VComply Named a High Performer in the GRC Platform Category on the G2 Grid for Winter 2021
Dec 22, 2020

We are thrilled to announce that peer-to-peer business software review platform G2 has again placed VComply as a High Performer in the GRC Platform category in their Winter 2021 announcement. Organizations rely on research firms like G2 to help them analyze and compare business software products, and we are excited about the recognition.

We are thankful to our valued customers for this validation. We consider user feedback as a great technique to stay in close contact with our customers and get up to speed on improvements and provide value.

In case you missed it, here’s the score that our customers have given us:

  • More than 96% users gave VComply 4 or 5 stars
  • 95% users said they would recommend VComply
  • Majority of the users started just last year and found immediate value


Besides this, VComply also stands out in the following areas:

Ease of use

VComply received 8.7 score on a scale of 1-10 for ease of use, outranking many competitors in the GRC category and became a preferred choice for customers.

Quality of support

At VComply, we take great pride in serving our customers. We talk to our customers and help them find the quickest way to solve their problems. And the results speak for themselves! VComply received a score of 8.7 in the quality of support category.

Ease of setup

VComply scored 8.7 in the ease of setup category. VComply is intuitive and it is very easy to create an account on VComply. On an average, our customers have gone on-live in less than 2 weeks.

How did VComply reach the top spot?

At VComply, our goal is to make the easiest and the most useful GRC software for organizations. Ever since we started in 2019, we have adopted a customer-centric approach. We have made meaningful changes to our compliance, risk, and audit product range to meet the evolving requirements of our customers. Now, VComply helps teams across compliance, risks, audit, human resources, and legal in varied industry sectors to manage their individual responsibilities, while making it easier for leadership to coordinate organization wide compliance activities.

What customers speak about VComply?

It was simple, it was easy to engage with, and it had a little bit of light-heartedness as well as a very easy to use Dashboard and reports. With VComply, our teams can quickly and easily comply with responsibilities, and our ability to provide oversight across the agency, in one central location is achieved.

Way Forward 

We recognize that there is a lot of work ahead. And, we are committed to the vision of making the world’s most trusted GRC platform for our customers. We continue to add robust features and enhance existing features in our platform to help you strengthen the compliance and integrity of your organization.

Read our reviews here on G2!  

Devi Narayanan
5 steps to easy and effective policy communication
Jul 27, 2021

It is said that change is the only constant, and in the context of an organization, a crucial catalyst of change is policy. Company policies promote and sustain change, ensuring that new standards and ways of working trickle down to every level of the organization. Moving from policy to practice, however, demands strategic communication. You not only need to reach out to the right persons at the right time but want to get all aboard and rowing in synchrony.

Depending on the mediums used, policy communication can range from archaic to automated, and in today’s tech-driven work environment, most companies have some digital means of communicating their policies. However, creating awareness is just the starting point of policy communication. Awareness must lead to understanding and acceptance if workplace policies are to truly translate into practice and have a lasting impact on the organization. This is why it is wise, and sometimes necessary, to couple distribution with training. Likewise, to boost employee buy-in and promote transparency, it is advisable to inject a healthy dose of facetime into your policy communication ritual.

Having established that policy communication is more than bulletins and emails, take a look at 5 important elements of communicating a company policy.

Communication is dialogue

Priming your employees before a rollout of a new policy is a great way to gently usher in change. You could do this through anything from a news bulletin update to a series of desktop alerts. The goal is to give your employees time to:

  • Evaluate the impact of the policy
  • Understand the motives behind it
  • Prepare for change at the workplace

However, such ‘soft launches’ do not really constitute ‘communication’, which should ideally be a two-way street. Hence, the recommendation is for facetime, be it in the form of videoconferencing or group meetings. Here, transparency is king, with live meetings providing a platform for doubts to be cleared. Another upside to having meetings with team leaders, for instance, is that you also build a group of ‘policy champions’, strong advocates of the policy and the logic that undergirds it.

While such facetime is crucial before and during a policy rollout, dialogue also includes feedback, an element that occurs all through the lifecycle of the policy. In fact, while policy guides practice, it is practice that informs policy. Think, for instance, of a BYOD policy that is overly restrictive on access, permissions, and types of devices allowed. Implementing an effective BYOD policy may require some give and take if productivity isn’t to take a major hit. To reach such a compromise, while owning risks as they arise, there is a need for efficient feedback channels.

The medium is the message

Owing to the advancements of information technology, there are a variety of means of communicating a policy once it is written:

  • Displayed on a public noticeboard
  • Uploaded to the company intranet
  • Hosted on a gated section of the company website
  • Included in the company newsletter
  • Inserted into the employee handbook
  • Sent through email
  • Added to the policy manual
  • Conveyed via departmental/ global conferences
  • Shared through social media or productivity suites
  • Publishing policies on organization's policy portal

The best approach is a multi-media approach, wherein you pick and choose a mix of the communication tools at your disposal, depending on the importance of the policy. A policy that reflects changes in labor laws may find itself communicated through all of the above channels, whereas a remote work policy, affecting only a section of your workforce, may be better suited for targeted channels.

