Complying with the growing number of regulations has made effective use of IT essential, particularly for automating the processes that handle the information in an organization's possession.
As requirements grow, systems that both facilitate compliance and demonstrate to auditors that standards for security and data protection have been met are an increasingly critical area of IT operations. Learn more in this FAQ.
- What is a compliance audit?
- How are compliance audits different?
- What regulations require compliance audits?
- Who performs compliance audits?
- What is the role of IT in a compliance audit?
- What are the penalties for noncompliance?
According to WhatIs.com, a compliance audit is a "comprehensive review of an organization's adherence to regulatory guidelines." This review generally surveys internal systems, such as user access controls and security policies, to test whether the organization is meeting its regulatory obligations. Most reviews are conducted by independent, external parties, such as government auditors or consultants with IT expertise. Organizations are asked to demonstrate that they have policies and procedures in place for achieving compliance.
Not all audits are the same. Consider, for instance, a financial audit of a public company's quarterly results. Both compliance and financial audits involve reviews of internal control systems by independent parties, but the scope and subject of the reviews differ. A financial audit focuses primarily on controls related to accounting and financial reporting systems to determine whether the resulting financial statements are accurate, fair and complete. A compliance audit examines an organization's internal systems and IT controls more broadly to test whether a particular set of regulatory requirements is being met.
Until recently, the concept of a compliance audit typically evoked the 2002 Sarbanes-Oxley Act (SOX). Officially entitled the U.S. Public Company Accounting Reform and Investor Protection Act, SOX pertains to all publicly traded companies. A growing body of federal law, however, requires audits of internal control systems to ensure compliance with regulations. Some laws are industry-specific, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), officially entitled The Financial Modernization Act. Additionally, there are industry-set standards that impose audit requirements, such as the Payment Card Industry Data Security Standard (PCI DSS).
Compliance audits are conducted in different ways depending on the regulations being enforced. The vast majority involve an assessment of IT systems, because such systems have become integral to compliance processes. Auditors typically meet with CIOs, chief technology officers and IT managers to discuss how these systems are secured and who has access to them. Auditors also request documents that demonstrate that an organization is meeting its regulatory requirements.
Sarbanes-Oxley Act: A compliance audit evaluating conformity with the Sarbanes-Oxley Act requires a company to explain the process by which it generated the figures on its financial statements and how those numbers can be validated. Financial reporting processes at public companies generally rely on IT systems. As a result, the controls for those IT systems will be at the heart of an assessment of SOX compliance. The law requires reports on how effective the controls and procedures for financial reporting are, which means companies have to document and be able to demonstrate how the processes are secured and how well they work. Nonfinancial systems as well as financial systems may be evaluated in a compliance audit.
PCI DSS: The challenges associated with PCI compliance and audits are quite different from those associated with the Sarbanes-Oxley Act. PCI DSS establishes very specific compliance measures, leaving little room for differing interpretations. Greg A. Nolann pointed out the difficulties an organization can confront in addressing both types of compliance challenges in "Seeking Compliance Nirvana," an article for the Association for Computing Machinery. "SOX and PCI address similar goals but take approaches that are 180 degrees apart," he wrote. "SOX doesn't specify a standard; instead it says to use some other established methodology or set of practices. PCI, on the other hand, specifies exactly what you must do, who can do it, where it applies, and how to determine if you are compliant."
HIPAA: Health care providers that store or transmit electronic health records are subject to HIPAA requirements. The Centers for Medicare & Medicaid Services, a division of the U.S. Department of Health and Human Services (HHS), provides a checklist of the kinds of information a HIPAA auditor requests. To prepare for a HIPAA compliance audit, experts recommend that an organization determine which checklist items have been addressed and then prepare a statement explaining why each was or was not implemented. It is also important to have a written policy for records management and retention available for review and to keep staff training up to date.
Compliance audits are generally conducted by government auditors or contractors so that an independent third party certifies the organization's adherence to the relevant regulations. Some regulations, however, require internal as well as external audits. Under the Sarbanes-Oxley Act, for example, internal auditors assure that internal control systems are effective. Industry-established regulations can also require internal audits. Under PCI DSS, most merchants are required to bring in an external Qualified Security Assessor for a compliance audit; under certain circumstances, some merchants may use an internal auditor instead.
Internal audits are sometimes conducted in preparation for external compliance audits. It is important to make sure policies and practices are up to date, enforced and documented. Since organizations should be prepared to turn over documents at the auditors' request, those documents should be stored in nonerasable, nonrewritable formats and kept where they can be accessed easily and retrieved quickly.
IT managers can prepare for audits by deploying information management tools, such as event log managers and change management programs, to make it easier to track and document internal controls and demonstrate compliance to auditors.
Preparing for a SOX audit can take hundreds of hours. Preparation requires reviewing information on the internal controls for financial data -- such as security, implementation, disaster recovery and change management -- and verifying the controls as well as the data.
After the introduction of numerous state data breach and protection laws, a central responsibility of IT is now to protect sensitive data within an organization. This responsibility encompasses keeping track of who can access the data and how. Given that IT systems are integral to financial reporting and other regulatory requirements, an assessment of the IT system's internal controls is also critical to a compliance audit. This applies not only to compliance audits that involve the Sarbanes-Oxley Act, but also to the Gramm-Leach-Bliley Act, HIPAA, HHS regulations and more.
Effective compliance frameworks should be supported by IT systems that suit a particular organization and the relevant regulations. Document management, event log management software, change management software and other tools can help achieve compliance with regulations and facilitate compliance audits.
An organization's IT professionals now work closely with other parts of the business, such as finance, legal and internal audit, to meet compliance goals. IT professionals should also collaborate with these departments in preparing for compliance validation and then assist during the audit itself.
Failure to comply with regulatory obligations -- which include compliance audits -- can result in fines and prison terms, depending on the area of noncompliance. Under the Sarbanes-Oxley Act, for instance, the destruction of relevant email can result in fines of up to $5 million and 20 years' imprisonment. Noncompliance with the GLBA can result in five years in prison, as well as fines.
Regulations established by industry bodies such as the New York Stock Exchange or the PCI Security Standards Council do not include imprisonment for noncompliance but do impose fines.
This was first published in October 2009