How to scale compliance program across divisions while maintaining independence

AshT
ServiceNow Employee

We have GRC SOX Content Pack imported, and the SOX program is being managed at the corporate level.

Now, another division of the company wants to utilize the same program but segregate its SOX compliance from the corporate program. The control owners would still be the SOX team, but the controls, risks and processes need to stand alone.

While data could be locked down using roles and entitlements, I am curious to understand what would be a leading practice to satisfy this use case, ideally one that provides further scalability to extend to other divisions.

ChristopherS154
Tera Expert

Hello,

I believe additional entity scoping is all that is needed here. Where initially you may have SOX controls mapped to a 'Corporate' entity, you'll then want to set up downstream entities under 'Corporate' that represent the divisions of the company. Then map those SOX controls to the associated Division entity type and have the appropriate division-level control owners attest to the SOX controls independent of 'Corporate'. (Same approach for Risks.)

There is also a new Composite Entity capability that allows you to simplify the entity hierarchy, which might be worth looking into for this as well.

Hope this helps!