“Quis custodiet ipsos custodes? (Who watches the watchmen?)” – Decimus Junius Juvenalis (Juvenal), Roman satiric poet
We’ve spoken before about the importance of meeting high standards with your work.
We’ve also covered, in detail, how failure to comply with industry standards and bad processes cost Zenefits $7,000,000.
This all happened because they weren’t meeting the standards they should have been with their internal processes.
To help stop you from falling afoul of the same fate, we here at Process Street will be covering compliance audits in this post. These are the guidelines that you will need to follow to avoid penalties from external sources for not doing your work satisfactorily.
It doesn’t matter what business you’re in – compliance audits are there to make sure that your customers are getting a satisfactory (or, at least reasonable) service.
We’ll cover:
- What is a compliance audit?
- Why is audit compliance important?
- Compliance audit types
- How to prepare for a compliance audit
- Process Street: The natural compliance audit software
Let’s get right into it.
What is a compliance audit?
A compliance audit is a series of checks performed externally to make sure that your company is meeting the regulatory standards applicable to your business.
In other words, it’s a way of making sure that you’re carrying out your work up to a basic required standard. The checks are carried out by an external, impartial party to help eliminate bias and keep things fair.
The trouble with discussing compliance audits is that the things being assessed differ greatly depending on the nature and dealings of your company.
For example, each of the following elements will change the standards you have to meet to pass a compliance audit:
- Whether you’re a public or private company
- The sector you operate in (SaaS, healthcare, etc.)
- The types of roles you employ within (content writers, graphic designers, programmers, etc.)
- Local laws and regulations
- Whether you take only local or international customers
- Whether you retain private data
California law will differ from UK law, doctors have to meet different standards than financial planners, and so on. The only way to know for sure what you need to be compliant with is to look up the standards that apply to your own industry.
One example of a set of standards that compliance audits are carried out against is the ISO 9000 family of quality management standards.
If you want to learn more about ISO standards, you can find our blog posts here:
- Agile ISO: How to Combine Compliance with Rapid Process Improvement
- Agile ISO: A Holistic Business Process Management Framework
- What is ISO 9000? The Beginner’s Guide to Quality Management System Standards (Free ISO 9001 QMS Template)
- ISO 50001: The Ultimate Guide to Energy Management Systems (EnMS)
- What Is ISO 31000? Getting Started with Risk Management
- ISO 19011:2018 Basics (8 Free Management System Audit Checklists)
- ISO 13485: Basics and How to Get Started (QMS for Medical Devices)
- 5 Free ISO 14001 Checklist Templates for Environmental Management
- ISO 26000 for Corporate Social Responsibility: How to Get Started
- What is Quality Management? The Definitive QMS Guide (Free ISO 9001 Template)
- What is ISO 14000? EMS Basics & Implementation (Environmental Management)
- What is ISO 9001 Certification? How to Get Certified (For Beginners)
- What is an ISO Audit? Free ISO 9000 Self-Audit Checklist (ISO 9004:2018)
- What is a Quality Management System? The Key to ISO 9000
We’ve also written checklist templates to help you make sure that your company is compliant with the ISO standards relevant to you. Check them out here:
- ISO-9000 Structure Template
- ISO-9000 Marketing Procedures
- ISO Container Inspection Checklist
- ISO 9004:2018 Self-Audit Checklist
- ISO 9001 Internal Audit Checklist for Quality Management Systems
- ISO 9001 and ISO 14001 Integrated Management System (IMS) Checklist
- ISO 45001 Occupational Health and Safety (OHS) Audit Checklist
- ISO 27001 Information Security Management System (ISO27K ISMS) Audit Checklist
- ISO 26000 Social Responsibility Performance Assessment Checklist
- ISO 19011 Management Systems Audit Checklist
If you couldn’t already tell, we’ve done a lot of work on quality management systems (especially ISO standards) which serve as a base for many official compliance audits. That’s why we’re tackling the topic on the whole in this post.
