The experts at Concord Compliance have seen it all before – here are some answers to the most frequently asked compliance questions.
The experts at Concord Compliance have seen it all before – here are some answers to the most frequently asked compliance questions.
Understanding the complex world of laws, standards, and regulatory compliance is no easy task. That’s why you could use a partner like Concord Compliance. We understand the questions you face, and we make compliance management simple for you.
When you combine Concord Compliance’s comprehensive strategies, policies, and standards with automated tracking and documentation of compliance activities through our Practical Compliance Automation™ (PCA) platform, you have laid the foundation for successfully completing nearly any kind of IT audit, regardless of type.
If your organization operates information systems on behalf of other organizations, or if you provide information system services to other entities, there is a very good chance that you will be asked to provide one or more audit reports describing the controls you have put in place to protect your systems and services, and, by extension, how you protect your clients and partners.
The most common audit reports describe the findings from an SSAE 16/ 18 audit conducted by a CPA firm. These reports are typically called Service Organization Controls (SOC) reports and come in three flavors. SOC 1 reports focus primarily on maintaining internal control over financial reporting (ICFR), while SOC 2 and SOC 3 reports focus on information system security, availability, integrity, privacy, and confidentiality using standard Trust Services Principles and Criteria. The AICPA issued SSAE18 SOC1/SOC2/SOC3 structure as an update in May of 2017, as replacement for SSAE16.
Concord Compliance’s compliance programs and our Practical Compliance Automation™ software fully support the standard Trust Services Principles and Criteria, and our direct mapping to frameworks like COBIT and ISO 27001 give you the tools you need to painlessly meet your SOC reporting requirements. Also, by collecting and maintaining all of your compliance records in one place, the PCA platform can help your audits proceed more quickly and efficiently, translating to lower internal costs and disruptions and lower bills from the CPA firm performing your audit.
Taken together, Concord Compliance’s compliance programs and our Practical Compliance Automation™ software provide you with a foundation for passing SSAE 18 audits, getting favorable Service Organization Controls (SOC) reports, and assuring your stakeholders that you are fully in compliance and ready to do business.
The General Data Protection Regulation (GDPR) effective May 25, 2018 standardizes data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). GDPR applies to all organizations holding and processing EU resident’s personal data, regardless of geographic location and can impose extensive financial penalties for noncompliance.
The Concord Compliance IT Compliance Framework includes the privacy standards and operating procedures necessary to meet current GDPR requirements. As part of the annual Practical Compliance Automation subscription Concord Compliance will keep you up to date with changes in regulations, too.
Whether it is a law or regulation like HIPAA or Sarbanes-Oxley (SOX), an industry standard like PCI DSS, or a customer-driven requirement, these days it can be difficult for any organization to make sure that it is doing everything it is expected to do. On top of that, there are many technical frameworks and controls, like COBIT and ISO 27001, each with different emphases, that specify how things should be done. The good news is that Concord Compliance has painstakingly mapped all of the major regulations, standards, and frameworks onto the Concord Compliance Practical Compliance Automation™ (PCA) platform. By adopting our platform, you can track and demonstrate compliance with multiple regulations and requirements all in one place and all using one system. This approach of covering all bases is particularly valuable if you need an SSAE 18 audit.
In the unlikely event that you need coverage for an IT regulation or an IT requirement that Concord Compliance does not already support, we’ll be happy to work with you to add it. In fact, since the Concord Compliance IT Compliance Framework is so comprehensive, chances are that we already include most or all of what you need to be compliant with other regulations and requirements, so usually it’s just a matter of mapping those requirements into what we already do.
Most people know that all publicly traded companies in the United States must comply with the Sarbanes-Oxley Act of 2002. It is less well known that organizations that supply certain services to publicly traded companies also have Sarbanes-Oxley (SOx) obligations if those services might impact a public company’s financial reporting. Especially for small service providers, that can sound pretty scary.
Whether your company is publicly traded or provides services to publicly traded companies, Concord Compliance’s comprehensive strategies, policies, and standards and our Practical Compliance Automation™ (PCA) platform can help to ensure that your information systems are compliant with SOx requirements. We’ve specially designed Concord Compliance and PCA to be comprehensive, yet practical and efficient, even for small organizations.
Our compliance library directly maps to the COBIT framework for managing information systems; COBIT is the most widely used framework for assuring IT SOx compliance. In addition, we also map to other common frameworks, like ISO 27001 and NIST 800, to provide added confidence in your systems. Further, our PCA platform documents that you have been managing your compliance program and staying up to date with all required activities. Not only do we provide you with a system designed to support key compliance requirements, our system helps you easily prove to auditors that you are maintaining compliance over time.
Taken together, Concord Compliance’s compliance programs and our Practical Compliance Automation™ software provide you with a foundation for passing audits and assuring your stakeholders that the services you provide are complying with Sarbanes-Oxley requirements.
Depending on the complexity of your information technology footprint, availability of your staff and leadership, and complexity of your compliance requirements, Concord Compliance can have your compliance program in place in as little as 45 days. During that time we can help you work with your customers’ compliance and vendor certification teams so they can understand the project dates and milestones and the comprehensive nature of the program being delivered. In our experience, the fact that you have engaged Concord Compliance as compliance professionals goes a long way to proving that you are serious about meeting your customer and partner requirements.
