Compliance assurance

A few days ago I wrote about the debatable promises made by online training vendors stating that passing an online multiple choice test upon completion of a short awareness course not only demonstrated competence, but even demonstrates a firm’s compliance.

Assessing compliance is done through ‘auditing’ staff behaviour at the sharp end of the business. There are many ways to do this. But something quite disturbing is happening. With the compliance industry evolving there seems to be an ever increasing desire to automate everything. Whereas everyone really knew, deep down, that passing an online AML test does not really demonstrate competence, the vendors on the fringes of the industry, possibly did believe this. Now we have a massive GRC industry that gets bigger and bigger. In itself this is great, but the promises are getting more and more bizarre.

For example, there are very clever policy management systems, that track exactly who has access to which policies, when did these people last read them....hang on, last read them?? No, it tracks when they last opened the document and clicked on ‘understood’. What it does is provide you with documented evidence that a member of staff opened the policy and chose to state that he or she understood the policy, regardless of the truthfulness of this statement, and regardless of a desire to live by the objectives of said policy. Whether or not staff behaves in line with your systems, controls, policies and procedures still needs checking, testing and reviewing or you still risk not having any adequate controls whatsoever.