Project leadership gets PCI and SOX audits back on track


Kalles Group stepped in to manage a global fashion retailer’s PCI and SOX audits after their Compliance Manager left the company. Not only did Kalles Group ensure the audits were successfully completed, the team also improved reporting and organized requirements to start on the path from point-in-time audit to continuous compliance.



In the midst of the client’s annual Payment Card Industry (PCI) and Sarbanes-Oxley (SOX) audits, their Compliance Manager left the company. The PCI audit alone involved the coordination of more than 100 tasks across six separate teams, and both the internal and external SOX audits were also in progress. With deadlines approaching and the team thinly stretched, the client reached out to their trusted advisor, Kalles Group, for help organizing and completing the PCI audit.


Kalles Group initially took on the PCI audit tasks, while other client team members primarily continued on the SOX audits. Kalles Group began with the client’s existing task checklist, which had become unwieldy due to the volume of tasks and the method of organization. As a result, the client’s management teams were having a difficult time seeing where the PCI audit really stood. Kalles Group added features to the checklist to provide management with a summarized view of the project, including:

  • A graphical representation of overall task status
  • A team scorecard showing task counts by team/status and flagging overdue items
  • Autogenerated views of outstanding tasks for each team

Kalles Group also redesigned the weekly project dashboard to be more easily maintainable and visually useful. Kalles Group adapted these PCI management tools to also accommodate SOX tasks to track SOX status more easily.

Kalles Group assumed responsibility for communication with the PCI Qualified Security Assessor (QSA). One challenge of conducting a PCI audit during COVID-19 was that the pandemic significantly complicated the schedule of “onsite” visits. Typically, the QSA conducts a condensed onsite visit, where they can talk with stakeholders as frequently as needed. Instead, Kalles Group needed to coordinate roughly 50 remote meetings and audit walkthroughs with various teams. Kalles Group tracked the scheduling and maintained a cross-referenced list of meetings, QSA agenda items, and requirements to manage the process.

Additionally, Kalles Group proactively looked for ways to streamline and standardize both the PCI and SOX processes for future audits. The client planned to implement a compliance management tool within the next couple of years, so Kalles Group focused on where they could organize the process, both to define requirements for the upcoming tool implementation and to more efficiently conduct audits until the implementation could be completed.


Kalles Group’s project management ensured that the audits were successfully completed. Kalles Group was able to quickly assess the current state of the audits, bring the tasks under control with various teams, and provide visibility to leadership on status and remaining work. This helped free up the rest of the client’s teams to work on additional compliance initiatives. It also gave the client’s leadership peace of mind regarding the status of audit tasks.

By clearly mapping tasks to controls, Kalles Group enabled the client to quickly assemble evidence and interviews for future audit cycles. This mapping created the foundation for defining a common control structure, implementing a compliance tool, and moving the organization toward continuous compliance.
