How can BostonCOMPLY’s compliance programs and the Practical Compliance Automation™ software help me with SSAE 16/18 audits and SOC 1, SOC 2, and SOC 3 reports?
When you combine BostonCOMPLY’s comprehensive strategies, policies, and standards with automated tracking and documentation of compliance activities through our Practical Compliance Automation™ (PCA) platform, you have laid the foundation for successfully completing nearly any kind of IT audit, regardless of type.
If your organization operates information systems on behalf of other organizations, or if you provide information system services to other entities, there is a very good chance that you will be asked to provide one or more audit reports describing the controls you have put in place to protect your systems and services, and, by extension, how you protect your clients and partners.
The most common audit reports describe the findings from an SSAE 16/18 audit conducted by a CPA firm. These reports are typically called Service Organization Controls (SOC) reports and come in three flavors. SOC 1 reports focus primarily on maintaining internal control over financial reporting (ICFR), while SOC 2 and SOC 3 reports focus on information system security, availability, processing integrity, privacy, and confidentiality using the standard Trust Services Principles and Criteria. The AICPA issued the SSAE 18 SOC 1/SOC 2/SOC 3 structure as an update in May 2017, as a replacement for SSAE 16.
BostonCOMPLY’s compliance programs and our Practical Compliance Automation™ software fully support the standard Trust Services Principles and Criteria, and our direct mapping to frameworks like COBIT and ISO 27001 gives you the tools you need to painlessly meet your SOC reporting requirements. Also, by collecting and maintaining all of your compliance records in one place, the PCA platform can help your audits proceed more quickly and efficiently, translating to lower internal costs and disruptions and lower bills from the CPA firm performing your audit.
Taken together, BostonCOMPLY’s compliance programs and our Practical Compliance Automation™ software provide you with a foundation for passing SSAE 18 audits, getting favorable Service Organization Controls (SOC) reports, and assuring your stakeholders that you are fully in compliance and ready to do business.
I do business with citizens of the European Union, does this impact my compliance needs?
The General Data Protection Regulation (GDPR), effective May 25, 2018, standardizes data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). GDPR applies to all organizations holding and processing EU residents’ personal data, regardless of geographic location, and it can impose extensive financial penalties for noncompliance.
The BostonCOMPLY IT Compliance Framework includes the privacy standards and operating procedures necessary to meet current GDPR requirements. As part of the annual Practical Compliance Automation subscription, BostonCOMPLY will keep you up to date with changes in regulations, too.
There are so many regulations and so many different compliance standards. How can one platform help me with all of them?
Whether it is a law or regulation like HIPAA or Sarbanes-Oxley (SOX), an industry standard like PCI DSS, or a customer-driven requirement, these days it can be difficult for any organization to make sure that it is doing everything it is expected to do. On top of that, there are many technical frameworks and controls, like COBIT and ISO 27001, each with different emphases, that specify how things should be done. The good news is that BostonCOMPLY has painstakingly mapped all of the major regulations, standards, and frameworks onto the BostonCOMPLY Practical Compliance Automation™ (PCA) platform. By adopting our platform, you can track and demonstrate compliance with multiple regulations and requirements all in one place and all using one system. This approach of covering all bases is particularly valuable if you need an SSAE 18 audit.
In the unlikely event that you need coverage for an IT regulation or an IT requirement that BostonCOMPLY does not already support, we’ll be happy to work with you to add it. In fact, since the BostonCOMPLY IT Compliance Framework is so comprehensive, chances are that we already include most or all of what you need to be compliant with other regulations and requirements, so usually it’s just a matter of mapping those requirements into what we already do.
Can BostonCOMPLY help small and mid-sized companies that have Sarbanes-Oxley (SOx) compliance requirements or that provide services to publicly traded companies?
Most people know that all publicly traded companies in the United States must comply with the Sarbanes-Oxley Act of 2002. It is less well known that organizations that supply certain services to publicly traded companies also have Sarbanes-Oxley (SOx) obligations if those services might impact a public company’s financial reporting. Especially for small service providers, that can sound pretty scary.
Whether your company is publicly traded or provides services to publicly traded companies, BostonCOMPLY’s comprehensive strategies, policies, and standards and our Practical Compliance Automation™ (PCA) platform can help to ensure that your information systems are compliant with SOx requirements. We’ve specially designed BostonCOMPLY and PCA to be comprehensive, yet practical and efficient, even for small organizations.