Compliance is an important part of doing business today, so compliance training needs to be taken seriously. We understand there are real concerns about the amount of time it takes to roll out a compliance program and to ensure that staff are properly trained. That’s why we carefully calibrate your rollout and compliance training to your unique requirements. Even if you have demanding financial services or pharmaceutical compliance requirements, we deliver programs that are practical and manageable.
At first, some of your big customers may seem to be pushing down some heavy requirements, but once their vendor certification or compliance department understands the scope of your Concord Compliance program things should settle down. Using the external compliance reconciliation (ECRs) functionality of our Practical Compliance Automation platform goes a long way towards helping your large customers understand that you are serious about meeting their requirements. ECRs provide an element-by-element tie out from your customer’s or partner’s compliance program to yours and provides a place to spell out mitigating controls that Concord Compliance has helped you develop to meet their requirements—requirements that may be appropriate for a 40,000 employee organization but, without an ECR, could crush your small company.
Practical Compliance Automation can be your single system to manage all of your IT, operational and functional compliance materials. Working with your internal functional compliance staff or external 3rd party FDA GxP or FINRA compliance consultants, Concord Compliance can deliver on all of your requirements in a manageable package including training, required activities and audit systems of record functionality.
No organization can outsource their responsibility for a compliance program even if they outsource the underlying processes. Even if you are outsourcing IT to an MSP or clinical research to a CRO, you are still required to establish and maintain a proper compliance program.
Organizations that do not have a compliance program when one is indicated are in the wrong, but organizations that identify the need for a compliance program, lay out the program and then fail to maintain it or cannot prove that they are carrying it out are demonstrating negligence against their own self-identified requirements. This can lead their customers, auditors, and regulators to speculate what
Practical Compliance Automation includes a powerful set of features we call External Compliance Reconciliation (ECR). This toolset allows you to map each element and requirement of your customer or partner compliance program to the custom compliance program Concord Compliance will deliver. ECRs also provide a place to document any mitigating controls necessary for your operations to meet their requirements. ECRs provide a critical connection to specific Compliance Activities surrounding those mitigating controls to leverage all of the tracking, attestation and audit power of the Practical Compliance Automation software platform.
Once you have a compliance program, the External Compliance Reconciliation (ECR) features makes it easy to map your program to your prospect, customer and partner compliance questionnaires. If time, complexity or resources are an issue our Concord Compliance consultants can always help develop your customer specific ECRs. When clients come to us in the midst of negotiating MSA and other contracts with key customers and partners, we can take a leadership role on their behalf to get through these discussions quickly and painlessly. Depending on the complexity of your information technology footprint, availability of your staff and leadership, and complexity of your compliance requirements, Concord Compliance can have your compliance program in place in as little as 45 days.
When it comes to your cyberinsurance applications and renewals, it is typically a simple matter to reference the various aspects of our program to the application questions. Some insurers are starting to require a compliance program to be in place before coverage is extended, in some cases even for renewals of long standing policies.
The Concord Compliance IT Compliance Framework includes all of the privacy standards and operating procedures necessary to meet current EU and Canadian requirements. As part of the annual Practical Compliance Automation subscription Concord Compliance will keep you up to date with changes in regulations, too.
Our Practical Compliance Automation portal can efficiently and cost-effectively manage all of your programs including your GLP/GCP/GMP compliance in life sciences and AML (anti-money laundering) and KYC (know your customer) requirements for financial services.
More and more organizations are finding that they collect, access and even store protected health information (PHI), even if they are not actually in the healthcare industry. The risks and penalties associated with the mishandling or inappropriately releasing PHI are very serious so we advise a conservative approach. During the assessment phase of your Concord Compliance project, we help you walk through the data you are collecting and how you are using it to see if HIPAA needs to be part of your compliance program.
While cloud applications are often a cost effective way to adopt solid, well run infrastructure and applications, you typically still need your own compliance program laying out your governance, systems usage and operating procedures.
We strongly recommend that your compliance program incorporate all of your systems and data. It can be very easy to overlook even small aspects of your technology footprint that open the door to major compliance vulnerabilities. Concord Compliance engagements include the development of a Graphical Systems Visualization™ (GSV), which maps all of your business operations to deployed applications and the infrastructure and network elements supporting the applications. The GSV helps both you and Concord Compliance see the interrelated nature of your systems and to make good decisions around which elements need to be covered by your compliance program. That said, even if you decide that some of your systems are not priorities for your compliance program, if any of your systems are breached or compromised, your reputation with your customers can suffer, even if the breach or data loss does not impact customer data.
Concord Compliance consultants are experts in compliance program development and management, but we are not CPAs. As such, we cannot do a formal audit for a public company or deliver SOC 1/2/3 reports. However, the annual subscription to Practical Compliance Automation™ includes an annual, independent review of your compliance maintenance activities. Optionally, we can do a deeper annual review and report of systems and compliance to meet more stringent customer requirements. We are finding that many customers and partners are accepting these annual reviews as sufficient evidence that you are managing and maintaining your compliance program.
We would hate to see you go, but Practical Compliance Automation™ includes functionality that allows you to output your entire compliance program for use offline with manual tracking.