with co-author Adam Berman
Today’s outsourced service providers (OSPs) handle ever larger volumes of sensitive information for their customers, and with that comes a higher level of regulatory scrutiny. At the same time, the regulatory environment has become more complex, with standards and guidance in a continual state of flux across multiple industries. OSPs face a constant barrage of questionnaires, inquiries and audits from regulatory bodies, internal audit staff and customers, all of whom need to ensure the compliance of their vendors as part of their extended enterprise. Without a proficient approach to third-party assurance (TPA) reporting, OSPs can quickly become overwhelmed. The following are some of the biggest challenges many of them face.
Keeping a Finger on Multiple Pulses
Regulations governing the handling of personally identifiable information (PII) and protected health information (PHI) have changed dramatically over the past decade, particularly in industries such as financial services, health care and consumer products. With such changes likely to continue, many OSPs find themselves scrambling to keep up. Yet unless they stay current, they can be caught short when an examiner from a Federal Financial Institutions Examination Council (FFIEC) member agency, a Payment Card Industry (PCI) Qualified Security Assessor or another assessor arrives to conduct an audit.
Traditionally, staying abreast of regulatory changes has not been a focus for OSPs, but it increasingly makes good business sense for them to take on this task explicitly. Not only does it prepare them for external audits, it also positions them to respond to customer questions, because information on new guidance is already at their fingertips. The earlier an organization learns of a regulatory change, the earlier it can respond by adjusting its processes and building the new requirement into its integrated controls framework.
Nipping Wheel Reinvention in the Bud
It starts with a few questions from a single customer. Someone is assigned to track down the answers and put together a response. Then a questionnaire from a different customer lands on someone else’s desk. Some of the questions are the same, but the recipient doesn’t know that, so she starts from square one. Then internal audit arrives with many of the same questions. Eventually the department that has received the same question five different times begins to ask, “What’s going on?”
Coping with these “one-offs” is one of the biggest pain points we hear about from our OSP clients. It is also a compelling rationale for issuing TPA reports, such as Service Organization Control (SOC) reports, on a regular basis. But turning reactive into proactive takes concerted planning. First, the OSP needs a comprehensive understanding of its internal and external control requirements. This is achieved by building a full inventory of requirements: internally identified requirements, industry and regulatory requirements, and those embedded in customer questionnaires and service-level agreements. Each requirement is then mapped to the control or controls that satisfy it, and the resulting requirements-to-controls matrix becomes the basis for TPA reports. It also becomes the reference for any question that still arrives: the answer to a repeated question is the evidence already gathered for the mapped control, not a fresh investigation.
These reports won’t answer every client or regulator question. But when done well, they are likely to cover most of the risks involved and will almost certainly reduce the number of one-off questionnaires an OSP receives from its customers. For example, a SOC 1 report lets an OSP demonstrate the effectiveness of controls relevant to its customers’ internal control over financial reporting (ICFR), while a SOC 2 report demonstrates controls against the broader AICPA Trust Services Principles (TSPs). Beyond this, an OSP can issue an enhanced SOC 2 report, known as a SOC 2+ report, in which the SOC 2 examination is extended to provide evidence of compliance with additional regulatory and industry frameworks, such as those published by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Such reports clearly demonstrate to regulators that the OSP is taking a proactive approach to compliance. One caveat: a SOC report covers a defined system boundary and review period, so customers will still ask about services or periods outside that scope; the requirements inventory should flag those gaps before the next questionnaire does.
Reining in the Resources Expended on Compliance Activities
Even with a robust TPA reporting process, OSPs still have to contend with internal and external audits and with visits from regulatory bodies and customers. These can be extremely time-consuming and absorb significant resources. In fact, without careful planning, a company may find itself in what feels like a perpetual audit.
A key to avoiding this state of affairs is intelligent scheduling. As with compliance questionnaires, many of these audits are redundant in the requirements they test. If management proactively identifies those commonalities, it can time the audits so that a given process is tested once rather than several times. In addition, if external audits are scheduled first, internal audit can often rely on their results to supplement its own reporting, and customers can accept them in place of their own due-diligence testing. Reliance of this kind only works when the scope, control population and test period of the external audit line up with what the internal or customer audit needs, which is another reason to plan the calendar around the shared requirements inventory.
The Rewards of Proficiency
Compliance can no longer be an afterthought for OSPs. Too much is at stake, and failing to plan and focus compliance activities drains resources and distracts the organization from its core business. Becoming proficient at TPA reporting, on the other hand, saves companies time and money, allows reports to be tailored rapidly to customer compliance needs and ultimately improves customer satisfaction.