Compliance as a Service: A buzzword or a new trend in business?

With nearly half of all businesses experiencing data breaches in 2014 alone, it’s almost like they’ve become a regular part of doing business.

But when serious legal and reputation ramifications accompany a business’s failure to protect sensitive information, preventing them becomes a lot more important. Still, this doesn’t rectify the fact that companies continuously struggle to handle regulatory compliance in-house — nearly 80 per cent of businesses fail their interim Payment Card Industry compliance assessments.

And when cloud service providers started to pick up on this need, a new trend was born: “compliance as a service.”

But it’s important to remember that when you hand over information and processing to another company, you’re outsourcing your business processes. And outsourcing a compliance-related business process doesn’t remove your company’s ultimate legal accountability for maintaining it. After all, a healthcare system could shop for a cloud company to carve out a portion of the compliance rules and protect information and records, but the agreement doesn’t release your company from its obligation to HIPAA.

When you consider paying for compliance as a service, you must take an honest look at your small business’s needs and responsibilities and weigh the risks against the returns.

The Pros and Cons of Compliance as a Service

If you’re involved in highly regulated industries like healthcare or financial services, you may want to think about using compliance services from cloud-based companies as they can enhance your compliance initiatives and help ensure you stay abreast of continued updates.

Getting help with compliance can increase efficiency in small businesses in particular by decreasing the amount of documentation required by regulatory bodies that you or your employees must personally administer and oversee. It can also cut down on the cost of managing HIPAA regulations or other industry-specific compliance issues. This can include offerings such as vulnerability scanning, data encryption log monitoring, access management, and several other tools that can be difficult for smaller organisations to manage themselves.

On the other hand, carving out portions of compliance requirements may make you feel too comfortable. If you assume that another company has taken care of your risks and legal responsibilities when it hasn’t, your business will be the one that pays for any slipups — and those fines can be financially devastating to small businesses. Relying on someone else to ensure your compliance may muddy the waters and leave certain responsibilities to chance.

Additionally, some cloud companies may pitch one-size-fits-all compliance services that may not work well with your company’s need to mitigate specific risks. Remember, the cloud is not a magic box; behind the curtain are servers, hardware, and networking equipment. Before you hire a vendor, make sure its account representative asks the right questions that demonstrate a deep understanding of your industry and a thorough comprehension of your basic needs.

If you fully understand the risks and decide to go ahead with using compliance as a service, then you’ll need to reflect on three key areas before choosing a provider:

1. Knowledge

Does the vendor have in-house expertise about the compliance risks specific to your industry? Do you understand your own requirements? A failure to answer these two questions could result in hiring a service provider who doesn’t fully comprehend your needs. Don’t bite on a sales pitch unless you have access to that firm’s third-party assurance reports.

An example includes Service Organisation Control reports that are actually mapped to your specific compliance requirements. Without an assurance report that maps back to your specific compliance requirement, you can’t possibly know whether a service company is creatively pitching or telling the truth about its capabilities.

2. Transparency

Outsourcing infrastructure doesn’t entail sending information off in a vacuum, never to be seen again. You must have the opportunity to log in and monitor your vendor in real time. Make sure the company you hire offers ongoing blog posts, updates, vulnerability reporting, and anything else that’s beneficial for your business. You must have unfettered access to see what’s happening with your sensitive information at all times.

3. Personalisation

Many service providers offer a variety of solutions. Make sure the vendor you choose understands your business and can outfit your IT infrastructure with appropriate safeguards. Your data must be placed on a server in the company’s actual environment, with all defenses enabled. Learn what the vendor is doing in its various server locations, and make sure you understand how the servers are maintained. Finally, check with other businesses managed by the service provider to ensure it follows through on the scope of its reporting.

Companies often view compliance as a burden and are thrilled to find out that someone else can help out. The “cloud” is a raging buzzword at the moment, and as a result, few businesses take the time to think about how these systems actually operate. That’s why you must perform due diligence to find secure solutions for your compliance as a service provider. Happy hunting!

Brad Thies is principal at Barr Assurance & Advisory Inc., a risk consulting and compliance firm that provides business performance, information technology, and assurance services to clients across a variety of industries. He specialises in helping clients assess, design, and implement processes and controls to meet customer, regulatory, and compliance requirements. Brad is a certified public accountant and a certified information system auditor with more than 10 years of experience in the industry.