Pretty much every industry and every type of business has some type of compliance it must be aware of and adhere to on a regular basis. Whether it is OSHA compliance for factory and warehouse workers, the Sarbanes-Oxley Act for a large corporation, or IT compliance for your small business, staying up to date on current regulations and ensuring compliance is a big task. That is why many companies hire a compliance officer and invest in a compliance department. If you are a small business owner, however, you may not have the budget for your own compliance department. In that case, the task of knowing every regulation that pertains to your business and staying in compliance with it falls squarely on your shoulders. Ignorance of the law is not a defense.
When it comes to IT compliance, the landscape seems to be constantly shifting as innovation and rapidly changing technologies drive the need for strong compliance to help combat cyber threats and protect consumer information. There have been numerous large data breaches in the news in recent years, and often the victims of these cyber-attacks were 100% compliant at the time of the attack; compliance is a floor, not a guarantee of security. Cybercriminals are constantly finding new ways to infiltrate the networks of small and large companies to harvest consumer information, carry out ransomware attacks for money, and steal trade secrets and other sensitive information. Because of this, it may be hard to keep up with new regulations as they become law; as a business owner, however, it is part of your responsibility.
Most recently, we saw companies change their focus from their competition, regulations, and investment risks to things like the pandemic, climate change, and supply chain risk. This quick pivot had and continues to have some major impact on today’s cost of compliance.
Why Are Compliance Costs Rising?
In recent years, IT compliance, and compliance in general, has become an increasingly larger portion of every company’s operating budget. From the hiring of additional employees like compliance officers and more IT professionals to the purchase of vulnerability scanning software and other network security tools, the costs seem to be going up with no end in sight. So how do you balance trimming compliance expenses without reducing oversight and protection?
“There are several factors in the economic environment right now that are driving up costs. One of those, for example, is the recovery following two years of shutdowns that had a major impact on industries, and now they are getting slammed with additional regulations – some at the federal level and some at the state level,” explained David Dunkelberger, a Partner at I.S. Partners who specializes in forensic investigation and fraud detection, SOC 1, 2 and 3 audits, information security assessments, financial controls and process enhancements, internal reporting, and strategic planning and development. “The risk assessment process has been almost entirely revamped, and businesses now must consider things they would never have imagined happening during their lifetimes.”
“The pandemic was one major event; now we have rising inflation, the global economy is not doing very well, and there are widespread supply chain issues and supply insecurity. All of these are increasing the cost of doing business, of just providing goods and services. These factors, both external and internal, are affecting the environment as far as compliance is concerned.”
We are also seeing a large drive in aversion to technology risk. So many companies are sharing data these days, whether it is customer data, internal data, confidential data or non-confidential data, and there is an increased flow of data from one place to another between B2B organizations. As a result, we have seen a large drive toward monitoring that data as it is transferred, and demand for mitigating measures such as SOC 2 compliance has increased severely. That is definitely driving demand for those goods and services, and in general it means increased monitoring of technology risk.
Another factor is the increased investment that organizations are making as their aversion to technology risk grows. Look at companies that handle PHI, for example: there are many fees and penalties that could be incurred if that data falls into the wrong hands. If an organization does not have the appropriate mitigating controls or techniques to stop that data from being breached, it can be subject to millions of dollars in fines. Because of this, many organizations are budgeting for the possible costs of a data breach in advance.
So, in response, the cost of compliance is increasing as organizations implement more monitoring techniques and take on greater engagements, such as a SOC audit, an internal audit, or a HITRUST assessment, in order to strengthen their cybersecurity posture. The same is true for all of an organization's third-party relationships; each organization wants to make sure that the vendors it works with maintain the same level of security.
Strategies for Optimizing Compliance Costs
Here are a few things you may want to consider in your approach to reducing compliance expenses without increasing the risk of operating outside the law, or exposing yourself to the dangers that compliance exists to protect you and your customers from.
1. Process Automation is Key.
We are seeing a great push in the market for automated platforms that help centralize various types of GRC programs. There is definitely some gain to be made from centralizing the location of that information.
