The good companies talk about privacy and security; the great ones back their words up with third-party audits.
At the most basic level, audits establish trust. Submitting to a privacy and security audit isn’t something that should be done lightly. It involves countless hours of work and resources, not to mention a significant capital investment to execute. Note, that I describe it as an investment, not an expense.
We don’t see audits as being a cost of doing business, we view it as an investment to bolster our clients’ faith in our capabilities and systems. But they do more than just help put our clients at ease with doing business with us; audits help us manage the rising threats and associated risks of handling and securing data today. And as an innovator and data provider operating in a rapidly changing environment that’s under increasing levels of scrutiny around privacy and security—and rightly so—audits motivate us to continually innovate and improve.
When we submit to an audit, auditors are doing more than simply making sure we have the right policies and procedures in place. They demand physical evidence to prove that we’re adhering to those rules as part of our daily routine. As an example in our last audit, they conducted physical checks in our offices to ensure our desks were clear of sensitive client information, they viewed our server rooms for security controls and they made sure hardcopies of client information were destroyed when they were no longer needed. Point being, it’s extensive and beyond digital.
What does a privacy and security audit entail?
More than a month before the auditors arrive to do their field check, stakeholders from finance, operations, legal, software development, research, project management, IT, human resources, office administration and sales all make time in their schedules to prepare answers to auditor questions and collect supporting evidence. This team (under project management leadership) conducts a gap analysis, map the existing controls, perform internal audits and more. By the time the auditors arrive, our staff are armed with hundreds of pages of documents, ranging from basic policies and procedures to operating manuals, checklists and signed contracts. We’ll even supply logs and digital records that demonstrate “correct content” file transfers between us and clients are conducted in a secure manner.
For those unfamiliar with the process of data and security audits, they serve several important functions. For starters, they provide focus and offer a persistent reminder to ensure a business is keeping up with the best practices and standards issued by the industry. They ask questions like: is data at rest on your servers encrypted? How often do you patch your servers? Are employees trained on security? Do you have quality controls? Show me your data inventory. And do you destroy data and what is the process? In total, to comply with the audit (such as the SOC2), the accounting company will review more than 90 items or areas to ensure they adhere to industry best practices.
To their credit, the auditors don’t leave you any room to hide. That is their role. Not surprisingly, in an industry that is constantly experimenting with new technologies, the things they look for are constantly changing, which is why it’s important to go through this process every year. For instance, in the past year, new laws and audit rules came into effect around data breaches. It was no surprise that policy, process, fire drills and training were subject to review.
Proof of exemplary service
These audits also help us ensure we’re providing our clients with the best level of service possible. In the event of a critical failure, we have to prove that our systems can fail over to our disaster recovery hot site within the Service Level Agreement. Business Continuity Plan/Disaster Recovery requirements are contractual and auditable.
Because privacy and security is so important to us, we don’t just submit to one audit, we submit to three: the financial controls assurance (SOC 1, previously SAS 70), the operational controls assurance of a service organization’s environment (SOC2) and a third audit that focuses on handling sensitive health data (HITECH/HIPAA). We’re proud to report that we’re among an elite group of companies that can claim to meet every standard and test for those audits—without exception.
While audits don’t describe a grade (i.e. pass/fail), the reports will highlight areas for improvement and deficiencies where companies fail to meet best-practices, as well as the standards they set out for themselves. Clients should always ask to see these reports as a normal course of business. We’ll proudly share ours; it’s our competitive advantage.
James Smith is the Chief Compliance and Privacy Officer at Environics Analytics