine the actions of people within the organisation.

All of these are forms of 'compliance management': ensuring that the actions of a set of people comply with a set of rules.

There are two compliance management models that you can use to ensure this:
  1. The ten commandments model: publish the set of rules, and punish people who transgress them.
  2. The quality management model: publish an intermediate set of policies and procedures which comply with the rules, and ensure that people follow the policies and procedures.

Compliance Management Standard
The 'ten commandments' model works well where there is a simple set of rules that everyone can understand. It breaks down completely where there is a complex set of rules (such as ISO9001, or the Privacy Act) which need interpretation, or are just too large to memorise or access.

The quality management model is widely used, and is actually specified by regimes such as AQTF, ISO9001, and the Financial Services Reform Act. However, each of these regimes looks at the model in the context of the implementation of a single set of rules (AQTF, ISO9001, etc). The problem facing most organisations now is that they have to cope with more than one set of rules.

Who is this relevant to?
Many organisations have ISO9001 certification, and in fact we'll assume for the rest of this article that the organisations we're dealing with either have ISO9001 certification, or intend to get it, or have something equivalent.

On top of that, all organisations have to comply with the law. The Privacy Act is just the latest in a long line of legislation aimed at the actions of organisations. The Trade Practices Act has been around for a while, and is every bit as binding as the Privacy Act (and, if anything, more complex). There are numerous pieces of legislation covering the operation of companies.

Many industries have their own codes of practice or other sets of rules. Registered Training Organisations have to comply with AQTF standards. Companies that manufacture medical goods have to comply with TGA's GMP code.

In short, every organisation in the country has to comply with multiple, overlapping sets of codes, requirements and laws.

The purpose of this article is to ask the question: how do you extend an ISO9001 system so that it becomes a general-purpose compliance management system, which allows you to track and comply with any number of laws and codes?

Standards and legislation register
ISO9001 is replaced with a register (really, just a list) of the various codes, legislation and standards that the organisation has to comply with.

Compliance Management Features & Benefits
Evaluate the effective design and operation of your internal controls, and respond to issues of non-compliance with remediation or waivers.

Tailor the Solution to Your Unique Processes
Archer Compliance Management provides a best-practice approach for automating enterprise compliance initiatives, assessing deficiencies and managing the remediation process. Your organization can implement the solution out of the box, or you can tailor it to accommodate your unique compliance management methodology. Archer’s access control features enable you to control entitlements to each piece of information collected and managed in the system. You can also fully customize user input forms, adding custom data elements and modifying the solution workflow as needed.

Document Your Control Framework
The Archer Compliance Management solution enables you to import your existing control framework, control activities and test plans and reuse this information in future assessment periods. Through Archer’s secure, version-controlled environment, you can modify your control documentation and cycle it through the approval process using integrated workflow functionality.

Employ a Risk-Based Scoping Process
To determine which controls need to be tested during a given assessment period, Archer enables you to easily configure risk-based scoping at the business unit, account or regulation level using a top-down and bottom-up approach. For example, if you are testing controls for Sarbanes-Oxley compliance, Archer’s solution allows you to evaluate the criticality of general ledger accounts based on quantitative and qualitative measures. Once the account evaluation is complete, the decisions are automatically rolled down to the process and control level, allowing you to determine an efficient and effective testing program.

Manage Assessments
Archer’s questionnaire capabilities allow you to deploy continuous, automated assessments and certifications. Using a centralized Question Library housed within the Compliance Management solution, you can generate new questionnaires in a matter of minutes, or you can copy an existing questionnaire to build upon previous assessment periods. To facilitate control self-assessments, Archer enables you to inform testers of their tasks via rules-driven email notifications and “My Tasks” lists. You can also execute the test plans you manage within the solution. In addition, the Archer Data Feed Service enables you to integrate data from multiple scanning tools within your Archer environment, giving you a consolidated view into automated control testing processes.

Identify Deficiencies and Manage Resolution
The Archer Compliance Management solution automatically generates deficiencies based on failures noted within test results. These deficiencies are related to controls, operating entities, and the applicable policies, regulations and risks, enabling quick and powerful reporting. Through Archer, you can also manage the resolution of a deficiency by tracking remediation tasks and creating exception requests that identify effective compensating controls.

Monitor the Status of Compliance Initiatives
Archer’s dashboard interface allows you to view the status of compliance-related work quickly and easily. You can reference a graphical, consolidated picture of compliance efforts and remediation processes, and with a simple click of the mouse, you can expose the details of any area or activity. Archer Compliance Management provides a simple ad hoc reporting interface that allows you to deliver status and alert-type reports to users via email or to export the reports in a number of formats.

Integrate with Other Archer Solutions
To gain a complete and holistic view of your risk and compliance landscape, you can leverage the power of the Archer SmartSuite Framework to deploy Archer Compliance Management with other Archer solutions, including Policy, Threat, Asset, Risk, Incident and Vendor Management. These complementary solutions provide additional intelligence to support your enterprise business processes, risk management goals and compliance objectives.

Please ask for quotation