Privacy and compliance laws are expanding significantly, the need for transparency is increasing, and the ways organizations use and share private information are evolving. All this makes the role of Chief Audit Officer (CAO) an essential one in many corporate and healthcare organizations. A CAO has several key responsibilities, including conducting a thorough examination of an organization’s business operations, recommending operational efficiencies, and ensuring compliance with privacy and security laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX) and the various state breach notification laws. If the organization operates globally, the governance mandate of the CAO grows exponentially, as the organization must also comply with regional and international privacy and compliance laws.
It often falls to the CAO to recommend ways the organization can improve operating efficiencies. As part of making such recommendations, the officer needs to perform risk assessments that identify areas where the organization may be vulnerable now or in the future.
Being able to identify these vulnerabilities quickly and address them is one of several key attributes of an effective chief audit officer. Other key attributes include:
Ability to build strong relationships
A successful CAO needs to have insight into all areas of the business. To do this, they need to build close relationships across multiple departments while maintaining independence and an objective outlook. This can be tricky: on the one hand, an effective CAO must observe all areas of the business, which requires close relationships with many departments, including IT, HR and the executive team. On the other hand, a successful officer must also flag compliance issues within these same departments. It is a difficult balance to maintain.
A discreet and trustworthy disposition
A CAO must conduct the job with a very high level of discretion and be able to build trust among co-workers. The nature of the role means officers are often privy to confidential information and therefore must be conscious of the information flowing between departments. He or she walks a fine line between gathering confidential information and sharing relevant data on potential breaches with the proper parties.
At the same time, when a CAO performs his or her duties successfully and professionally, he or she naturally earns trust and respect. Co-workers recognize the skillful manner in which the officer helps the organization operate in a more compliant environment, keeping the organization and its employees out of harm’s way.
The CAO holds a critical position within the executive team. He or she ensures that policies, procedures, controls, solutions and testing are consistent throughout the organization. Experience is key. An experienced CAO will know what solutions should be in place so that gaps can be identified, supported by accurate reporting data. For example, a persistent security and management solution on all computers, laptops, tablets and smartphones allows IT to effectively manage all of these devices and the confidential data they may contain. A successful officer will utilize an endpoint security solution that enables reports to be generated easily and demonstrates compliance within a few minutes, making the job easier and positioning the officer as an ally of IT.
A CAO with strong relationships, discretion and experience is an asset to any organization, and one who could potentially save an organization millions of dollars in non-compliance penalties.
About the Author: As Legal Counsel to the Investigations and Recovery Services Department of Absolute Software, Stephen Treglia oversees the entire department staff of more than 40 investigators and data analysts. Stephen recently concluded a 30-year career as a prosecutor in New York, having created and supervised one of the world’s first computer crime units from 1997 to 2010. Stephen is a renowned nationwide lecturer, teacher and writer on a variety of legal topics.