Corporate Compliance Insights

Conquering the Complexity of Compliance

by Tom Haberman
January 13, 2017
in Compliance
Compliance challenges for OSPs

with co-author Adam Berman

Today’s outsource service providers (OSPs) are increasingly handling large amounts of sensitive information for their customers, resulting in a higher level of regulatory scrutiny. At the same time, the regulatory environment has become more complex, with standards and guidance in a continual state of flux across multiple industries. OSPs are faced with a constant barrage of questionnaires, inquiries and audits from regulatory bodies, internal audit staff and customers that need to ensure the compliance of their vendors as part of their extended enterprise. Without a proficient approach to third-party assurance (TPA) reporting, OSPs can quickly become overwhelmed. The following are some of the biggest challenges many face.

Keeping a Finger on Multiple Pulses

Regulations regarding the handling of personally identifiable information (PII) or protected health information (PHI) have changed dramatically over the past decade, particularly in industries like financial services, health care and consumer products. With such changes likely to continue, many OSPs often find themselves scrambling to keep up. Yet unless they stay current, they can be caught short when the Federal Financial Institutions Examination Council (FFIEC) regulator, Payment Card Industry assessor or other regulatory body arrives to conduct an audit.

Traditionally, staying abreast of regulatory changes has not been a focus for OSPs, but increasingly it makes good business sense for them to explicitly focus on this very task. Not only can this help prepare them for external audits, but they will likely be better positioned to respond to questions from customers because information on new guidance will be at their fingertips. The earlier an organization is apprised of regulatory changes, the earlier it can respond to those changes by making adjustments in processes and building them into their integrated framework.

Nipping Wheel Reinvention in the Bud

It starts with a few questions from a single customer. Someone is assigned to track down the answers and put together a response. Then another questionnaire from a different customer lands on someone else’s desk. Some of the questions are the same, but the recipient doesn’t know that, so she starts from square one. Then internal audit comes in with many of the same questions. Eventually the department that has received the same question five different times begins to ask “what’s going on?”

Coping with the “one-offs” is one of the biggest pain points we have heard about from our OSP clients. It is also a compelling rationale for issuing TPA reports like Service Organization Control (SOC) reports on a regular basis. But turning reactive into proactive takes some concerted planning. First, the OSP needs a comprehensive understanding of its internal and external control requirements. This can be achieved by creating a full inventory of requirements, including internally identified requirements, industry requirements and those included in customer questionnaires or service-level agreements. Requirements can then be mapped to the controls that fulfill them and used as the basis for TPA reports.

These reports won’t answer every client or regulator question. But when done well, they are likely to cover most of the risks involved and will almost certainly reduce the number of one-off questionnaires that OSPs receive from their customers. For example, OSPs can demonstrate not only compliance with internal controls over financial reporting (ICFR) using SOC 1 reports, but also broader compliance with the AICPA’s Trust Service Principles (TSPs) via SOC 2 reports. Even beyond this, they can issue enhanced SOC 2 reports, called SOC 2+ reports, to provide evidence of compliance with a wide range of regulatory and industry frameworks, including those of the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and others. Such reports will clearly demonstrate to regulators that the OSP is taking a proactive approach to compliance.

Reining in the Resources Expended on Compliance Activities

Even with a robust TPA reporting process, OSPs need to contend with both internal and external audits and visits from various regulatory bodies, as well as from customers. These can be extremely time-consuming and absorb significant resources. In fact, without careful planning, a company may find itself in what seems like a perpetual audit.

A key to avoiding this state of affairs is intelligent scheduling. The reality is, as with compliance questionnaires, many of these audits are redundant in terms of the requirements they focus on. If management is more proactive about identifying those commonalities, they can plan the timing of audits so that testing of certain processes can be done just once instead of multiple times. In addition, if external audits are scheduled first, often internal audits can utilize the results to supplement their reporting and customer due diligence to avoid additional testing.

The Rewards of Proficiency

Compliance can no longer be an afterthought for OSPs. Not only is too much at stake, but failing to plan and focus on compliance activities may end up draining resources and distracting the organization from its core business. On the other hand, becoming proficient at TPA reporting can save companies time and money, allow rapid tailoring to fit customer compliance needs and ultimately improve customer satisfaction.

Tom Haberman

Tom Haberman is a principal in the Advisory practice of Deloitte & Touche LLP and co-leads Deloitte’s Third-Party Assurance practice. His area of emphasis is information systems and business process auditing and consulting, with particular experience in assessing, designing and implementing technology/business-related risk frameworks, programs and controls. He has assisted clients across a broad spectrum of areas, including: financial statement audit, Sarbanes-Oxley, finance transformation, controls transformation/rationalization and SSAE 16. In addition, Tom is a Certified Information Systems Auditor (CISA), Certified Internal Auditor (CIA), and Certified Risk Professional (CRP). He can be reached at thaberman@deloitte.com.