A tiered approach can generate positive results too. For instance:

  • Issuing a single-statement desktop alert through your internal communications platform
  • Sending out a quick, brief summary through email
  • Publishing policies on organization's policy portal

When picking from the different communication mediums, you need to consider questions like ‘who?’, ‘what?’ and ‘when?’. A policy meant for senior management only may call for business emails and a departmental meeting. Likewise, not every policy should find itself on a public noticeboard. Similarly, if you need to communicate a quick change in your remote work or leaves policy, you would not wait for your weekly newsletter to do its round. Finally, it makes sense to be consistent with your modes of delivering policies and policy updates. The danger is that tinkering too much with the delivery strategy can lead to employees missing crucial updates.

Train to succeed

For policy to translate into practice, policy communication must aid comprehension. This step of training employees can not only help you get your organization thinking alike but may also come in good stead should you need to furnish proof that your employee actually understands your policy during a legal tussle.

Workshops are a great option, but it may not be possible to facilitate long training meetings, especially if the impact of the policy is organization-wide. The attractive alternative is microlearning, which can happen in the form of online quizzes and games. The goal of policy communication training should be two-fold:

  • Equipping employees to practice the policy
  • Illustrating to employees what’s in it for them

Acceptance is crucial

Sometimes there is a level of opacity involved in policy communication. Even when emails are sent, they can get lost within a pile of other less-important messages. The best way, to avoid legal loopholes, is to have your employee read and attest to a policy. This can be done digitally using a policy management platform. Certain policies, which have frequent updates, may call for recurring acknowledgments. Having a platform that facilitates digital acknowledgment and acceptance can greatly minimize manual work.

Accessibility promotes change

Lastly, it is vital to store your policy in a place that is easy to find. Policies that should always be on people’s minds, like the anti-harassment policy that warrants a permanent place in communal areas. Your policies should go into a policy manual and certain audits may require you to furnish physical copies. Nevertheless, it is ideal to have a policy repository where your employees can access the policies easily.

For the greatest accessibility, ensure your online policy platform supports:

  • Easy to search
  • Policy updates notifications

Having considered these 5 important elements of policy communication, it’s easy to see how technology plays a key role in going from policy to practice. VComply’s Policy Management Software has inbuilt modules for effortless policy distribution, testing, and attestation. You can analyze policy understanding, establish policy checkpoints, restrict access to certain individuals, keep track of policy changes, set up real-time alerts, and more! In fact, you get all the tools you need for end-to-end policy lifecycle management. To explore all the benefits of VComply, book a demo today.

VComply Editorial Team
Read More
Simplifying Compliance Workflows with VComply
Jun 24, 2021

The consequences that come with being non-compliant is huge. Considering the stringent regulatory requirements, internationally agreed on industry standards, and the need for internal efficiencies, it is imperative that organizations are proactive about compliance. But, staying on track with changing laws, regulations, and standards is a tedious process. Compliance automation can help solve these complex problems - streamline business processes, automate routine tasks, generate arduous reports in seconds and most importantly… improve overall organizational efficiency.

VComply is a robust compliance management tool that automates compliance processes in an organization and goes further to offer integrated risk assessment and policy management programs. If you are looking to streamline your compliance processes, look no further than VComply.  VComply understands the varied compliance requirements of companies and is flexible enough to design the compliance workflows based on their requirements. The tool helps companies to:

  • Access compliance framework and industry-standard control sets from a centralized location
  • Delegate compliance tasks/internal controls to an employee or a team and use a workflow automation tool to monitor the progress.  
  • Store documents and ensure that document retention stays flawless for when auditors come knocking. Workflow automation minimizes the chances of human error and can also help simplify search during audits.
  • Associate a risk level to the responsibility that will be imposed on the organization if the responsibility does not get completed on time.
  • Gain insights on compliance performance, identify gaps,  and address them quickly

VComply’s compliance workflow streamlines the flow of crucial information and key compliance responsibilities. It reduces manual effort and input required from the compliance officers. Compliance oversight and coordination can also be challenging in such a system, but such complexities can be reduced with automation.

How to establish and delegate compliance responsibilities with VComply?

Once you define the scope of compliance programs, establish governance principles and compliance policies,  is simple to create and delegate compliance responsibilities with VComply. Stakeholders and teams get notified by e-mails, and they can work on the responsibilities to make sure that the organization is compliant with all the regulations. Establishing responsibility includes authorizing the power to execute certain actions to these individuals.

