Data compliance audits allow regulatory agencies to ensure your organization is sticking to the rules. If your business is subject to industry or government regulations, compliance audits are simply a fact of life. They will happen periodically, and you must be prepared for them. Failure is not an option, especially with the reputation and financial future of your business hanging in the balance. But there are some practical tips that can help you meet the challenges of data compliance audits and achieve favorable results.
Compliance audit basics
Compliance audits are normally dictated by the laws and regulations that apply to your business, so you may be routinely inspected every year or two. The actual frequency will vary depending on your industry, the inspection budget of the regulatory agency and the results of past audits of your company. But audits can occur at any time, even if you've done nothing wrong. "Audits can also be triggered by problem reports or complaints received by the regulatory agencies about your company or about other companies in the same field," according to Mike Casey, vice president of services development and marketing at Contoural Inc., an e-discovery consulting firm.
When a data compliance audit occurs, it is rarely a scheduled event. "Many regulators prefer unannounced audits to make it harder for companies to 'clean up their act' only when they know that an audit is coming," Casey says. In practice, audits may be performed directly by the examination and enforcement staff of the regulatory agency itself. In other cases, compliance audits can be conducted by third-party examiners, such as accounting firms, acting under the oversight of a regulatory agency. The company's internal compliance auditor will work with the outside auditor to furnish relevant documentation and other materials, but other business areas (e.g., IT, accounting or human resources) may also be involved to address an auditor's questions or produce specific data.
Inspectors normally have a compliance audit plan or checklist of areas that they will address. This plan may include a direct inspection of business records, an examination of working conditions and employees, and interviews with department heads. Inspectors will check a random sample of documents or processes in each area of concern. If the inspectors are satisfied, they will move on to the next area. If not, the auditors will invariably drill down into the details of that area, examining larger samples and expanding interviews until they reach a favorable or unfavorable conclusion.
The penalties for failing a compliance audit can vary dramatically depending on the industry, the rules and the regulatory agency involved. For example, data compliance deficiencies in a bank may increase the required capital reserves and the overall cost of capital, while repeated deficiencies in a manufacturing plant may result in fines or even closures. "Severe deficiencies in compliance with Securities and Exchange Commission (SEC) rules can lead to prosecution, fines and jail terms for company officers," Casey says.
Ten tips to meet compliance audits
Now that you've covered some compliance basics, here are 10 tips that will help you prepare for, and master, the inevitable compliance audits.
Know the inspection process in advance. There should be no mystery behind compliance audit requirements or processes, and you can often obtain the examination manual or inspection checklist directly from the regulatory or governing agency. In addition, industry associations and other groups may offer audit guidelines, sample policies and procedures, and even comprehensive audit preparation workshops. All of this can be used to help prepare your own internal audit program. For example, the MIS Training Institute (MISTI) in Framingham, Mass., provides a wide range of internal audit seminars and workshops.
Self-auditing is essential for success. Build a sound internal audit program that includes adequate documentation and follow-up processes. Companies should perform internal data compliance audits regularly and proactively correct any deficiencies. This isn't just for specific industries, like banking or medical product manufacturing. Public companies subject to the Sarbanes-Oxley Act (SOX) and health care organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) should also conduct internal audits. Remember that outside auditors will look closely at the internal audit system. An absent or inadequate internal audit program will be marked as a deficiency, possibly encouraging a deeper examination.
Consider using an independent auditor. While it is certainly possible to conduct your own internal compliance audits, some companies simply don't have the resources or in-house expertise to handle that business function. Independent third-party compliance auditing firms can help to bridge this gap, allowing companies to present regulators with independent results.
Be sensitive to changes in your industry. Complacency is one of the biggest threats to data compliance because compliance is not static. It's a "moving target" that shifts and changes based on notable activities within the industry and new enforcement priorities within the regulatory agency. For example, the Basel II capital accord for global banking requires internal analysis and reporting of "operational risk," so banks moving to Basel II will need to update their compliance audit policies and processes to accommodate that new requirement. Auditors will probably tailor their inspection to ensure that any new regulations are accommodated.
Be alert to problems within your industry or business environment. Some problems may be systemic, and trouble at one or more companies in your industry may bring the compliance auditors knocking on your door -- even when you haven't done anything wrong yourself. One important example is the recent SEC crackdown on backdating stock options. Incidents of backdating have led to litigation and penalties for convicted parties.
Demonstrate that you can keep compliance data secure. Many regulations place two distinct security requirements on sensitive data: preventing unauthorized access, and safeguarding the data against alteration or destruction for the length of the required retention period. Meeting them may involve technologies like encryption and content-addressed storage (CAS) products, where an object's identifier is derived from its content so that any change to a stored record is detectable. During a data compliance audit, inspectors will want to verify that both requirements are in place and working properly, not just that the products have been bought. IT security staff will be familiar with the available controls and safeguards, but the internal audit process itself should cover both concerns. In addition, you should have data retention/deletion policies that are clearly defined for both backup/recovery and archiving, and the deletion side must reach every copy: a record that has been purged from the primary archive but survives on backup media has not actually expired. Be ready to demonstrate how "expired" data is actually removed from your storage systems, and how a record under legal hold is exempted from that removal.
Be prepared to furnish documentation quickly. It used to be that a company might have days (even weeks) to produce the documentation requested by a compliance auditor. Now regulators are expecting companies to tender documents quickly, and this should be an important focus of your internal audit process. A typical examiner may expect the company's internal compliance officer to access records on demand while the auditor is waiting in the room.
Pay attention to legacy IT systems. Although compliance is certainly not an IT-only function, it's important for IT managers to ensure that all of the company's storage and networking infrastructure continues to meet the security, documentation and other regulatory requirements that apply to it. This is particularly challenging for aging legacy systems that may not easily keep pace with changing compliance requirements. Upgrades and forklift replacements may be needed to maintain proper adherence, so compliance managers must actively involve IT managers in the data compliance audit process.
Don't ignore the importance of disaster preparation. Compliance issues also involve disaster planning and preparedness, so be sure to document your mission-critical systems and present a recovery plan for those systems. Compliance auditors may want to see disaster recovery plans for both single-component faults and total site disasters.
Bring known flaws to the forefront. Finally, if an internal audit reveals a lapse in the infrastructure, this does not necessarily mean a failed data compliance audit or severe penalties from a regulator. This is especially true for young organizations that are relatively new to compliance issues. The key is to present any known issues to the auditor, along with a reasonable plan to address and correct the lapse. The penalties for intentionally hiding a known issue can be far worse than discussing the lapse and formulating a plan to fix it.