Critical Documentation

You hear us repeat it over and over again: if it’s not written down, it’s not happening. Documentation is a critical component of any organization. Policies and procedures are vital to your business operability, business continuity, consistency within your organization, training new employees, controlling risk, meeting regulatory compliance requirements, meeting client requirements, and so much more. Policies and procedures demonstrate how you conduct your business.

What is a Policy?

A policy is an executive-level document that defines that something must be done. It is a statement of management intent. Policies are the law at your organization. An effective policy should outline what employees must and must not do, along with the directions, limits, principles, and guides for decision making.

Policies can be rules, acceptable or unacceptable behaviors, limits, approval authorities, consequences for non-compliance, who needs to know, etc. They answer questions like: What? Why?

What is a Procedure?

A procedure is the counterpart to a policy; a policy defines that something must be done, but a procedure defines how you do it. It is the process to fulfill management intent. It is the instruction on how a policy is followed. A policy defines a rule, and the procedure defines who is expected to do it and how they are expected to do it.

Procedures answer questions like: How? When? Where?

Policy and Procedure Creation

Individuals with the appropriate authority need to be involved in drafting policies and procedures. When creating new documentation or amending existing documentation, there should be a process for checking for conflicts with existing documents, checking for legal requirements, and ensuring the document discusses all necessary topics. A formal review process is also necessary to keep all policies and procedures up to date. Policies and procedures should be reviewed at least annually.

Communication is key to putting policies and procedures into action. Even if a policy or procedure is perfectly crafted, if it’s not in effect, then it’s worthless. Policies and procedures should be documented, in use, and known to all affected parties. Your personnel must be living out what the policies and procedures require of them. It is not sufficient that you generate documentation just for the sake of an audit.

If you want to learn more about how to write effective policies and procedures, check out our Style Guide to Creating Good Policies and our Style Guide to Writing Good Procedures.

Documented policies and procedures are critical components of an effective compliance management system. In some ways, if a regulatory agency doesn’t see documentation, then they consider that a policy or procedure isn’t happening at all. Policies and procedures help create consistency and standards within an organization, and are key in training new employees. Policies and procedures are also effective in monitoring and auditing internal company practices. In order for policies and procedures to be effective, they should be reviewed whenever laws or requirements change, or at least annually.

The end of the year is rapidly approaching, and so is the deadline for those completing a Q4 audit! It’s not hard to imagine what Santa and his Elves feel like as they rush around to get everything in order and ready for their big day.

Just as the Elves help Santa to ensure everything gets done in time, our auditors are committed to helping you make sure you have everything in place working effectively to successfully complete your audit on schedule. Here are 6 tips on how to pass an audit in time for year-end.

How to Pass an Audit in Q4

To better prepare for your upcoming audit, here are six tips that companies across all industries can find helpful:

1. Perform a Risk Assessment

Risk Assessment. Risk Assessment. Risk Assessment.

It always starts with a Risk Assessment. What better way to identify your assets and prioritize your unique risks than by performing a regular risk assessment? Not sure if you have all of the necessary controls in place to properly protect your assets and mitigate risks? Don’t worry – your annual risk assessment will help you with that. Not only is a risk assessment mandated by most audit frameworks, but it’s also a critical component of any information security program.

2. Documentation Inventory

Are you maintaining audit logs? Do you have proof of employee acknowledgement of policies and procedures? Are you keeping all necessary records for your auditor to review?

Waiting until the last minute to pull all of your documentation together can make preparing to pass an audit seem much more tedious and stressful than is actually necessary. Veterans of the audit process will highly encourage companies to continuously collect and maintain necessary documentation in order to be prepared year-round for an audit.

3. Policy and Procedure Review

Reviewing your policies and procedures on an annual basis is a good way to ensure that there are not any gaps in your controls and processes. It is also the perfect opportunity to be certain that everything you say you’re doing as an organization is formally documented and communicated to all relevant personnel.