  1. Log in to VComply.
  2. Click on Compliance on the left navigation bar.  
  3. Click and select internal control/compliance responsibility from the pre-built framework. If you choose to create a new compliance responsibility, then you can create a compliance responsibility.
  4. Select a user or a group of users to whom you want to assign the responsibility. If you choose ALL SELECTED PERSONS TO COMPLETE THIS option, separate responsibilities will be created for each selected user. Otherwise, only one responsibility will be created.  
  5. In the WHEN field, enter the frequency and due date for the compliance responsibility.
    VComply supports many additional options to help you create and assign responsibilities and make your compliance programs effective.
  6. Click on ENTRUST.  

An email notification is sent to the user to whom the responsibility is entrusted. The stakeholder can complete the compliance tasks and update the details.

It is that simple to entrust a prebuilt internal control or a compliance obligation task to a  stakeholder and measure and monitor the compliance performance. The VComply compliance alert mechanism allows you to stay informed of your compliance responsibilities and automatically notifies of compliance status, completion status etc. Best of all, the compliance and risk management dashboards provide a complete overview of your compliance performance and helps you monitor compliance trends and anomalies.

Devi Narayanan
Read More
Best Practices for Remote Audits
Apr 22, 2021

A remote audit or virtual audit came as a boon to audit teams during the unprecedented covid 19 crisis. It is a method of conducting an audit remotely using technology. Just like an onsite audit, it covers interview with management and employees, verification of documents and reports.

What Are the Benefits of Remote Audits

Remote audit can be internal or external. It can be at any stage of the certification process, and can provide many advantages.

Improved Efficiency

Unlike the widespread belief that only onsite audits yield results, the remote audits can bring in plenty of advantages. It forces auditors to think out of the box and come up with creative resolution to critical issues. Remote audits can enable active participation from people with different skills and expertise, and helps analyze the issues and come to resolution cost effectively.

Flexible Approach

Remote audits allow auditors to interview a global network of employees with out travelling. It also helps them to remain on schedule even with travel restrictions. By using technology and effective tools, stakeholders can perform large amount of work asynchronously. It allows them to work in their space and increase the effectiveness of audit efforts.

Saves Cost and Time

Remote audits can be less costly. All the money associated with travelling and time saved can bring in significant cost reduction. Communication at the starting of audit, before or after also can also be recorded. It provides better visibility to the leadership teams and improve the quality of audits.

Conducting a Remote Audit

The remote audit is a dynamic process with auditors engage in technology to audit. The phases in audit processes are:

Establish an Audit Plan

Define the audit scope first. Then, develop a  remote audit plan. The  audit plan should cover the criteria, checkpoints that will be audited remotely, and the technology used during remote auditing. Once the methodology and approach is confirmed, schedule the audit date with the firm.

Conduct the Remote Audit

Conduct a kick-off meeting with the management explaining the procedures of the audit. Take a record of the opening session attendees, and identify if there is any changes in the audit plan after the initial meeting with the management.

The remote audit includes the review of internal controls, documents, evidence and proofs, and conducting remote interviews with employees. The proof, documents will be reviewed to support the findings. The team can conduct a closing meeting with the management and convey the findings. 


The audit team can create an audit report, also document the methodology and techniques used in the audit and report whether audit was effective in achieving its goals.

Role of Good Software in Remote Auditing 

Any type of audits involve review, analysis and evaluation of processes, documents, evidences, systems, and organizations. Auditors assess the accuracy, validity, reliability, verifiability and timeliness of information, as well as the sources and processes by which that information is obtained. An integrated software like VComply helps automate processes and workflows, conduct methodological audits, report incidents, and resolve issues promptly. Using VComply, it is easy to collaborate with stakeholders. It also keeps employees responsible for their obligations,  and facilities oversight in executing compliance obligations. Documents, and proofs are made available and accessible. It also provides powerful reports and intuitive dashboards to help auditors gain real-time insights into the organization’s compliance data and risk exposure.

Devi Narayanan
Read More
5 Questions to Ask When Choosing a GRC Platform
Apr 20, 2021

Governance, Risk and Compliance (GRC) management is an integral part of an organization's management strategy. Once the management identifies the benefit of adopting a GRC platform, the next question that comes up is that how to choose the best GRC platform suitable to your organization? Not all platforms are the same. The key is to set the right expectations and perform the due diligence before you choose your vendor. 


We have highlighted 5 questions you should ask your vendor:

Where Do You Host My Data?

Companies opting for SaaS applications are on the rise. It is vital to know where your vendor is hosting your data in times of data sovereignty and GDPR. If you are opting for a SaaS GRC platform, which is a great choice of organizations, including small and mid-tier companies, you need to ask your vendor where they are hosting your data. Your vendor is your data processing application, make sure that you choose the best vendor who host the data in a secure virtual server. VComply is hosted in cloud, and makes sure that your data is secure and compliant at all the times.

What Are the Features and Benefits the Vendor Offers?

Evaluate the features that the vendor offers. Compare the features with other vendors in the same price range. Analyze your organization's GRC goals, whether the proposed application provides a structured approach to achieve your organizational goal, minimize your risks, and manage your compliance requirements.

