Because of the complexity of today’s threats and the innovation of new businesses, it’s not uncommon for organizations to pursue multiple compliance goals at the same time.
Let’s say you provide IaaS solutions – you may want not only a SOC 2 attestation, but also HIPAA compliance for the healthcare clients you serve. Let’s say you’re a payment processing SaaS who needs PCI compliance and a SOC 2 attestation. When an organization is pursuing multiple compliance goals, it’s crucial to find an auditing firm who has the technology and expertise to not only streamline your process, but also use your resources in the most responsible way.
At KirkpatrickPrice, we utilize our Online Audit Manager to do so. Let’s discuss the common challenges that come along with pursuing multiple compliance objectives and the solutions we provide.
Road Blocks for Multiple Compliance Objectives
We see three common challenges when companies try to undergo multiple audits: a heavy focus on remote auditing, a steep price, and a lack of expertise.
Many auditing firms simply don’t have the necessary certifications and experience to provide a wide span of information security audits. Let’s go back to the SaaS example – to gain a SOC 2 attestation, you’ll need a CPA firm that has auditors who specialize in information security. To gain PCI compliance, your audit needs to be performed by a QSA. Looking for a CPA firm that’s also a QSA firm may prove to be challenging, but you want to perform due diligence to find a qualified, experienced information security auditing firm. If not, you’ll have to work with several different firms and several different auditors, who all have different processes.
Many auditing firms market themselves as the firm that doesn’t have to waste time and money on onsite visits because of their online portal (which is actually just a document upload site). They tout “100% remote auditing” as their best feature. If you’re an organization who wants to check information security off your to-do list, these types of firms could be a good fit for you. We believe that an audit that is completely remote is actually a disservice. When we created our own portal with remote auditing functionality, we never intended to use it to make ourselves an “only remote auditing” firm. Onsite visits are needed to witness physical security controls, company culture, integrity, and to cultivate the best partnership possible. Don’t choose a firm who pushes a full remote audit.
With the development of online portals came new software providers. They offer a GRC portal as a service, but not the actual auditing. At KirkpatrickPrice, that’s not the way it works. We’re not going to charge you separate prices for an audit and for the use of our Online Audit Manager.
Shane Shissler, Technical Services Manager at Anexio, put it this way:
“Other GRC products are really great, but as I was watching demos, I realized that your portal did so much of the same stuff. Your portal essentially does all of the same things and has many of the same functionalities. Companies are charging up to $5,000 a month to use their GRC software. Your Online Audit Manager is automatically granted with doing the audit; it’s included in your pricing. Not only does KirkpatrickPrice do a great job with your reports and pricing, but with that report and that audit, you also give access to your portal which maps multiple frameworks. It’s just such an added value.”
The Online Audit Manager: Multiple Audits, One Solution
When an organization asks why they should work with KirkpatrickPrice, we can’t help but talk about our Online Audit Manager. When Joseph Kirkpatrick began his career in the information security industry, he noticed a major gap: there was no way to perform multiple audits through a single process. Thus, our Online Audit Manager was created. KirkpatrickPrice was the first authorized company to provide multiple audits through an online portal process.
Our Online Audit Manager isn’t intended for 100% remote auditing or solely a tool to store documents. Our portal is the way our auditors, audit support staff, technical writers, and client success team interact with clients and manage the audit progress. It’s how we combine multiple audit frameworks into one audit. The portal acts as a guide through the audit control objectives, allowing each client to organize their requirements and document their process.
Steve Grzybinski, Director of Security, Compliance, and Technology at Connectria Hosting, explains:
“What used to be difficult has become easier after incorporating the KirkpatrickPrice portal into our processes. KirkpatrickPrice has made the audit process more efficient with the tools and partnership mentality that they bring to the table. The online portal that allows us to combine all of the questions from all of the audit disciplines that we require has made this effort quicker, easier, and more engaging. The KirkpatrickPrice team has become an extension of the Connectria team throughout each exam effort. This harmonization is important for minimizing duplication of effort for any organization that must demonstrate compliance in multiple audit disciplines. Year over year, we continue to grow and improve our auditing processes. Connectria has been able to create repeatable automated processes for vulnerability management, evidence gathering, and monthly reporting after engaging with KirkpatrickPrice.”
If you’re wondering how you can meet all of your compliance goals, let us walk you through an Online Audit Manager demo and discuss your compliance plan. With KirkpatrickPrice, it may be more achievable than you think!