Our compliance library directly maps to the COBIT framework for managing information systems; COBIT is the most widely used framework for assuring IT SOx compliance. In addition, we also map to other common frameworks, like ISO 27001 and NIST 800, to provide added confidence in your systems. Further, our PCA platform documents that you have been managing your compliance program and staying up to date with all required activities. Not only do we provide you with a system designed to support key compliance requirements, our system helps you easily prove to auditors that you are maintaining compliance over time.
Taken together, BostonCOMPLY’s compliance programs and our Practical Compliance Automation™ software provide you with a foundation for passing audits and assuring your stakeholders that the services you provide are complying with Sarbanes-Oxley requirements.
A potential new customer will not sign our MSA until we have a compliance program in place. How quickly can we get it implemented?
Depending on the complexity of your information technology footprint, availability of your staff and leadership, and complexity of your compliance requirements, BostonCOMPLY can have your compliance program in place in as little as 45 days. During that time we can help you work with your customers’ compliance and vendor certification teams so they can understand the project dates and milestones and the comprehensive nature of the program being delivered. In our experience, the fact that you have engaged BostonCOMPLY as compliance professionals goes a long way to proving that you are serious about meeting your customer and partner requirements.
How much time will my staff have to spend on compliance training?
Compliance is an important part of doing business today, so compliance training needs to be taken seriously. We understand there are real concerns about the amount of time it takes to roll out a compliance program and to ensure that staff are properly trained. That’s why we carefully calibrate your rollout and compliance training to your unique requirements. Even if you have demanding financial services or pharmaceutical compliance requirements, we deliver programs that are practical and manageable.
We are a small company; how can we meet the compliance requirements being forced on us by our Fortune 1000/Fortune 2500 customers?
At first, some of your big customers may seem to be pushing down some heavy requirements, but once their vendor certification or compliance department understands the scope of your BostonCOMPLY program, things should settle down. Using the External Compliance Reconciliation (ECR) functionality of our Practical Compliance Automation platform goes a long way towards helping your large customers understand that you are serious about meeting their requirements. ECRs provide an element-by-element tie-out from your customer’s or partner’s compliance program to yours and provide a place to spell out the mitigating controls that BostonCOMPLY has helped you develop to meet their requirements—requirements that may be appropriate for a 40,000-employee organization but, without an ECR, could crush your small company.
I already have functional compliance materials related to my FINRA or GxP requirements; what do I do with all of that? What about my industry’s professional code of ethics and conduct?
Practical Compliance Automation can be your single system to manage all of your IT, operational, and functional compliance materials. Working with your internal functional compliance staff or external third-party FDA GxP or FINRA compliance consultants, BostonCOMPLY can deliver on all of your requirements in a manageable package, including training, required activities, and audit system-of-record functionality.
I have outsourced my desktop and network support to a managed service provider and am working with a CRO. Isn’t compliance their problem?
No organization can outsource its responsibility for a compliance program, even if it outsources the underlying processes. Even if you are outsourcing IT to an MSP or clinical research to a CRO, you are still required to establish and maintain a proper compliance program. If your MSP is participating in BostonCIO’s Service Provider Ecosystem delivery model, we can configure Practical Compliance Automation to inherit the appropriate elements of your compliance program directly from your MSP. Not only can you inherit the program documents, but also the staff training, compliance activities, and attestations that the MSP undertakes on your behalf.
I am hearing that not managing and properly administering your compliance program may be worse than not having one at all; why?
Organizations that do not have a compliance program when one is indicated are in the wrong, but organizations that identify the need for a compliance program, lay out the program and then fail to maintain it or cannot prove that they are carrying it out are demonstrating negligence against their own self-identified requirements. This can lead their customers, auditors, and regulators to speculate what other corners they may be cutting.
My customers and partners want to see how my compliance program maps out to their compliance requirements. How do I handle that?
Practical Compliance Automation includes a powerful set of features we call External Compliance Reconciliation (ECR). This toolset allows you to map each element and requirement of your customer or partner compliance program to the custom compliance program BostonCOMPLY will deliver. ECRs also provide a place to document any mitigating controls necessary for your operations to meet their requirements. ECRs provide a critical connection to specific Compliance Activities surrounding those mitigating controls to leverage all of the tracking, attestation and audit power of the Practical Compliance Automation software platform.