The basic features that you can look out for in a GRC platform are:

  • Centralized Internal Controls
  • Support for Future Frameworks and Standards
  • Workflow Automation
  • Scalability
  • Customizable Reports and Dashboard
  • Flexibility
  • Obligation Assignment

VComply is tailor-made to meet the demands of compliance professionals by helping them perform risk assessments and implement controls. It comes with built-in compliance frameworks that enables you to automate the implementation of compliance controls. VComply's workflow automation makes creating, assigning, and monitoring compliance responsibilities easier. It sends reminders to stakeholders who are entrusted to complete a responsibility. Automation can drastically improve compliance oversight, coordination, and collaboration.

How Easy is It to Use the Platform?

A GRC platform should be intuitive and easy to use. Many of the legacy applications available in the market are complex and pose difficulties in using. When there is a gap in the customers' expectations from a great GRC platform, it turns into bad UX costs. For example, if the user experience does not allow the user to create and assign a control quickly after a risk assessment, it fails the purpose of an effective GRC platform. Suppose the compliance team cannot collaborate on a document or a compliance obligation, or the leadership team do not get enough insights from the reports or dashboards. In that case, it can lead to wasted efforts, time, and frustration. In some cases, it can even add up to your tasks. Analyze the application based on these factors, and it should be easy for the platform to fit for your needs.

Compliance is considered an on-going process, and your tools should also embody that attribute. VComply evolves and proactively adapt to provide you enjoyable user experience. When it comes down to the nitty gritities of risk and compliance management, the dashboards and report should provide at-a glance information. The VComply suite is equipped to address this need and does so seamlessly to successful compliance efforts. 

Does the Platform Provide Integrated GRC ?

A modern and integrated GRC software can help predict and mitigate risks,  streamline compliance with regulations and the organization's policies. The flexibility to extend applications' capability to allow employees to access a policy library, upload compliance evidence, and proofs, and file and archive documents help to a great extent to avoid compliance mistakes and omissions.

VComply offers a federated approach to GRC wherein audit, risk, policy, and compliance management activities are integrated. A centralized view of risks, internal controls, and compliance responsibilities are available to the leadership teams. A holistic view of GRC is transformational.

What Does The Overall Onboarding Process Look Like?

More broadly than simply selecting a tool, consider how exactly the vendor plans to onboard you onto the platform. How long does it take to operationalize and reap benefits out of the GRC platform? First, identify your success criteria for implementing the system and convey it to your vendor and tie it with your onboarding process. It takes only 5 days to fully onboard with VComply. It is easy to set up VComply and set up organizational settings for managing your compliance and risk programs. The implementation team is with you at every step of the implementation process from kick-off, configuration, and workshops. VComply equips your team to shorten audit cycles and eliminate the cost of non-compliance meaningfully. By automating workflows, processes, and mapping of frameworks, VComply can generate faster ROI for you.

If you're looking for a better way to manage governance, risk, and compliance in your organization, take a look at GRC software by VComply.  VComply offers a complete GRC management solution to help you streamline everyday compliance processes with a centrally managed, cloud-hosted system.

Devi Narayanan
Read More
Why Are Internal Controls Critical for Your Organization?
Apr 13, 2021

Growth is something that organizations have their eyes fixed on. They are cautious of wasting precious time and money in costly lawsuits, compliance risks resulting in penalties, or reputational damage. Internal controls help establish procedures and policies to keep the organization compliant, prevent employees from committing fraud, and improve the organization's operational and financial efficiency.

What is Internal Control?

COSO defines internal control framework as the following:

A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations;
  • Reliability of financial reporting;
  • Compliance with applicable laws and regulations.

Internal Controls are made up of steps, procedures, policies, and rules designed to ensure that an organization meets its objectives in the most efficient manner and prevent, detect, and mitigate risks facing organizations. Internal Controls aim at operational efficiency and effectiveness through the control of risks. Many experts even comment that internal controls are part of day-to-day operations. 

The following are the basic features required for a robust internal control system: 

Establishing responsibilities

The most important principle of internal control is establishing and entrusting the responsibility to specific individuals. Many times, teams fail because of the lack of clarity on one's responsibilities. Controls work the best when individuals are made responsible for executing tasks. Establishing responsibility includes authorizing the power to execute certain actions to these individuals.

‍Segregation of Duties 

Separating duties involve bifurcating a task into a series of small tasks and sharing them among various employees. Separation of tasks (SOD) is the basic building block of internal controls and risk management and helps prevent fraud and errors. When parts of a  task are divided and distributed to two or more employees, it reduces wrong doings, errors, and swindling. The SOD promotes shared responsibilities and prevents just one person from accessing company's critical assets. The concept of SOD is derived from the notion that giving complete control of critical systems and vulnerable processes to one single individual can increase risks. 

Records Maintenance 

Documentation is a critical component of any internal control. Maintaining appropriate records enables storing and safeguarding of documentation, and includes destroying any tangible obsolete records. A GRC platform like VComply helps organizations maintain a central repository of records, and associate proofs or evidence for a control.  It also facilitates role based access to records and restricts unauthorized access. A backup of the data ensures that there is no data loss.