When it comes to compliance, we’ve all heard the adage, “If it’s not written down, it isn’t happening.” This is good advice when it comes to preparing for an audit, because your auditor won’t be interested in hearing about your processes; they will need to see them documented on paper and see evidence that they are living and breathing documents that continuously change and mature with your organization’s environment.

4. Employee Training

A strong defense is the best defense. Regularly training your employees on security awareness and the importance of security and compliance can help put your mind at ease when it comes to knowing they are taking the right steps and precautions to protect organizational assets. A culture of security awareness and compliance must start from the upper-management level and trickle down to the employee level in order to make the best impact. Security training programs should educate employees on policies and procedures as well as basic security awareness.

5. Vendor Compliance Management

Are you properly managing your vendors to verify that they are complying with information security and compliance requirements and best practices? Vendors pose a risk to every organization, so it’s imperative that you’re doing your due diligence to mitigate those risks. Do you have all of your documentation of proper vetting prepared and ready for your auditor to review? What is your onboarding process? Off-boarding? Do you have vendors sign a non-disclosure agreement? Learn more vendor management best practices with our vendor compliance assessment.

These are the pieces you’ll want to have together in order to successfully pass your audit in Q4.

6. Work with your Auditor

When it comes to completing an information security or compliance audit, your auditor is your greatest resource and is not to be feared. Work with your auditor to show them you’re committed to the audit and remediation process and improving your environment. If they show you that a control you have in place is insufficient, work with them to make the appropriate changes for follow-up, and most importantly, be honest. A good auditor won’t work with you to simply check a box, they will work with you to ensure that your organization is secure and compliant.

So as you wrap up your Q4 audit this year, remember not to overcomplicate it. Gain audit participation from your entire organization by explaining the importance of security to your business operations. Working together with your organization and your auditor can help you achieve greater levels of security and compliance at your organization.

If your customers rely on you to protect consumer information, chances are you may be asked to produce an SSAE 16 audit report. An SSAE 16 audit reports on the controls at an organization that are relevant to, or may affect, a client’s financial statements. This standard is designed to demonstrate that an organization has proper internal controls and processes in place to address information security and compliance risks. It’s not uncommon to have a million questions the first time you decide to engage in an SSAE 16 (SOC 1) audit. Where do we start? What does this entail? Will we fail? Here are 10 things you can do to begin preparing for your SSAE 16 audit.

1. Risk Assessment

If you look at any compliance or information security framework, audit, or standard, they all require a risk assessment. Accordingly, performing a formal risk assessment is the best starting point in preparing for your upcoming SSAE 16 audit. A risk assessment helps you understand what you’re doing as an organization and can help identify any risks in your environment. Based on your assessment, the implementation of controls should be reasonable and feasible. A written, formal risk assessment should be performed by a cross-section of departments and employees.

2. Evaluate Client Requirements

Who are you serving as a market? Are you providing services to retail organizations? Healthcare organizations? The federal government? Financial services organizations? Your answers determine the laws and regulations that apply to you and how you deliver your services. What do your clients expect from you? What does your contract say you’re providing? As a service provider, your audit’s scope is shaped by your service delivery methods, and client requirements should be evaluated in order to understand what is expected and reasonable. Don’t forget to evaluate contracts and service packages to ensure that expectations have been properly documented.

3. Regulatory Implications

In order to prepare for your SSAE 16 audit, you must determine what your regulatory responsibilities are based on your locale and the customers you serve. For example, if you’re serving the healthcare market, you’ll be responsible for complying with the relevant sections of the HIPAA/HITECH Act. If you’re serving the financial market, then GLBA is relevant. If you’re serving publicly traded companies, SOX is relevant. If you’re serving the federal government, you must comply with FISMA. Taking into consideration each regulatory framework that applies to you will help determine what’s important to consider when preparing for your SSAE 16 audit.

