Good companies talk about privacy and security; great ones back their words up with third-party audits.
At the most basic level, audits establish trust. Submitting to a privacy and security audit is not something that should be done lightly. It involves countless hours of work and resources, not to mention a significant capital investment to execute. Note that I describe it as an investment, not an expense.
Audits should not be viewed as a cost of doing business. Instead, they should be seen as an investment that bolsters your clients’ faith in your capabilities and systems. This is particularly important for direct marketers, because an audit gives clients evidence that the data they are using is high quality and privacy-compliant, which is what lets them execute effective programmes and campaigns.
But audits do more than put clients at ease. They help manage the rising threats and associated risks of handling and securing data. In a rapidly changing environment, one that is rightly under increasing scrutiny around privacy and security, audits push businesses that work with data to innovate and improve.
Not only do auditors make sure businesses have the right policies and procedures in place, but they also demand evidence to prove you are adhering to those rules as part of your daily routine. A thorough auditor will perform checks in your offices to ensure desks are clear of sensitive client information, that your server rooms have proper physical access controls and that hard copies of client information are destroyed when they are no longer needed.
What does a privacy and security audit entail?
For those unfamiliar with the process, data and security audits serve several essential functions. For starters, they provide focus and act as a persistent reminder that a business must keep up with the best practices and standards issued by the industry. They ask questions like: are the data on your servers and backups encrypted? How often do you patch your servers? Are employees trained on security? Do you have quality controls? Can you produce a complete data inventory? Do you destroy data, and what is the process? In total, to comply with an audit such as SOC 2, the accounting firm that issues the report will review more than 100 items to ensure adherence to industry best practices.
More than a month before the auditors arrive, stakeholders from finance, operations, legal, software development, research, project management, IT, human resources, office administration and sales should clear time to collect supporting evidence and prepare answers to auditor questions. This team (under project management leadership) should conduct a gap analysis, map the existing controls, and perform internal audits and other related tasks. By the time the auditors arrive, your staff should be armed with hundreds of pages of documents, ranging from basic policies and procedures to operating manuals, checklists and signed contracts. Ideally, companies should already have logs and digital records ready for auditors that demonstrate file transfers involving client data are conducted securely and deliver the correct content.
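The transfer evidence mentioned above is easier to hand over if it is produced by a script rather than assembled by hand the week before the visit. The following is an added example, not code from the original article or from any audit framework. It assumes a hypothetical line-oriented transfer log in the format shown in SAMPLE_LOG (constructed here for illustration); real SFTP servers and managed-file-transfer gateways each have their own log formats and would need their own parser. It summarises how many client transfers used an encrypted protocol and lists the records an auditor would ask about: transfers over a plaintext protocol, and transfers whose integrity check did not pass.

```python
"""Summarise file-transfer logs as audit evidence.

Added example, not from the original article. The log format below is
hypothetical and the sample lines are constructed, not real client data.
"""
import re
from collections import Counter

# Protocols that encrypt data in transit. Anything else is flagged.
ENCRYPTED_PROTOCOLS = {"sftp", "ftps", "https", "scp"}

# Constructed sample log lines in the hypothetical format (not real data).
SAMPLE_LOG = """\
2024-03-01T09:12:44Z proto=sftp user=acme-upload client=ACME file=/in/acme/list_2024-03.csv bytes=1048576 sha256=ok
2024-03-01T09:40:02Z proto=https user=beta-portal client=BETA file=/in/beta/suppressions.csv bytes=20480 sha256=ok
2024-03-02T14:05:17Z proto=ftp user=legacy client=GAMMA file=/in/gamma/export.csv bytes=512000 sha256=ok
2024-03-03T08:00:00Z proto=sftp user=acme-upload client=ACME file=/in/acme/list_2024-03b.csv bytes=1048580 sha256=mismatch
this line is not a transfer record and should be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\S+)\s+user=(?P<user>\S+)\s+client=(?P<client>\S+)"
    r"\s+file=(?P<file>\S+)\s+bytes=(?P<bytes>\d+)\s+sha256=(?P<sha>\S+)$"
)


def parse_transfers(text):
    """Yield one dict per well-formed transfer record; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def audit_summary(text):
    """Return counts per protocol plus the findings an auditor would query."""
    records = list(parse_transfers(text))
    by_proto = Counter(r["proto"] for r in records)
    findings = []
    for r in records:
        # Client data must move over an encrypted channel.
        if r["proto"].lower() not in ENCRYPTED_PROTOCOLS:
            findings.append(f"{r['ts']} {r['client']} {r['file']}: plaintext protocol {r['proto']}")
        # The receiving side verified a checksum; anything but "ok" is a finding.
        if r["sha"] != "ok":
            findings.append(f"{r['ts']} {r['client']} {r['file']}: checksum {r['sha']}")
    return {
        "transfers": len(records),
        "by_protocol": dict(by_proto),
        "encrypted": sum(1 for r in records if r["proto"].lower() in ENCRYPTED_PROTOCOLS),
        "findings": findings,
    }


if __name__ == "__main__":
    s = audit_summary(SAMPLE_LOG)
    print(f"{s['encrypted']}/{s['transfers']} transfers used an encrypted protocol")
    for finding in s["findings"]:
        print("FINDING:", finding)
```

Run it against the sample and it reports that three of four transfers used an encrypted protocol and lists the FTP transfer and the checksum mismatch as findings. Keeping a dated copy of this output alongside the raw log, rather than the summary alone, is what lets an auditor trace each number back to the evidence.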
To their credit, the auditors don’t leave you any room to hide. Not surprisingly, in an industry that is continuously experimenting with new technologies, the things they look for are constantly changing, which is why it’s critical to submit to this process every year. For instance, in the past year the SOC 2 trust services criteria were updated to focus on risk management, incident management (breach protocol) and ongoing as well as periodic internal evaluation of relevant controls. As a result, auditors this year will examine your policies and processes and conduct data fire drills and training exercises to make sure they meet all of the requirements.
Proof of exemplary service…