‍Independent Reviews and Audits

Independent internal verification or audits ensure that that controls are working as intended. They also assure the organization that it  complies with rules and regulations, performance of operations are effective, and financial reporting is accurate.

Safeguarding and Insuring of Assets

Physical as well as digital safeguards help protect company's assets. They can be physical e.g. locks or intangible e.g. – passwords and pins . Irrespective of the methods, they are an important feature of the company's internal control plan. Documents such as blank checks, company letterhead and signature stamps are items that require safeguarding. One may commonly overlook this. 

Thus, to ensure good governance and compliance, a company should have effective internal controls in place. 

VComply is a leading GRC platform that helps meet the demands of compliance professionals by helping them perform risk assessment and implement controls. It comes with built-in compliance frameworks that helps you automate the implementation of compliance controls.

Devi Narayanan
Read More
How to Prepare Your Organization for GDPR and Data Privacy?
Apr 8, 2021

When the internet and technology are the lifeblood of modern business operations, it is no wonder that data privacy has taken the  center stage. According to a Pew Research Center report, 79% of consumers have raised concerns about personal data that organizations collect. These concerns have as much to do with discrimination and law as they do with ethics and policy. Across the EU, UK, USA, China, Singapore, and virtually every other location on the planet, the regulatory landscape for data privacy has changed and continues to evolve. In the EU, the General Data Protection Regulation (GDPR enforceable in 2018) and its policies have effected change worldwide.

EU regulators and legislators indicated that businesses' almost laissez-faire approach toward data protection compliance had gone on for far too long and that the GDPR would rectify this. And it did. Today, the cost of data privacy infractions can amount to a hefty penalty of up to €20 million or 4% of the company's annual global turnover. Moreover, on account of the GDPR's broad territorial scope, it is regarded as a standard globally, and businesses invest heavily to keep up with the compliance regulations.

However, despite efforts, a report published by DLA Piper states that data breach fines and notifications between January 2020 and 2021 increased by 40% and 19%, respectively. Naturally, this double-digit growth isn't conducive to healthy business operation and implores the question, 'What can or should companies do to mitigate losses due to data privacy non-compliance?' For insight on the matter, read on to know how companies can prepare for the inevitable progression of GDPR or any other such data privacy laws and regulatory guidelines.

Define the role and responsibilities of a data protection officer

The first approach companies could take is to hire a data protection officer or DPO. This is a relatively new role for most institutions and should exist, especially considering how quickly regulatory reforms can occur. A data protection officer is a professional tasked with doing all the heavy lifting in ensuring that the organization remains compliant with the GDPR. As a matter of fact, it is a mandatory requirement by the GDPR that a company must hire a DPO if it handles personal data of EU residents. 

Ideally, companies should look inwards at personnel working within the IT or legal departments for the role of DPO. A DPO's responsibilities often overlap with those of a Chief Data Officer and these professionals serve as viable candidates for the job. However, to be effective, it is important that the DPO receives formal training on GDPR. Organizations such as the Association of Data Protection Officers and the International Association of Privacy Professionals (IAPP) offer courses on data privacy and security. There is a talk that the GDPR will likely create entities that offer certification for such courses in the near future.

Ditch all age-old, legacy systems that make data management tedious

In a bid to save on costs, it is quite common for companies to take legacy systems forward with every passing year. While this may have worked a decade ago, it definitely won't in today's environment. Legacy systems used to track, enter, and monitor data make staying compliant difficult, especially when dealing with a breach. The solution here is to evaluate the efficacy of existing data management tools with today's standards. 

A good starting point would be to get rid of systems that don't easily integrate with workflow automation. Manual inputs and processes increase the risk of noncompliance, and new-age tools can help address this problem. One smart and effective solution is the VComply GRC software suite. VComply allows you to establish a centralized data model, where a single repository of all critical documents may be maintained. This enables easy management, tracking and can aid quick breach redressal when dealing with risk data.  

Ensure that the privacy impact assessment isn't lacking

An effective way to stay ahead of GDPR changes is ensure that the current documentation is maintained with maximum accuracy and as per requirements. Under the GDPR, all data-intensive projects must have privacy impact assessment (PIA) documentation, which must be accessible to everyone involved in a project. This is non-optional as it is a process that accounts for all the privacy risk present with any data a company collects from consumers. 

 Ideally, a comprehensive PIA should be able to document all key data-related information. Here is a table that highlights the main verticals and the type of data that should be documented.

Prioritize security above all

It comes as no surprise that data security is a key part of the GDPR compliance journey. To stay ahead of the ever-changing environment, companies should design all security measures with privacy as a priority. Common measures include creating workflows that govern data access, both on-site and remotely. As per the GDPR, an external data breach can even be a situation where an unvetted temporary employee is granted full access to data through a generic log in. 