How do current and future investors view compliance?
BostonCIO works extensively with the private equity community performing due diligence on potential acquisitions and strengthening systems and business processes within their portfolio companies. Investors are always looking to understand, manage and mitigate risk. Having a solid compliance program in place that you can demonstrate is being managed and maintained will check off an important box and can help avoid unpleasant valuation adjustments and funding hold backs.
Can BostonCOMPLY help me to land new customers and to win RFPs?
Once you have a compliance program, the External Compliance Reconciliation (ECR) features make it easy to map your program to your prospect, customer, and partner compliance questionnaires. If time, complexity, or resources are an issue, our BostonCOMPLY consultants can always help develop your customer-specific ECRs. When clients come to us in the midst of negotiating MSAs and other contracts with key customers and partners, we can take a leadership role on their behalf to get through these discussions quickly and painlessly. Depending on the complexity of your information technology footprint, availability of your staff and leadership, and complexity of your compliance requirements, BostonCOMPLY can have your compliance program in place in as little as 45 days.
I’ve heard that I might need cyberinsurance or my current policy is up for renewal. Can BostonCOMPLY help me with that?
When it comes to your cyberinsurance applications and renewals, it is typically a simple matter to map the various aspects of our program to the application questions. Some insurers are starting to require a compliance program to be in place before coverage is extended, in some cases even for renewals of long-standing policies.
I do business in Europe and Canada; how does that impact my compliance needs?
The BostonCOMPLY IT Compliance Framework includes all of the privacy standards and operating procedures necessary to meet current EU and Canadian requirements. As part of the annual Practical Compliance Automation subscription, BostonCOMPLY will keep you up to date with changes in regulations, too.
What do I do with other compliance items I need to track, like employee handbooks and safety training?
Our Practical Compliance Automation portal can efficiently and cost-effectively manage all of your programs, including your GLP/GCP/GMP compliance in life sciences and AML (anti-money laundering) and KYC (know your customer) requirements for financial services.
Do I really have to deal with HIPAA?
More and more organizations are finding that they collect, access, and even store protected health information (PHI), even if they are not actually in the healthcare industry. The risks and penalties associated with mishandling or inappropriately releasing PHI are very serious, so we advise a conservative approach. During the assessment phase of your BostonCOMPLY project, we help you walk through the data you are collecting and how you are using it to see if HIPAA needs to be part of your compliance program.
How does our reliance on cloud applications like Google Apps, Microsoft Office 365, Salesforce, or QuickBooks Online impact my compliance needs?
While cloud applications are often a cost-effective way to adopt solid, well-run infrastructure and applications, you typically still need your own compliance program laying out your governance, systems usage, and operating procedures.
Only a small portion of my systems contain customer or patient data; do I have to worry about all of my systems?
We strongly recommend that your compliance program incorporate all of your systems and data. It can be very easy to overlook even small aspects of your technology footprint that open the door to major compliance vulnerabilities. BostonCOMPLY engagements include the development of a Graphical Systems Visualization™ (GSV), which maps all of your business operations to deployed applications and to the infrastructure and network elements supporting those applications. The GSV helps both you and BostonCOMPLY see the interrelated nature of your systems and make good decisions about which elements need to be covered by your compliance program. That said, even if you decide that some of your systems are not priorities for your compliance program, if any of your systems are breached or compromised, your reputation with your customers can suffer, even if the breach or data loss does not impact customer data.
When my customers want an audit of my compliance program, can BostonCOMPLY do that?
BostonCOMPLY consultants are experts in compliance program development and management, but we are not CPAs. As such, we cannot do a formal audit for a public company or deliver SOC 1/2/3 reports. However, the annual subscription to Practical Compliance Automation™ includes an annual, independent review of your compliance maintenance activities. Optionally, we can do a deeper annual review and report of systems and compliance to meet more stringent customer requirements. We are finding that many customers and partners are accepting these annual reviews as sufficient evidence that you are managing and maintaining your compliance program.
What if I no longer want to subscribe to Practical Compliance Automation™?
We would hate to see you go, but Practical Compliance Automation™ includes functionality that allows you to output your entire compliance program for use offline with manual tracking.