Compliance Assurance Framework

It has been our experience that simply fixing the identified issue will not necessarily address the actual problem. It has been our longstanding practice to perform a root cause analysis as part of our standard methodology. Utilizing this framework, our goal is not only to correct the immediate issue identified, but rather to determine the underlying cause of the problem and address it at that level. Our experience has found that in doing so, the chance of the same vulnerability manifesting itself again is greatly reduced.

NXTKey’s proprietary “Compliance Assurance Framework” was used to develop the External Audit Corrective Action Plan (CAP) methodology framework that NXTKey implemented and that has been in place at DOJ since 2008. This framework, which has been implemented at a number of DOJ components, allows an organization to take the recommendations provided by the Inspector General auditors and initiate a series of coordinated activities that completely address not only the symptomatic issues identified by the assessors, but more importantly the underlying root and contributing causes which led to the weaknesses. We recommend that this methodology be applied to support services to federal agencies in developing a proactive methodology to assess and strengthen internal IT controls and to rapidly and effectively respond to, and resolve, findings from the annual Federal Information System Controls Audit Manual (FISCAM) and Federal Information Security Management Act (FISMA) audits of federal agencies. Additionally, once FISCAM/FISMA audit findings are resolved through our CAP process, we want to assist organizations in adopting the framework for Continuous Improvement Projects (CIPs), which address known areas of weakness that may have been overlooked by the auditors.

The framework is instrumental in the development of written responses to the auditors’ Notification of Findings and Recommendations (NFR), including government-approved concurrence or non-concurrence, immediate corrective actions, risk mitigations or compensating controls, and any necessary Plans of Action and Milestones (POAM).

Additionally, our framework is optimal when the contractor serves as an independent body that performs an overall assessment of IT controls for financial feeder and financial systems and recommends and validates corrective action for deficiencies. The contractor’s assigned personnel shall conduct, document, and provide an internal Audit Team report describing OCIO’s current compliance with FISCAM, FISMA, DOJ and other IT control standards and guidance. This document shall include an executive overview, a weighted assessment of compliance and associated risk, and recommendations to the OCIO to rectify any shortcomings or to develop improvements to IT controls. The NXTKey team will develop a metric program to measure the effectiveness of the CAPs and CIPs and ensure that the organization maintains focus on the weakness areas that are commonly identified by the auditors.

The CAP process is best implemented through the role of the audit liaison, who serves as the primary interface to the auditors on behalf of clients and the de facto project advisor on CAP and CIP projects. During the course of the audits, the audit liaison serves as the primary point of contact for the auditors, facilitating all Provided By Client (PBC) and walkthrough requests. Internally, the audit liaison will serve as a quality assurance reviewer to ensure that the auditors’ requests are delivered accurately, completely, and on time. During the course of the audit, the PBC audit requests are tracked and communicated to the organization’s leadership. As an added value, the NXTKey team will use its expertise to prepare client staff for audit interviews. We realize that many individuals are uncomfortable being the subject of an audit, and we think it’s advantageous to prepare the audit subject beforehand.

Finally, we need to increase audit awareness and education throughout the organization. Included in this awareness is having client staff become aware of the audit process and of how the assessment of internal controls occurs continuously throughout the year via the C&A activities, A-123 assessments, OCIO reviews, and the FISCAM and FISMA audits. Additionally, client staff will become familiar with the audit liaison support role as a year-round function encompassing the management of corrective action projects and the role of the internal assessors.

Contact NXTKey to have this implemented at your organization / agency.