A Buck For Your Thoughts - Episode 001
What better way to start off this series, and this year, than to talk about one of my all-time favorite topics?
I like it so much because it deals with something that I know many organizations struggle with. It’s what I like to call “optimizing the audit.” What a lot of organizations deal with is the need to be compliant with several assessments at once: maybe it’s a SOC 1 or SOC 2, but they also have covered entities that require them to be compliant with HIPAA, or perhaps HITRUST and various other frameworks. And maybe they even manage and process cardholder data; therefore, you have PCI out there as well. So, these organizations are scheduling meetings, gathering evidence, and meeting with auditors, and it just seems like it’s a mad race at the end of the year. Every. Single. Year.
The thinking is, what can be done to make that process maybe just move a little smoother, a little easier? This is what I call “optimizing the audit.”
Optimizing the audit is when the organization does not look at it as just a point-in-time assessment, where they must go and gather information to satisfy this group or that group, but rather they think in terms of a continuous state of compliance.
This is where you take what the auditor is giving you—the scheduled meetings, the information request lists, the requests for evidence and artifacts that the assessor works through to complete the SOC 1, SOC 2, or PCI assessment—and catalog those artifacts alongside that effort. Done well, even long after the auditor is gone, you have a good sense of what types of information the auditors look at to assess your controls. Then, perhaps as part of an internal assessment or an internal compliance effort, you can take that information and build your own internal audit plan to work from. That way, you maintain a continual attitude toward compliance throughout the year, and you catalog and retain those artifacts in such a way that the next time the auditor shows up, it isn’t such a mad dash to gather all that evidence and coordinate meetings, because, from an internal standpoint, you have already been doing it on your own.
I would say, the next time you have the thought, “I wish it wasn’t such a mad dash to get ready for this audit,” try to think, “Maybe there is a way to optimize these that we have not considered in the past.”
Remember – you heard it here on A Buck for Your Thoughts.
About the Author
Ryan Buckner is a Principal at Schellman & Company, Inc. Ryan currently leads Schellman’s SOC 1 practice and has been a leading advocate for the adoption of SOC 1 and SOC 2 solutions by cloud service providers. Ryan is also an AICPA-approved and nationally listed SOC Peer Review Specialist for SOC 1 and SOC 2 examinations. Having completed over 800 service audits, Ryan is one of the most experienced service auditors in the United States.