Such cases of unsecured data access can be solved by implementing clearly defined user access controls. Besides these, security measures extend to monitoring and logging. This is another branch of data collection, albeit internal, and should be handled in keeping with the GDPR.

Review existing risk assessment controls and revamp as needed

Before the GDPR took hold, data privacy may have not been a key part of the risk assessment and management strategy. This needs to change in order to adapt to the modern-day requirements and data privacy should be given its fair share of importance within these protocols. This includes designing specific risk assessment models, having controls to mitigate risks, and understand the impact of these risks and the extent of their exposure. 


Considering that the GDPR guidelines will continue to evolve with every passing year, it is safe to assume that companies will soon have to learn to adapt on the fly. These 5 measures should help prepare for many reforms, especially if the company has the right tools at its disposal. The VComply GRC software suite offers such a solution to organizations to map their data and efficiently implement controls to track and manage compliance with GDPR regulation. To address any queries or know more about the provision, contact us online.

VComply Editorial Team
Read More
Avoid These Mistakes While Implementing Policy Management
Apr 6, 2021

A holistic GRC management is incomplete without policy management. In an ideal world, policies guide an organization to follow the rules and regulations, prepare for internal and external audits, and finally keep the organizations away from risks. However, the reality seems to be different. Many of the organizations seem to have only very basic policy management system in place. It can cause severe consequences as it leaves you at the risk for financial losses, security breaches, and overlook the improvement initiatives.

Avoid These Mistakes While Implementing Policy Management

Let's see the major risks companies can face not implementing a full-blown policy management system, and how to avoid them.

Approval Processes Hurting Your Business? Automate It

Is the policy document approved? Who approved it? Are we distributing the approved version of the policy to employees? These are some of the common questions that we hear in organizations. Policies usually require multi-level approvals. There could be occurrences that the organizations' performance improvement initiatives can get delayed due to a missed approval.

VComply helps you set up workflows for multi-level approvals.  Instead of manually sending a policy and wait at every turn for a manager to approve a policy and then send it to another level for approval, you can automate the whole approval process and configure parallel, round-robin, or sequential level of approval.

Policies Everywhere? Centralize It

The lack of having a central repository can create chaos when it comes to working with multiple policies. The employees find it difficult to choose which version of the policy is to be followed in a manual set up. VComply encourages efficient policy management as all the policies are centrally located, saving employees' time retrieving the policy. VComply's policy portal helps ensure that your organization complies with laws and regulations, and helps share policies with your stakeholders for attestation or reference.

Disparate and Disconnected Systems for Compliance, Risk and Policy Management? Link Them

Organizations using disparate and disconnected systems for risk, compliance and policy management miss the integrated system's benefits. Compliance, Risks management, and Policy management share interrelated tasks and common objectives. Combining these processes, and establishing transparency and accountability requires an integrated and linked system. 

VComply's GRC management is tightly coupled with policy management and helps implement proactive and risk-based policy management. It saves time, effort and money – and streamline the efforts required for managing risks, compliance, and policy management.

Role-based Access Control

Every policy management workflow should define the policy owner and with whom the policy is intended to be shared and not. VComply's Workflow Management System should allow you to customize what each user can see and edit. It enables business-level control of access rights by using roles to match user permissions to the organization

A comprehensive policy management tool can alleviate the difficulties in creating and implementing policies. Cloud-based solutions like VComply’s Policy Management Software give you a powerful way to create, modify, distribute, and test policies. For instance, with VComply, you can create questionnaires to gauge the effectiveness of a policy, assign privileges to give proper access, have a convenient audit trail, get real-time alerts, and more. Policy is a crucial component of GRC and VComply offers a range of tools for governance, risk, and compliance management.

Having considered what a policy management process looks like and some reasons to invest in a policy management solution, deliberate on how to better govern your organization. Remember, the cost of bad policy management may far exceed that of investing in a policy management solution. So, when the time is right, do not think twice about using a smart software to empower your efforts!

Devi Narayanan
Read More
Internal Audit: Trends in 2021
Apr 2, 2021

The primary role of auditors is to help the organization remain compliant and meet its objectives efficiently. The growing and changing needs of stakeholders, crisis management requirements, and uncertainty have widened the scope of internal audits. In response to these requirements, new trends have emerged in the field of internal audit that will add value to the organization and guide it through the landscape of risks.

Here are some of the new trends in Internal Auditing:

Holistic approach towards auditing

Disruptions, threats, uncertainty, and changes are part of today's organizations. Starting from cyber-attacks, climate change to supply chain disruptions, organizations face numerous challenges. They need a resilient approach, frameworks, and mechanisms to bounce back when dealt with unexpected risks. Internal auditing should assume bigger responsibilities beyond just evaluating the company's compliance challenges, fraud detection, and reporting in this environment. Internal auditing should take on a central strategic role in an organization and provide insights to the management to run the organization efficiently. It should provide guidance to govern risks, stays compliant, and implement an operational resilience strategy.

