Compliance Metrics

Hi All,

I am interested to know how many of you have defined and are monitoring compliance metrics. How do you present these metrics to top management?

I would also be interested in the dashboards which you present to your top management. Kindly share your experience.

Regards,

Bala Ramanan

Comments

RE: Compliance Metrics

This comment has been deleted by the administrator
SandyFadale at 4/15/2012 10:57:03 PM

RE: Compliance Metrics

I am interested in creating a Compliance Catalogue and am looking for a template to get started. One focus area would be internal compliance and the other would be external compliance.
jr1957 at 7/17/2012 11:48:09 AM

RE: Compliance Metrics

This comment has been deleted by the administrator
Dorina Hamzo at 9/6/2012 8:56:10 PM

RE: Compliance Metrics

Hi Bala,

Recently, in our group, we had to develop the audit reporting metric process.
I am not sure if you are still looking for metrics. If you are, here are some ideas. These metrics are being reported to senior management on a quarterly basis via PowerPoint presentation.

Efficient execution of the audit plan and individual audits:
• Percentage completion of the Audit Plan
• Completion of audits within the standard time budgets

Work paper completion:
• Audit to be completed within 6 weeks of Announcement letter and final report issued within 8 weeks
• Work papers completed and audit closed within 2 weeks of CAE’s issuance of final report

Auditors' time appropriately charged to audit projects:
• Goal of XX% of time charged to audits for directors
• Goal of XX% of time charged to audits for specified Managers and
• Goal of XX% of time charged to audits for all other staff

Allocation of audit time (Planning – 25%, Fieldwork – 55%, Report writing – 20%)

Staff Development and training:
• All staff to complete 40 hours of training to be tracked through time reporting in XXX tool
• Encourage certification process
• Track participation in e-learning opportunities

Good luck!

Dorina

Dorina Hamzo at 9/6/2012 9:26:01 PM

RE: Compliance Metrics

Thanks for the response Dorina.

I was wondering whether you have defined compliance categories like Security compliance, Statutory Compliance, Policy compliance etc. In fact, I have developed a framework which is as below.

1. Compile the requirements for which compliance needs to be demonstrated. This includes information security, business continuity, operational, contractual, statutory, financial and regulatory requirements.
2. The Excel sheet is then sent to the respective custodians for their response.
3. Any non-conformance shall have a remediation plan.
4. We have categorized the gaps into High, Medium and Low. The maximum timeline to implement the proposed remediation plan is pre-defined for High, Medium and Low entities.
5. The status of the remediation plans is monitored and reported on a weekly basis.
6. The executive management is updated on a monthly basis.
7. The framework provides a compliance rating for every function / process custodian and the RAG (Red, Amber, Green) report reflects the same.

The metrics we currently look at are:

1. No. of gaps identified per function / process custodian
2. No. of remediation actions closed on time
3. No. of remediation actions delayed
4. Financial impact, if any, for any violation (in $)
5. No. of policies defined / modified / removed
6. No. of employees trained / No. of awareness programs delivered

Well, this is how we do it. Any recommendations?

Regards,

Bala Ramanan
Bala Ramanan at 9/7/2012 12:18:34 AM

RE: Compliance Metrics

Hi Bala,

It looks like these are finding-related metrics. They seem reasonable and in line with what I have experienced. On the reporting side, in my organization, we decided not to report medium and low findings (amber and green) to the audit committee since they are lower impact. However, business owners will still have to remediate them.

Dorina

Dorina Hamzo at 9/7/2012 8:27:51 AM