The Situation

As a compliance professional, you bear a unique responsibility and some difficult challenges — you want to simplify and fast-track your efforts so you can quickly achieve compliance with U.S. and international regulations and frameworks while reducing cost, time, and effort.

We hear the frustration though, because many companies have no unified plan of attack—departments are unintegrated, working in silos.

Also, research can be a problem; trying to find the original, definitive Authority Documents online can be difficult, but trying to interpret the language is a nightmare.

Plus, there are a daunting number of controls you have to manage, and every organization must comply with multiple overlapping regulations.

To compound matters, all the Authority Documents are terrible at providing key definitions, and no one is on the same page when it comes to language and definitions.

The good news is that compliance can be made much simpler, especially if you have the correct tools to guide you.

Below are some pointers on how to fast-track your compliance efforts using the process that we’ve seen other companies use to solve their compliance challenges.

Here's How To Get There

Purchase a CCH Basic Account

To build credibility for this solution within your department, you first need to believe in the quality of the UCF mappings. For just $4995, you get access to everything – every AD, control, term, and a world of metadata. Explore, browse, ping us with questions. Worst case – don’t renew, but we know you will find this an invaluable research tool.



The Templates package includes policies, standards, roles, event monitoring, and more.

You can do your own workflow, but here is what we see most organizations do:

  1. Create a List. Start small—you can always add later. Part of the benefit of the UCF is the ease of adding in new Authority Documents (ADs). It’s better to start with ADs you are already compliant with and then add them to your list one at a time. Most organizations update their list quarterly. This is where new Common Controls are introduced. New Common Controls mean more work and more budget – thus the need for caution.
  2. Create a Build. With the Template Build, you have everything you need for a real GRC workflow.
  3. Review the Controls. You can do this in the Controls spreadsheet or by Impact Zone.
    • Look for controls in isolation, i.e., only one AD is mapped to them. This is an opportunity for applying scope. Only include processes, applications and assets that are in scope for that AD.
    • Look for controls that are related. Siblings can overlap up to 80% so you may have already addressed both the existing and a newly introduced control.
    • Look for parents and children. Newly introduced children controls may already be addressed – just not documented or formalized.
  4. Circulate the Audit Questions. Find out who is addressing each control, or not. The audit questions will also help with standardizing language for pending audits. Evidence can be collected around the same audit question where you do not need to answer the question 2 or 3 times or more.
  5. Leverage the Compliance Templates. If you already have a great library of policies and standards, these templates will help you group the Common Controls by topic. You can search within the templates to see how we have grouped controls. If you do not have a library, you can start with this set of documents. Here are the steps:
    • Search for a high-level control within the library. Like what you see? Now remove any roles, assets, etc. that are not relevant. These are superset documents meant to be pruned.
    • Go back to the Controls spreadsheet and mark that the controls can be found in the template. You now know this control has been documented.
  6. Evidence Collecting. You are going to put your evidence into folders with the Common Control number. You will also want to track this in the original Control Excel worksheet.
  7. Tracking. Back at the CCH, give it one last review:
    • Go to the Common Control. Look at the related citation guidance. Does the evidence and documentation support what is being asked? Remember, the Common Control is only an anchor to tie all this together. Your evidence and GRC documents must address the original mandates from the ADs.
    • Everything looks good – mark it done. Need time? – select a date in the calendar. No reminders, but you can track what needs to get done.
  8. Audit Day! Grab the In-depth Report for that audit. Review what the auditor is going to be asking in the columns with the citations. Be ready with your evidence and documentation. Remember, the auditor does not care about the Common Control. It is all about them and the Authority Document.
  9. Throughout the Process. Leverage the Research portal and review the definitions. Look at how others say the same things that are being asked of you. Create a position of strength to push back when you know what your organization is doing is what is being asked of it, not some interpretation from a single party.


Click on “Customize Your Basic Subscription”

Transition to a GRC Platform

Now you can see why the CCH content in combination with a GRC platform is so much better! No more Excel—Common Controls are assigned and trackable in a workflow, and reports are easily generated with all the data you need. Bring that UCF content into your favorite GRC program. Just call the Unified Compliance sales team and we’ll swap your template license for an API license.

Discover Our Developer Partners

Work Toward Your Desired End Result

  1. Create a customized framework specific to your organization.
  2. Compile de-duplicated Authority Document and Common Controls lists in minutes to save time and resources.
  3. Find overlaps and gaps between regulations to reduce audit requirements.
  4. Have a convenient way to research Authority Documents and Common Controls.
  5. Be able to share customized content eventually with a GRC tool.

All leading to the ultimate goal—wildly successful audits!