There are certain words that strike fear in the hearts of all who hear them. “Audit” may well be one of those words. Though it has its linguistic roots in hearing or deep listening, the word carries with it a sense of intense scrutiny, of nit-picking, of rooting out mistakes.
For the business world, one of the few ways of making this word worse is to yoke it to the word “compliance.” Compliance, of course, refers to a company’s relationship with any number of complicated regulations and mandates under which it operates. Compliance initiatives are wide-ranging, and might pertain to legal departments, document retention, security or data management, among other topics. Compliance programs exist as a way to demonstrate that the company is operating within its legal limits.
A compliance audit, therefore, is a close examination of that claim, and it involves a comprehensive review of an organization’s adherence to regulatory guidelines. Below, we’ll take a look at some of the details of compliance audits and suggest steps that will help your organization prepare for its next compliance audit.
Who performs compliance auditing?
The answer to this question will depend on whether the audit is internal or external.
Internal audit teams are composed of employees from within the organization who have been tasked with evaluating the effectiveness of a particular department or compliance initiative. When creating such a team, it is important to select detail-oriented members who are thoroughly familiar both with the content of the regulations and with the company's actions in response to them. Internal audit teams document their observations and report their findings to the appropriate management for review.
External audit teams are independent of the organization being audited. Depending on the regime, they may be registered public accountants, qualified security assessors or IT specialists engaged by, or accredited by, the relevant regulatory body or industry council. External audit teams report their findings both to the body that requires the audit and to the company in question. External audits are particularly important because they carry with them the threat of sanction, loss of certification or legal action.
What do compliance auditors look for?
The precise content of a compliance audit will vary depending on the particular compliance initiative examined or the regulatory body conducting the audit. Other factors that influence an audit include whether the company is public or private, what sort of data the company handles, and whether the company transmits or stores sensitive financial information.
For example, if the auditing team is examining the organization's Sarbanes-Oxley (SOX) compliance, it will focus on internal controls over financial reporting (Sections 302 and 404) and on the IT general controls behind the financial systems: who can change the data and the code, how those changes are approved, and whether the records are retained, backed up and recoverable under a tested disaster recovery procedure. Health care providers and their business associates who store or transmit electronic protected health information (ePHI) are subject to HIPAA (Health Insurance Portability and Accountability Act of 1996), whose Privacy Rule governs how patient information may be used and disclosed and whose Security Rule requires safeguards for its confidentiality, integrity and availability. Likewise, any organization that stores, processes or transmits cardholder data must meet PCI DSS (Payment Card Industry Data Security Standard), which is not a law but a contractual standard maintained by the PCI Security Standards Council and enforced through the card brands and acquiring banks.
Despite the different details that the regulatory bodies focus on, all audits tend to measure a company’s fitness in three important areas: security, user access control and risk management policy.
Security: If your organization handles sensitive information, you need to take all reasonable measures to make sure that the data is safeguarded from theft, fraud or abuse. Unauthorized storage, sharing or sale of customer information can result in fines or other sanctions. Since the European Union's GDPR (General Data Protection Regulation) took effect in May 2018, "personal data" has meant any information relating to an identifiable natural person, a far wider category than many organizations had previously protected, which has caused many of them to review their policies concerning customer data.
User Access Control: One key step in providing overall data security is instituting and maintaining user access control. This means authenticating every user, then authorizing each one for only the data and actions their role requires (least privilege), and removing that access promptly when roles change or staff leave. Furthermore, quality access control includes audit logs that record which user performed each change to the data and when, retained and protected so that they cannot be altered by the people whose actions they record.
Risk Management: Finally, compliance auditors are often concerned with the ways in which organizations recognize and mitigate risk. A risk factor is anything that might represent a threat to the company's successful operation. This might include the possibility of corruption, unfavorable publicity or even a natural disaster. Compliance auditors want to know that your organization has plans in place for dealing with these various possibilities to ensure the company's success moving forward.
Often, compliance auditors will need to speak with an organization's CIO, CTO and IT administrators. In particular, they may ask for a current employee roster, a list of all administrators with access to critical systems and data, a record of all personnel departures, and evidence that the accounts of departed staff, and any other unused accounts, have been disabled or revoked.
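The last of those requests is the one most organizations struggle to evidence by hand. As an added example that is not part of the original article or of Blueprint's software, the following Python script performs the reconciliation an auditor is really asking for: it compares the HR roster against an export of accounts from the identity store and flags enabled accounts that belong to nobody, that outlived their owner's termination date, or that have gone dormant. The roster and account records are constructed sample data, and the field names and the 90-day dormancy threshold are assumptions for illustration.

```python
"""Reconcile an HR roster against an identity-store account export.

Added example, not code from the original article. All records below are
constructed sample data; field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Employee:
    """One row of the HR roster (assumed field names)."""
    user_id: str
    termination_date: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    """One account exported from the directory or identity provider."""
    user_id: str
    enabled: bool
    admin: bool                  # holds a privileged role
    last_login: Optional[date]   # None if the account has never logged in


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str


def reconcile(roster: List[Employee], accounts: List[Account],
              as_of: date, dormant_days: int = 90) -> List[Finding]:
    """Flag enabled accounts an auditor would question.

    Checks run in priority order: orphan (no employee), leaver (employee
    terminated on or before as_of), then dormant (no login within the window).
    Disabled accounts already satisfy the "revoked" requirement and are skipped.
    """
    employees = {e.user_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        emp = employees.get(acct.user_id)
        if emp is None:
            findings.append(Finding(
                acct.user_id, "enabled account with no matching employee (orphan)"))
        elif emp.termination_date is not None and emp.termination_date <= as_of:
            days = (as_of - emp.termination_date).days
            findings.append(Finding(
                acct.user_id, f"still enabled {days} days after termination"))
        elif acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            findings.append(Finding(
                acct.user_id, f"dormant: no login in the last {dormant_days} days"))
    return findings


def privileged_accounts(accounts: List[Account]) -> List[str]:
    """The 'list of all administrators' auditors request: enabled, privileged accounts."""
    return sorted(a.user_id for a in accounts if a.enabled and a.admin)


# Constructed sample data (not real people or systems).
AS_OF = date(2024, 6, 30)
SAMPLE_ROSTER = [
    Employee("alice", None),
    Employee("bob", date(2024, 5, 15)),    # left six weeks before AS_OF
    Employee("carol", None),
    Employee("dave", date(2024, 7, 15)),   # leaving in the future; still employed
]
SAMPLE_ACCOUNTS = [
    Account("alice", enabled=True, admin=True, last_login=date(2024, 6, 28)),
    Account("bob", enabled=True, admin=False, last_login=date(2024, 5, 14)),
    Account("carol", enabled=True, admin=False, last_login=date(2024, 2, 1)),
    Account("dave", enabled=True, admin=True, last_login=date(2024, 6, 29)),
    Account("svc_backup", enabled=True, admin=True, last_login=None),
    Account("erin", enabled=False, admin=False, last_login=date(2023, 12, 1)),
]

if __name__ == "__main__":
    print("Privileged accounts:", ", ".join(privileged_accounts(SAMPLE_ACCOUNTS)))
    for f in reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, AS_OF):
        print(f"{f.user_id}: {f.issue}")
```

Run against the sample data, the script lists alice, dave and svc_backup as privileged and raises three findings: bob's account is still enabled 46 days after termination, carol's account is dormant, and svc_backup is an enabled privileged account with no owner on the roster. Disabled accounts such as erin's produce no finding. In practice the two inputs would come from the HR system export and a directory or IdP API, and the output of each run, kept with its date, is exactly the evidence an auditor accepts for "unused access has been revoked".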
Planning Internal Compliance Auditing
A successful internal audit can reveal weaknesses or deficiencies in a compliance initiative in the early stages, before they become too complicated to solve or put the organization at risk of legal sanction.
- Choose a team of experienced and motivated employees who are familiar with both the department under examination and the details of the compliance measures.
- Review copies of departmental procedures and cross-reference them with regulations to ensure that they are all compliant.
- Use production and volume reports to choose a sample size that is large enough to be representative. For example, an audit of 500 contracts might review 100 of them; a much smaller sample risks missing a pattern of non-compliance or giving a misleading picture.
- Create a checklist that each auditor should reference when reviewing a file. The details of the list will vary depending on the type of department the audit concerns, but the goal is to provide a measure of consistency from auditor to auditor.
- Develop a system for reporting the findings and suggestions to the organization’s management and necessary employees.
Let Technology Help
Although no software platform can entirely transform an out-of-compliance company, robust entity management systems can provide valuable resources to help ease the burden of compliance audits. Data verification and consolidation can ensure that your company operates with a single, reliable source of information, and customizable compliance modules help create instantly accessible audit trails.
For more information on how Blueprint can help you prepare for a compliance audit, contact a Blueprint representative.