Nearly every day, both new and long-standing companies face regulatory or compliance challenges. A common mistake made by most is to seek a “compliance check list” and go it alone to save money. Unfortunately, in many cases this path is fraught with pitfalls only first-hand knowledge and prior audit experience can help avoid. The lost business and reputational damage a failed audit can bring typically far exceeds the costs of engaging an experienced partner to lead the compliance journey.
Although most regulatory standards do in fact contain a checklist of controls, interpreting the intent behind the often-complex legal language favored by regulators requires experience. In fact, the sometimes-vague control language often lends itself to misinterpretation. Without having been through an audit to provide evidence of the effectiveness of a particular control, it is very likely the inexperienced control owner may miss the spirit of the control, thus receiving a comment or outright deficiency.
Another common mistake many organizations make when first encountering a compliance challenge is to target the bare minimum needed to meet the requirement. Although this may in fact satisfy the regulatory need, it can create a negative organizational culture that drives employees toward mediocrity rather than going above and beyond to satisfy customers. That’s not to say companies should spend copious amounts of time and money to bullet-proof every possible compliance control. Rather, the industry distinguishes between the “letter” and the “spirit” of a control. It’s possible to follow the letter of a control requirement and pass an audit. But companies that understand and embrace the spirit or intent of the control and strive to incorporate it into business processes are the ones that will not fear the annual audit cycle and will ultimately spend less time and money to maintain compliance on an ongoing basis.
Incorporating compliance controls into everyday business processes is indeed a best practice. It also helps to avoid several additional common pitfalls, which include putting Information Technology (IT) in charge of compliance and letting compliance drive cyber security strategy. Both approaches can lead to compliance becoming an “IT thing,” resulting in a lack of business engagement. Although this may pass with some auditors for some regulations, questions about business responsibilities will inevitably arise. And when they do, attempting to bring the business into what was previously viewed as an IT or Security responsibility will likely be met with significant resistance, making it much harder to achieve long-term compliance.
A better approach is to identify and build a separate compliance function apart from either IT or the business while integrating functions and priorities of both. IT and Security should still play a significant role in compliance, as should key business functions. But a neutral party between IT and the business will help to resolve conflicts where IT may quickly lose sight of business objectives in its quest to implement a myriad of technical and novel compliance solutions. The same is true when the business may not appreciate the security need to modify or monitor certain business practices.
This strategy of integrating compliance also holds with respect to the overall IT Security program. Compliance edicts should not be the only input into the entire IT security strategy. Security should become part of everyday business practices, with policies and procedures designed to identify and limit business specific risks and ensure business continuity. Often, the necessary controls to meet continuing business requirements and mitigate common business risk will also satisfy a variety of regulatory controls, eliminating the need for costly special purpose compliance solutions. When approached in this manner, compliance controls are often less controversial and IT security is viewed as a partner rather than an adversary.
With robust IT, Security and Compliance Programs in place, the next logical step is to implement an effective governance program. Governance is an often-overlooked element to success in IT, security, compliance, and even business practices. Governance, Risk [Management], and Compliance (GRC) programs not only support compliance objectives, but also serve to:
- Enable a company to demonstrate measurable results against business objectives.
- Provide a mechanism to inform stakeholders and investors of the ways in which the company’s IT practices and services align with required best practices and industry standards.
- Maintain adherence to changing compliance and regulatory requirements over time.
As the complexity of a compliance program grows, it is essential that good documentation, written procedures, and training for personnel are incorporated into the program. Auditors will ask for this type of documentation. Delays in producing it, or worse, employee interviews that uncover a lack of awareness of the policies and procedures, will result in audit comments. The easiest way to avoid this mistake is to establish a well-organized central repository for policies and procedures and to train personnel on both the documentation system and the job-specific controls required for compliance.
As part of implementation, ongoing monitoring and testing of controls is an absolute requirement for any successful compliance program. Not only will this testing and monitoring ensure the program remains in place, but it will also provide much of the audit evidence required to satisfy regulators that the system is effective. It will also serve to identify deficiencies in the system in real time so they can be corrected before they become a larger problem that might jeopardize certification. This validation and testing should include an annual recertification component for employees to ensure processes have not been lost or forgotten. It is also a good idea to incorporate a test or quiz as part of the annual training requirement to confirm that the content was received and understood by personnel.
Even with the best of compliance programs, it is impossible to plan for every possible scenario. There will be times where a particular policy, procedure or control cannot be implemented either for technical reasons or without imposing unreasonable burdens on the business. In these cases, the audit process requires exceptions to be documented and maintained or revisited on a regular basis. Exceptions will often be requested as part of the annual audit or certification process and may also require evidence of compensating controls or practices that still meet the spirit, if not the letter, of the control.
If all of this serves as proof that the compliance process should not be taken lightly, there is one last common mistake to avoid: hiring a compliance advisor rather than a professional services firm as a guide through the compliance journey. Thousands of firms will produce spreadsheets and checklists and happily direct company resources through a variety of tasks to implement a compliance program. But these organizations often lack the knowledge and resources to actually build a cohesive compliance program for your business. Instead, look for those few experienced firms with the ability to work side by side with company resources. The most capable partners will be knowledgeable about the common pitfalls outlined above. They will also provide resources to assist in implementing an effective compliance program, building out the necessary tools, templates, processes and solutions alongside company personnel. They will develop training for employees and serve as a partner at the table during the certification process, rather than a coach or task master that vanishes before crossing the finish line.