FAQ: What is the impact of a compliance audit on IT operations?

Complying with the growing number of regulations has made IT essential, particularly for automating the processes that handle the information in an organization's possession. As requirements grow, systems that both facilitate compliance and demonstrate to auditors that standards for security and data protection have been met are an increasingly critical area of IT operations.

What is a compliance audit?

According to WhatIs.com, a compliance audit is a "comprehensive review of an organization's adherence to regulatory guidelines." This review generally surveys internal systems, such as user access controls and security policies, to test whether the organization is meeting its regulatory obligations. Most reviews are conducted by independent, external parties, such as government auditors or consultants with IT expertise. Organizations are asked to demonstrate that they have policies and procedures in place for achieving compliance.


How are compliance audits different?

Not all audits are the same. Consider, for instance, a financial audit of a public company's quarterly results. Both compliance and financial audits involve reviews of internal control systems by independent parties, but the scope and subject of the reviews differ. A financial audit focuses primarily on controls related to accounting and financial reporting systems to determine whether the resulting financial statements are accurate, fair and complete. A compliance audit examines an organization's internal systems and IT controls more broadly to test whether a particular set of regulatory requirements is being met.


What regulations require compliance audits?

Until recently, the concept of a compliance audit typically evoked the 2002 Sarbanes-Oxley Act (SOX). Officially entitled the U.S. Public Company Accounting Reform and Investor Protection Act, SOX pertains to all publicly traded companies. A growing body of federal law, however, requires audits of internal control systems to ensure compliance with regulations. Some laws are industry-specific, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), officially entitled The Financial Modernization Act. Additionally, there are industry-set standards that impose audit requirements, such as the Payment Card Industry Data Security Standard (PCI DSS).

Compliance audits are conducted in different ways depending on the regulations being enforced. The vast majority will involve an assessment of IT systems because such systems have become integral to compliance processes. Auditors typically meet with CIOs, chief technology officers and IT managers to discuss how these systems are secured and who has access to them. Auditors also request documents that demonstrate that an organization is meeting its regulatory requirements.

Sarbanes-Oxley Act

A compliance audit evaluating conformity with the Sarbanes-Oxley Act requires a company to explain the process by which it generated the figures on its financial statements and how those numbers can be validated. Financial reporting processes at public companies generally rely on IT systems. As a result, the controls for those IT systems will be at the heart of an assessment of SOX compliance. The law requires reports on how effective the controls and procedures for financial reporting are, which means companies have to document and be able to demonstrate how the processes are secured and how well they work. Nonfinancial systems as well as financial systems may be evaluated in a compliance audit.

Learn more in this SOX FAQ.

PCI DSS

The challenges associated with PCI compliance and audits are quite different from those associated with the Sarbanes-Oxley Act. PCI DSS establishes very specific compliance measures, leaving little room for differing interpretations. Greg A. Nolann pointed out the difficulties an organization can confront in addressing both types of compliance challenges in "Seeking Compliance Nirvana," an article for the Association for Computing Machinery. "SOX and PCI address similar goals but take approaches that are 180 degrees apart," he wrote. "SOX doesn't specify a standard; instead it says to use some other established methodology or set of practices. PCI, on the other hand, specifies exactly what you must do, who can do it, where it applies, and how to determine if you are compliant."

Learn more in this PCI DSS FAQ.

HIPAA

Health care providers that store or transmit electronic health records are subject to HIPAA requirements. The Centers for Medicare & Medicaid Services, a division of the U.S. Department of Health and Human Services (HHS), provides a checklist of the kinds of information a HIPAA auditor requests. To prepare for a HIPAA compliance audit, experts recommend that an organization determine which checklist items have been addressed and then prepare a statement explaining why each was or was not implemented. It is also important to make a written policy for records management and retention available for review and to keep staff training up to date.

Learn more in this HIPAA FAQ.


Who performs compliance audits?

Compliance audits are generally conducted by government auditors or contractors so that an organization's adherence to relevant regulations is certified by an independent third party. Some regulations, however, require internal as well as external audits. Under the Sarbanes-Oxley Act, for example, internal auditors assure that internal control systems are effective. Industry-established regulations can also require internal audits. Under PCI DSS, most merchants are required to bring in an external Qualified Security Assessor for a compliance audit. Under certain circumstances, some merchants may use an internal auditor instead.

Internal audits are sometimes conducted in preparation for external compliance audits. It is important to make sure policies and practices are up to date, enforced and documented. Since organizations should be prepared to turn over the documents at the auditors' request, they should be stored in nonerasable, nonrewritable formats and located where they can be accessed easily and retrieved quickly.

IT managers can prepare for audits by deploying information management tools, such as event log managers and change management programs, to make it easier to track and document internal controls and demonstrate compliance to auditors.

Preparing for a SOX audit can take hundreds of hours. Preparation requires reviewing information on the internal controls for financial data -- such as security, implementation, disaster recovery and change management -- and verifying the controls as well as the data.


What is the role of IT in a compliance audit?

After the introduction of numerous state data breach and protection laws, a central responsibility of IT is now to protect sensitive data within an organization. This responsibility encompasses keeping track of who can access the data and how. Given that IT systems are integral to financial reporting and other regulatory requirements, an assessment of the IT system's internal controls is also critical to a compliance audit. This applies not only to compliance audits that involve the Sarbanes-Oxley Act, but also to the Gramm-Leach-Bliley Act, HIPAA, HHS regulations and more.

Effective compliance frameworks should be supported by IT systems that suit a particular organization and the relevant regulations. Document management, event log management software, change management software and other tools can help achieve compliance with regulations and facilitate compliance audits.

An organization's IT professionals now work closely with other sides of the business, such as finance, legal and internal audit, to meet compliance goals. IT professionals should also collaborate with these departments in preparing for a compliance validation and then assist during the auditing process.


What are the penalties for noncompliance?

Failure to comply with regulatory obligations -- which include compliance audits -- can result in fines and prison terms, depending on the area of noncompliance. Under the Sarbanes-Oxley Act, for instance, the destruction of relevant email can result in fines of up to $5 million and up to 20 years' imprisonment. Noncompliance with the GLBA can result in up to five years in prison, as well as fines.

Regulations established by industry bodies such as the New York Stock Exchange or the PCI Security Standards Council do not include imprisonment for noncompliance but do impose fines.

For more on regulation-specific fines, review our recent FAQ sections on HIPAA penalties, HITECH penalties, PCI DSS penalties and SOX penalties.

This was first published in November 2009