Compliance Is Not the Same as Assurance
Compliance is widely regarded as one of the main economic, operational and sustainability tools for giving the public some comfort that the systems they depend on aren’t going to come tumbling down.
But let me pose this question: “What level of comfort does compliance really give us?” We still hear about security breaches, management failures and fraud. If these organizations have passed their compliance exams, why are there still so many issues? Several governing bodies have each defined their own framework requirements. For business operations and systems alone there are COSO, COBIT, ISO, PCI, HIPAA, HITRUST, NIST and FFIEC, just to name a few. There are global compliance standards, and others specific to countries, industries and states. How could there be so many? Maybe it’s because there’s money to be made, or maybe it’s because some people think they have a better handle on what’s required than others. What I do know is that it creates massive headaches for organizations trying to comply, and a sea of confusion for vendors, customers and governing bodies.
Compliance was created with good intentions. It confirms to users that the entities they rely on have designed and implemented controls. But in many compliance exams the mere existence of a policy and procedure, or verbal confirmation that a control exists, is enough to obtain a passing grade. Compliance says little about the operating effectiveness of those controls; it provides a checklist validation that a defined set of controls has been put in place. Perhaps most important, compliance validates existence only at a point in time.
I believe assurance is something greater than compliance. Where compliance provides proof of existence, and perhaps of implementation (design), of policies, procedures and controls, assurance tells us about their operating effectiveness. That gives management and users a greater level of comfort. Assurance entails verification by an independent, certified third party that performs tests of the operating effectiveness of controls over a period of time.
One way to obtain assurance is a System and Organization Controls (SOC) report. A SOC report is the only independent report option I’m aware of that opines on the operating effectiveness of controls over a period of time. Note the distinction within the SOC family, though: it is the Type 2 report that covers a period; a Type 1 report opines only on the design of controls as of a point in time, much like a compliance checklist. In addition, a SOC 2+ report option allows independent assurance testing of the operating effectiveness of management-defined expectations and of the controls from the various compliance frameworks mentioned above. The other unique aspect of a SOC report is that it is rooted in an understanding of risk rather than in a defined set of rules.
Management should be held to a higher standard than merely completing a checklist. Design testing of the controls on that checklist doesn’t show what happened six months ago, and doesn’t create transparency the way a SOC Type 2 report does, which measures controls over time. By managing controls against the expectations of SOC guidance, management can identify organizational risks in a timely manner, adjust for them and continue to manage with those risks in mind. Assurance reports, like a SOC report, can be structured to cover the risks that matter most to management, owners, business partners and the public. Meeting the expectation that confidential information stays confidential is vital to consumer trust. It’s not enough to take comfort that your vendor, or your own business, is operating effectively based simply on a “passing” grade on a compliance test.