Are any of you on this group in organizations that are subject to multiple sets of internal or external audits that overlap? If so, how do you handle the duplication of work?
In my organization, we have external PCI audits, external ISO27001 audits, external SAS70 audits, external Sarbanes Oxley audits, plus we are required to do internal audits for ISO 27001 and Sarbanes Oxley – most of which concentrate on the same things: general computing controls, the protection of sensitive data, and the integrity of our applications.
What is particularly frustrating to control owners/operators is having to answer the same questions and produce the same evidence time after time for these different audits. One thing that is helping is automation of many of these audited tasks (or automating the recordkeeping), which makes evidence collection easier.
Are any of you experiencing this? Please share.
Peter H. Gregory 