Remote audit

The pandemic has forced companies to go remote. And, at least for some companies, the trend is remote from now on. Similar to other functions, audit functions need to resort to tools that overcome communication and availability challenges. The adoption of communication technologies enable audit evidence collection, review of records, and report generation to support audit conclusion. The companies must conduct risk assessment and document the outcomes achieved through remote auditing. Internal audit must take up a proactive role by giving insights concerning different risks, challenging practices, processes, and the organization's overall risk landscape.

Build agility in audit

Audit teams need to agile to keep up with the increasing pressures of the organizations. They should let go of their rigid practices and long audit cycles, instead, focus on the organization's present needs, respond to quickly to changing risks, adopt short and accelerated audit cycles, and fewer documentation requirements. Agile auditing empowers auditors to prioritize audits based on its importance and provide long standing value.

Innovative audit techniques

While many companies are looking at technology specific to audit function, others already invested in technology are expanding the role of automation and analytics. Audit automation simplify the process of constructing new audits and creating new checklists. It ensures that non-compliances and weak areas are properly addressed. Thanks to advanced machine learning techniques, auditors are gaining invaluable insights by accurately analyzing mass amounts of information, saving time and money.  Meanwhile, advanced analytics can shed light on new risk patterns, anomalies, internal control gaps, or opportunities. They help internal auditors improve the scope and quality of their work, while also delivering better insights to stakeholders.

Organizations use GRC tools such as VComply to conduct audit programs, schedule audit checklists, and issue audit report. The advantage of such a tool is that you can monitor and improve upon control systems and areas of risk in an ongoing manner and in real time too. Moreover, you govern your business better as you are no longer working in silos and with spreadsheets, but organization-wide, with customized software. VComply, for instance, allows you to schedule tests, classify incidents, track progress and more. Now that you are aware of the basics of conducting an internal audit, venture forth to create a robust and consistent business process!  

Devi Narayanan
Read More
How Does Your Organization Comply with PCI DSS? All You Need to Know
Apr 1, 2021

According to an analysis by Atlas VPN, credit card fraud cases surged by 104.7% when you compare Q1 of 2019 and 2020. Likewise, Julie Conroy,  a research director at Aite Group, reported that by the end-2020, credit card fraud losses in the US amounted to a staggering $11 billion! These facts make it clear that the digital payment ecosystem is rife with vulnerabilities. After all, security gaps can emerge at various points of handling, storage, and transmission, such as at POS devices, e-commerce apps, Wi-Fi hotspots and personal computers. 

To create a safer payment ecosystem, major players, namely, American Express, JCB, MasterCard, Visa, and Discover formed the Payment Card Industry Security Standards Council (PCI SSC) and subsequently, a standard for data security, the PCI Data Security Standards (PCI DSS). The latest version of PCI DSS is v.3.2.1 and though PCI DSS is not a law, it is expected that the industry needs to be compliant with its requirements as non-compliance entails hefty fines and lost business opportunities and customers.

Do you need to be PCI DSS compliant? 

If you handle, store, process, or transmit credit card data you ought to be PCI DSS compliant. Moreover, your card processing agreement normally requires you to be so. Depending on how much sensitive information visits and resides in your systems, your compliance requirements could be more or less, complex or basic. 

Achieving PCI DSS compliance entails adhering to 12 high-level requirements, and depending on your compliance needs, 300+ controls. Here is more on how to comply with PCI DSS. 

What is needed for PCI DSS compliance?

PCI DSS compliance is validated against a list of PCI DSS requirements. Read on to know more. 

Goal: Build and Maintain a Secure Network and Systems

  1. Use and maintain a firewall configuration: The goal is to protect cardholder data using a network security device (firewall) by controlling incoming and outgoing network traffic. Here, it pertains to traffic within internal trusted networks as well as between internal and external (untrusted) networks. A firewall is your first line of defense, preventing unauthorized access and securing the cardholder data environment.
  2. Ensure proper password protection: Operating systems, routers, POS terminals, etc., often come with vendor-default passwords and accounts. These can help with installation; however, such initial settings are often freely available on the internet or are widely known. Hackers can easily exploit this loophole and hence, change all vendor-supplied passwords and security parameters, and delete default accounts.

Goal: Protect Cardholder Data

  1. Protect stored data: As a rule, it is good to avoid storing cardholder data when it is not necessary. However, some business transactions need you to store sensitive information. In such cases PCI DSS mandates that you employ protection methods like hashing, encryption, masking, and truncation to ensure that in case of unauthorized access, the cybercriminal will not be able to read the data or use it meaningfully.
  2. Encrypt transmitted data: Open, public networks can be accessed by cybercriminals and hence, you should ensure that the data you send over networks like the internet, Bluetooth, GSM, and Wi-Fi, is secure. PCI DSS asks that data be encrypted, and that encryption strength be appropriate, that you use trusted keys/ certificates only, and that you employ a secure protocol for data transmission.