While the checklists above won’t automatically make your business ISO compliant, using them to check your business before applying for an external compliance audit is a great way to avoid wasting time and effort on failing the audit.
Why is audit compliance important?
Anybody can say that they’re the best in the world. Heck, just think of the number of grimy coffee shops that you’ve seen with “World’s Best Coffee!” slapped in the window.
The same is true of any business – if left unchecked, there’s little other than word-of-mouth to prevent them from claiming that they offer the best service on the market.
For small businesses (SMBs), this presents less of a threat to their customers (relative to larger companies). Usually, SMBs operate on a smaller scale with less power to mess their customers around.
However, what happens when a large business doesn’t meet the appropriate security standards?
Just speak to (what used to be) Yahoo.
A security breach in 2013 compromised the names, dates of birth, email addresses, passwords, and security questions and answers of 3 billion users, making it the largest recorded data breach. The revelation knocked $350 million off its sale price (around 8% of its final price).
Basically, if you don’t at least meet industry standards, you open yourself (and your customers) up to huge problems.
Compliance audits thus help to verify:
- The security of sensitive data
- The records of financial departments
- Payroll
- HR policies
- Health and safety
- Environmental impact
- Quality management standards
The audits prove that your team (and company as a whole) is performing its duties in these fields up to a standard that can be trusted by its customers. It not only gives them peace of mind and confidence in you but shows your performance at a measurable level.
If you’re GDPR certified and your main competitor isn’t, for example, a large new lead will be more likely to become your customer than theirs.
Compliance audit types
While assessing bodies may look at several elements at once, the majority put a huge amount of emphasis on the security of sensitive data. This is because data is by far the most dangerous thing for your company to be mishandling.
It doesn’t matter what business you’re in – if your practices lead to a breach of customer data, those customers (and potential new ones) will lose a huge amount of faith in you. Not to mention they’re far more likely to start looking for another, safer business to deal with.
To that end, while the audit you need to adhere to differs depending on the type of business you’re running and the location you’re in, most of them focus on similar aspects.
While I won’t cover every type of compliance audit here, here are some of the main ones which large-scale US companies have to deal with:
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
- International Organization for Standardization (ISO)
- Payment Card Industry Data Security Standards (PCI DSS)
- The Sarbanes-Oxley (SOX) Act
- SOC 2
General Data Protection Regulation (GDPR) compliance audit
GDPR is a dense beast that mostly comes down to the protection of customer data in the EU.
Now, I said that these compliance audit checks would concern larger US companies, and this is still true. GDPR regulations apply to any company that has dealings within the EU, no matter where its main base of operations is.
While the specifics of GDPR are lost in legal jargon (which you should read if it applies to you), the gist of the standards can be summarised thus:
- You need to have a system in place to manage data and security.
- You need to have that system fully documented.
- You need to operate within the parameters of the GDPR, e.g.:
  - Consent boxes cannot be auto-filled as “yes”.
  - Companies must respond to access requests from users within 1 month.
  - Requests for personal information must be processed free of charge.
If you want more information, check out our full breakdown of how to be GDPR compliant.
Alternatively, check out our free GDPR Checklist For Businesses!
Health Insurance Portability and Accountability Act (HIPAA) compliance audit
HIPAA was passed in 1996 and covers anyone dealing with protected health information (PHI) of clients in any form (hard copy, oral or digital).
It is another behemoth of legislation, but you can find a short, 25-page summary of HIPAA here. For those with less patience, I’ll summarise the summary below:
- You need to have safeguards to prevent unauthorized access to PHI
- These safeguards should be fully documented, checked, and updated according to new technological requirements
- These safeguards shouldn’t prevent the sharing of information within your organization where it is required to perform your duties
International Organization for Standardization (ISO) compliance audit
ISO is different from the previous two compliance audits, in that it represents an entire family of checks as opposed to a single focus.
For example, ISO 9001 focuses on quality management, giving your business a framework for continuous improvement. ISO 14001, meanwhile, checks that your team has implemented (and is upholding) an effective environmental management system (EMS).