4. Service Delivery Controls

One of the biggest risks that businesses may overlook (since it’s not a security breach) is operational risk. As auditors, we look for things that deal with operational efficiency, catching errors, and quality assurance. These are all important factors that make up a set of service delivery controls. What controls do you have set up along the service delivery process? A helpful way to manage service delivery controls is by creating a data flow diagram of the life-cycle of your service delivery model. Take us step by step through the entire process.

5. Written Policies & Procedures

This isn’t the first time you’ve heard us say this, and it won’t be the last. The most important thing to remember when developing policies and procedures to prepare for any audit is “if it’s not written down, it didn’t happen.” Having a formally written and fully documented set of policies and procedures is paramount for an SSAE 16 audit because these are what we audit against. If your policy says you do X, Y, and Z, we will perform a test against that policy to verify that you do, in fact, do X, Y, and Z. Having a formal set of written policies and procedures also helps guide employees on company expectations and consequences and provides guidance on the proper execution of service delivery. Policies and procedures should be fully endorsed by senior management and updated by the authorized individual at least annually.

6. Training

When trying to prepare for your SSAE 16 audit, policies and procedures and training often go hand in hand. It’s essential that employees receive job-specific training to ensure full compliance with all company policies and procedures. Did all employees attend? Did all employees comprehend? Is there some kind of acknowledgement form that was signed saying they have been presented with and understand what’s expected of them as an employee? Since, for example, HR, IT, and Production are all responsible for different aspects of the business, training should be as job-specific as possible. Another type of training that is critical in the current threat landscape is security awareness training. Employees should be trained annually to keep them vigilant in understanding the types of threats that are out there.

7. Vendor Management

Vendors represent a risk to every organization. Your requirements for each vendor may vary based on the risk that vendor poses to your organization. For example, a VPN-connected vendor introduces different risks than a cleaning service. As far as managing your vendors, on-boarding and off-boarding procedures are just as critical for vendors as they are for employees. What are you going to require for the on-boarding process? A signed non-disclosure agreement? Verification that they perform background checks on their employees? Verification that they are in compliance with any relevant information security and regulatory compliance requirements? Effective policies, training, and monitoring can greatly reduce your vendor risk. Be sure to include a right-to-audit clause in your contract.

8. Physical Controls

Your physical controls address restricting access to your physical environment. These controls cover things like controlling how someone comes in and out of your facility, tracking visitors, and keeping a log. Access controls can generate logs to verify access granted and denied. Video footage can be helpful after an incident to determine the impact. Visitor procedures are important for documenting historical events. Are there additional checkpoints or limited access once inside? Access to sensitive areas should be restricted on a strictly business-justified basis. Assessing your physical controls is important when you prepare for an SSAE 16 audit.

9. Security Controls

When we talk about controls that affect “security”, we are talking about CIA: Confidentiality, Integrity, and Availability. If an important document containing sensitive information is stolen, then the confidentiality of that document has been compromised. If you’re storing an important hardcopy document that has gotten wet and is now unreadable, then the integrity of that document has been compromised. If something has gone missing, like an important filing cabinet full of sensitive documents, but hasn’t been taken by an unauthorized person, then the availability of the documents inside the filing cabinet has been compromised. Putting administrative, technical, and physical controls in place can help you address each of those areas of security.

10. Availability Controls

Availability controls include things such as Business Continuity and Disaster Recovery Plans. These are critical for maintaining availability to your customers. Other availability controls to consider when preparing for an SSAE 16 audit are data backups, network monitoring, and cross-training employees.

Companies are looking to do business with vendors who understand these issues. Being proactive about undergoing your SSAE 16 audit can make the difference in winning your next big deal and in earning the trust and respect of the clients you serve.

KirkpatrickPrice strives to be your partner. Engaging in an SSAE 16 Audit doesn’t have to be a scary thing and we are here to offer help every step of the way with recommendations and resources to help strengthen your environment. If you’re ready to get some help, contact us today.