Goal: Maintain a Vulnerability Management Program 

  1. Use and update antivirus software: Today, there is an increased amount of business activity that is susceptible to malicious software attacks. Hence, it is essential to have an antivirus software (which may be supplemented by an anti-malware solution) that can detect, protect against, and remove all known types of viruses, worms, trojans, adware, rootkits, spyware, etc. Since, software threats evolve with each day, regular updates are also a PCI DSS requirement.
  2. Have secure applications and systems: All code is buggy and hence, applications are never “perfect”. Loopholes exist and are discovered, and for this reason, developers frequently release security patches. PCI DSS requires you to install critical patches supplied by vendors within 1 month of release. Also, you need to set in place a process for identifying security vulnerabilities and map them to a risk ranking – “high”, “medium” or “low”.

Goal: Implement Strong Access Control Measures

  1. Restrict access to cardholder data: Risk increases as data exposure increases, and to limit this, PCI DSS proposes that critical data be accessed only by authorized staff, on a need-to-know basis. What is the minimum amount of access that is required to perform a specific job responsibility? That is what you must consider when assigning and approving privileges. A system admin will enjoy more privileges than a call center staff, yet none may require access in a particular scenario.
  2. Assign unique IDs for access: Having unique IDs for users is important to ensuring accountability for actions taken and tracing the cause of issues. Point 8 of PCI DSS also requires that you use sufficiently strong passwords. Inactive IDs are to be removed or disabled in 90 days and passwords are also to be changed within this period.
  3. Limit physical access to data: Restricting and monitoring physical access to cardholder data is important to the integrity and security of the sensitive information you hold. Ensuring a secure cardholder environment could involve everything from installing video security cameras to having password-protected login screens and procedures to authorize visitors.

Goal: Regularly Monitor and Test Networks

  1. Create and monitor access logs: Having audit logs in place allows you to trace suspicious activity and attribute it to a specific user in case of any data compromise. However, PCI DSS also requires that you monitor these logs. Else, you will find yourself backtracking only after a data breach occurs. The goal is to stop it in its tracks.
  2. Test security systems and processes often:  To root out fresh vulnerabilities PCI DSS asks that you conduct tests on your custom software, processes, and system components regularly. In particular, check for the presence of wireless access points, through which an intruder can gain unauthorized access “invisibly”.

Goal: Maintain an Information Security Policy

Document a security policy: Protecting sensitive data is the responsibility of all employees and to set the right tone, PCI DSS requires that you establish, publish, maintain, and disseminate a security policy that educates personnel on what is needed from them.

What are the essential steps of PCI DSS compliance?

Know your compliance level There are 4 PCI DSS compliance levels.
  • Level 1: Merchant processing <20,000 online transactions annually, or up to 1 million total transactions annually
  • Level 2: Merchant processing 20,000 – 1 million online transactions and less than 1 million total transactions 
  • Level 3: Merchant processing 1 – 6 million transactions annually
  • Level 4: Merchant processing over 6 million transactions annually

Depending on your compliance level, you will determine which networks and components are in PCI DSS scope.

Assess system components within scope: Each PCI requirement has corresponding testing procedures, and at this stage you must check for compliance and identify gaps. Level 1 businesses need to conduct an onsite assessment and draft an Annual Report on Compliance (ROC). A Qualified Security Assessor or an internal auditor will be involved in the process. A QSA is a PCI-SSC-approved independent security organization that validates your business’ adherence to PCI DSS.

If you belong to Level 2-4, assess your compliance by filling out an annual Self-Assessment Questionnaire (SAQ). There are 9 SAQs and these comprise Yes-or-No questions for each PCI DSS requirement. You need to use the SAQ relevant to you only. Every quarter or less, businesses at all levels engage the services of an Approved Scanning Vector (ASV) to check for external scanning requirements of PCI DSS.  Depending on the gaps present, you will need to adopt certain security controls and protocols. The 12 PCI DSS security requirements outlined above indicate how you should go about protecting sensitive information.

Report, attest, and submit: After assessing and taking remedial measures, documentation of the SAQ/ ROC and compensating controls occurs. You can then fill out a formal Attestation of Compliance (AOC) and have it verified by a QSA to show that you are in full compliance with PCI DSS. You can submit your SAQ, ROC, AOC, etc., to any organization requesting them with everything in order.

Remember, PCI DSS compliance is not a one-time task. It involves an ongoing process of assessing, repairing, and reporting. It requires you to bring together your legal, technology, finance, and security teams for a common purpose, and a software solution like VComply can help you manage and monitor the 300 odd security controls you may need to set in place. With it, you can easily delegate responsibilities, conduct gap analysis, generate reports, get prompt alerts, and more. With PCI DSS 4.0 slated to arrive in mid-2021, getting compliant today is the best thing you can do to prepare for the future. So, take steps towards securing your cardholder data environment and use VComply to accelerate your compliance efforts manifold!  

Devi Narayanan
Read More