If you want to learn more about ISO standards and use some free checklists to help yourself become ISO compliant, check the What is a compliance audit? section of this post for a full list of our resources.
Payment Card Industry Data Security Standards (PCI DSS) compliance audit
The Payment Card Industry (PCI) Security Standards Council is responsible for the standards that you need to adhere to if you process payment cards at all.
Their Data Security Standards are designed entirely to make sure that your business is handling this data safely. If anything, this is as much for your own good as it is for your customers’.
Just think of the damages you’d have to pay if payment card information was leaked due to your bad practices.
To meet their standards, you have to:
- “Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors”
The Sarbanes-Oxley (SOX) Act compliance audit
Back in 2002, the Sarbanes-Oxley (SOX) Act was passed in the US, bringing huge changes for the standards that public companies had to meet.
SOX focuses on regulating the financial practices of public companies, how they are governed, and the accountability that executives must take. As you might imagine, this act was created as a response to massive financial scandals in public companies to attempt to prevent the same from happening again.
The checks that must be made in order to be compliant with SOX involve:
- Any electronic records you hold, and the management of them
- Data protection measures
- How accountable executives can be held
SOC 2 compliance audit
Created by the American Institute of CPAs (AICPA), SOC 2 is another set of guidelines applying to those who use the cloud to store customer data (especially technology companies).
To achieve high standards of data security, there are two types of SOC 2 audits which you can be compliant with:
- SOC 2 Type 1 – assesses whether a vendor’s systems have the appropriate security measures in place to safely house customer data in the cloud
- SOC 2 Type 2 – focuses instead on the vendor’s operations, including its systems and processes, typically over a period of six months
Again, while these six compliance audits are far from an exhaustive list, they’re a great place to start with knowing what standards you have to meet in your business.
How to prepare for a compliance audit
There’s only one way to prepare for a compliance audit: look up the requirements to pass it, and then rigorously enforce those requirements in your organization.
I won’t go over how to meet the specific requirements of each and every compliance audit out there. Frankly, the best way to know what you need to do is to look up the audits that apply to your business and what you need to do to meet their standards.
However, I can tell you how to prepare yourself to comply with an audit.
Since we deal with customers in the EU, Process Street needs to be GDPR compliant. We made a massive push to ensure that everything was up to standard and ready to go to avoid breaching their rules and damaging our reputation (not to mention risking our clients’ data).
There were a couple of elements that I noticed made a huge difference in this transition, preventing it from being a manic mess of trial and error.
- We had a workflow management system already in place
- Our continuous improvement system allowed us to easily make changes
- The collaboration culture allowed departments to talk to each other and get to the bottom of things faster
Having some kind of business process documentation software is essential to be compliant with an audit. There’s no better way of effectively keeping track of what standards your work currently meets and how successful any improvements are.
We practice what we preach by using Process Street alongside apps like Salesforce to let us perfectly track what we do (and how we do it).
Let me tell you why.
Process Street: The natural compliance audit software
Process Street lets you lay the groundwork of your organization out for anyone to understand. By documenting your processes as superpowered checklists, you make sure that everyone knows what they’re doing, how they should be doing it, and is able to perform their tasks to your high standards no matter how inexperienced they are.
These checklists can be built out with rich text, images, videos, sample emails, files, and more to remove any obstacles between your employees and their work. You can even assign team members to specific tasks or checklists and set due dates to make sure that everyone knows exactly what they need to do and when it’s due.
To cap it all off, you can save time and effort by automating your processes and integrating Process Street with other apps. This lets you automatically take care of busywork like data entry and task creation without having to get your hands dirty and waste your attention on the smaller, robotic tasks.
In other words, your standards can be set, improved and enforced all within Process Street!
Get a head start on your compliance audits by signing up for a free account today.
What compliance audits does your business need to meet? Let us know in the comments below!
Ben Mulholland
Ben Mulholland is an Editor at Process Street, and winds down with a casual article or two on Mulholland Writing. Find him on Twitter here.