Friday, July 24, 2009

Inside Compliance

Follow a three-pronged approach to compliance

By John Robichaud

From HIPAA to SOX to PCI DSS — and on and on — the growing canon of compliance regulations can overwhelm businesses simply trying to keep up. What makes compliance difficult is the fact that not only do applicable regulations vary by industry — for instance, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for health-care providers or the PCI Data Security Standard (PCI DSS) for companies that accept and process credit card payments — but the actual tasks integral to ensuring compliance and accountability are spread across multiple departments.

Yet, the penalties for not complying are so great that extreme diligence is necessary to meet applicable standards and execute appropriate management practices. As a result, companies must find ways to not only identify and decipher the intricacies of the specific regulations applicable to their operations but also develop strategies to manage the complex internal processes necessary to ensure compliance and avoid stiff penalties.

To cope, savvy companies rely on three key tools: a thorough third-party compliance audit; a strategic communications plan; and specialized governance, risk management and compliance (GRC) programs that enable businesses to demonstrate compliance to auditors, boards of directors and CEOs.

Compliance Audit
Organizations sometimes do not understand the full range of their requirements. As a result, they don’t always accurately identify which policies, controls and tasks are appropriate. That’s where a compliance audit can help. Auditors, such as independent accounting, security or IT consultants, review security policies, user access controls and risk management procedures. This investigation into an organization’s adherence to regulatory guidelines provides a snapshot of the strength of compliance preparations.

The type of audit needed varies widely based on the type of organization (public or private), the kind of data it handles, and the work in which the company is engaged. For example, businesses that transmit credit card data are subject to PCI DSS, a multifaceted data security standard that includes requirements for security management, policies, procedures, network architecture and other protective measures intended to safeguard customer account data. Health-care providers that store or transmit e-health records, like personal health information, are subject to HIPAA requirements. For other companies, the driving force may be Sarbanes-Oxley (SOX) requirements, or mandates set forth by the U.S. Environmental Protection Agency or other regulatory agencies.

Auditors evaluate regulations relevant to a particular business, focusing on key areas, such as information technology, human resources and accounts receivable. When examining IT, for instance, an auditor would likely assess and test compliance with new Massachusetts data security regulations.

If the client were a university, compliance with the Family Educational Rights and Privacy Act of 1974 (FERPA), a federal law that protects the privacy of student education records, would be explored. For human resource-related compliance, an auditor would assess a company’s policies and procedures, and test compliance with myriad statutes covering areas such as age discrimination, the Americans with Disabilities Act, the Civil Rights Act of 1964 and fair labor standards.

Communications Strategy
Effective programs take a strategic enterprise view of compliance and support management with a consistent set of methods and tools. Such a program fosters clear communication among departments to erase ambiguity about roles, eliminate duplication of effort and promote accountability. For example, many organizations maintain compliance requirements, policies and checklists in multiple spreadsheets, filing cabinets, shared folders and intranets. Establishing a central document repository and defining roles and responsibilities allow workers to access and effectively manage the information needed for careful analysis.

GRC Program

A GRC program provides the framework to ensure that policies and controls, written by many individuals in many jurisdictions, work together rather than overlap or conflict. It also improves workflow because it allows an organization to map back to specific actions and programs that mitigate risk and improve compliance.

The bottom line is this: An effective compliance program demands that businesses understand and stay up-to-date on evolving requirements; establish a common definition of policies, processes, risks, controls, and related issues; assign accountability; and share information in real time. Combining the advantages of a thoughtful compliance audit, a well-devised communications strategy and a GRC program can improve the health of any organization.

John Robichaud is a director at CBIZ Tofias, a Cambridge provider of tax and consulting services. He can be reached at jrobichaud@cbiztofias.com.