Additionally, when particular risk management assessments and task processing become automated, the likelihood of error often decreases as the human element is removed from the equation. Not only are these processes then less labor-intensive, they are also more accurate.
Another positive aspect of automation is that scaling becomes much easier once risk assessment, task processing, and workflows are automated. As a company grows, so do its IT infrastructure, its workforce, and its scope of compliance. If automation is being fully utilized, it is much easier to adjust.
2. Combine Compliance Efforts.
Another solution that can optimize costs is the consolidation of compliance services. “When organizations need three or four different types of attestations or certifications, their compliance team should work to bring those efforts together. This saves costs by saving time: cutting out repeat tasks and eliminating duplicate work,” said David.
This also makes the compliance process less stressful by combining the information-gathering effort into one time period, rather than hunting for the information needed for three or four different sets of requirements at different times.
3. Invest in Compliance Resources and Personnel.
The best way to optimize compliance costs, and the approach that is going to deliver the most ROI, is having dedicated internal resources that really understand your contractual requirements, your regulatory requirements, and your commitments to customers to protect their data. Whether that staff is internal or outsourced, it provides the guidance and tools needed to ensure that your organization can get through an external or internal audit in a streamlined fashion.
We see many failed efforts by clients seeking a particular compliance certification. It is a challenge when they do not have the resources needed to actually get the audit done; the audit then ends up taking much longer, the whole process becomes more strenuous, and ultimately the implementation goals are not reached because of the lack of available resources.
Having a skilled internal or outsourced compliance officer can save you money in the long run. Having someone on board who understands the various costs of compliance, and the challenges particular to ISO 27001 versus PCI, for example, is invaluable in terms of time saved and headaches avoided.
While hiring a compliance officer or investing in a compliance department can be expensive, it is even more expensive to be caught operating outside of the law. Just remember that, on average, the cost of non-compliance is 2.65 times higher than the cost of compliance. Operating in non-compliance can result in heavy fines or restitution, or even put your business in jeopardy through the suspension of licenses or expulsion from the industry itself.
4. Constantly Address Any and All Cybersecurity Risks.
As we discussed before, a major part of a business's compliance effort has to do with IT regulation. Regulators have been consistently updating and adding IT regulations to help combat the rising threat of cyber-attacks and data breaches. Because of this, a responsible business should take a proactive rather than a reactive approach to cybersecurity. A company should prepare for when an attack occurs, not if.
Part of that preparation should include going above and beyond current regulations to help ensure the security and privacy of your customers' and employees' data and of your intellectual property. For example, if current regulations mandate a vulnerability scan of your entire network once every 90 days, consider scanning once a month instead. Additionally, should a cyber-attack or data breach happen to your company, you should already have procedures in place that spell out how to respond to the incident and how to prepare the required regulatory reporting.
Cybersecurity is one of the biggest investments a company may make when it comes to compliance; however, a company that is not proactive about cybersecurity risks even higher costs. Not only could a company be subject to fines for operating in non-compliance, but the consequences of a successful cyber-attack could be costlier still.
How I.S. Partners Helps Your Organization to Decrease the Costs of Compliance
First of all, as a CPA audit firm, I.S. Partners must address those risks for our clients and then modify our audit approach to consider events like the COVID-19 pandemic, the cost of a shutdown, and other regulatory factors.
Our company also feels responsible for understanding our clients’ growing aversion to technology risk and the potential monetary impacts of a data breach. At the same time, we know that our clients often have multiple industry standards and regulatory obligations that need to be addressed. That’s why we package compliance efforts into one service and map the controls across all the different attestations that need to be done.
Our automated client portal is a tool that we are currently using to help consolidate multiple efforts and streamline the compliance process. The application we use simplifies auditing by aligning similar types of requests and controls across multiple engagements. When a client is dealing with multiple compliance requirements at the same time, such as PCI, SOC, and ISO, we are able to streamline that process on the client side: if they upload something that is going to be necessary for all three engagements, we make sure it is added to all three of those engagements at once.