For many service providers, compliance can be a tangled web of chaos, half-formed questions and unresolved headaches. You’ve got your own audit requirements to manage and you’ve got customer needs to meet. All while deciphering compliance language and auditor-speak.
Otava has been there, but they’ve found a way to make compliance audits hassle-free.
Otava is a hybrid cloud provider with various managed services to help companies achieve compliance and greater resiliency for their business. They primarily serve customers in the healthcare and financial industries, who have the utmost concern for data security and compliance.
We spoke with Otava Tech security officer Jason Yaeger about their auditing and compliance practices to find out how they’ve mastered their audits. Jason is responsible for all of Otava’s compliance audits, including implementation, rollout, and annual auditing. Here’s what he told us.
Mastering the Biggest Challenges of Compliance Audits
TCT: What are the biggest challenges for most compliance service providers?
JY: Once you have to do more than one or two particular audits, it becomes difficult to track what you need for which audits. It adds a ton of workload, because you now need to submit proof or documentation for multiple audits at one given time. And a lot of this information that you’re providing is the same information for different audits.
One of the challenges that we had initially was that we had three or four compliance standards to meet, and I wanted to know which control objectives were the same across the different standards. For example, this particular control point for PCI will meet another control point for HIPAA. Theoretically speaking, I should be able to provide the same evidence one time and map it to both audit requirements.
In the beginning, that was all managed in a spreadsheet. It was difficult, because we have at least ten different people supplying different information from different departments. The organization of the effort was a nightmare.
The other challenge was that, technically speaking, there’s no entity that says we need these audits. It’s all coming from the marketplace. If you don’t do these audits, it will be hard to sell your services to customers. So initially, it was a challenge to get the entire company bought into being audited so that we can provide better service—not just to sell more things.
At the end of the day, that’s what it’s about. Even for the companies that are required to do audits, it’s about making it so that their customers’ data is more secure (for example). A lot of companies do as little as they need to do to get the audit done. It takes a solid culture to do something that you’re not actually required to do and push it through and have everybody in the same boat rowing in the same direction.
So initially, there was a lot of “Why are we doing this? We don’t need to be HIPAA compliant.” Now it’s just a part of our company’s everyday life.
TCT: What are your challenges in sharing compliance documentation with your clients?
JY: Clients don’t always understand that our documentation doesn’t remove their requirement for being audited themselves. We can only solve a portion of their audits. A lot of the compliance is around internal policies and procedures that have nothing to do with our services—HR, for example, doing background checks. You can use our audits to satisfy a significant portion of your audit, but it doesn’t remove your responsibility.
Not all of our clients are TCT customers, but it’s easier with the TCT customers. When a customer uses TCT, they know exactly what gaps they need to fill. So there’s less time figuring out which control points overlap with our services. And if they’re using TCT, a whole bunch of their control points are automatically marked as in place because TCT knows that we’re either fully or partially responsible for that requirement. Basically, using the TCT Portal streamlines the audit management process for our clients.
TCT: What are your favorite tools to manage and track compliance?
JY: We started with spreadsheets, but we don’t use them anymore. They lack traceability, true accountability and security. Spreadsheets have their purpose, but they don’t scale to multiple audits or multiple contributors. They don’t give you a great report on where you actually are while managing the compliance process. If I’ve got one person responsible for 25 percent of evidence gathering, and they send it to me in an email, I have to update a spreadsheet to show that they submitted it. I don’t have a real-time report of where we truly are.
Spreadsheets create bottlenecks. You’ve got one person who wrote the spreadsheet managing documentation from ten different people. It’s just not organized or efficient.
TCT is the most helpful tool. It’s a great way to manage all of the evidence that needs to be gathered. But where it really helps is when you’ve got ten different people gathering evidence. When they log into the portal, they only see the things they need to supply for the audit. So it helps manage it across various departments and numerous people. Expectations are clear, and requirements are clear.
The other benefit is that we have a secure place to upload all the information, instead of using a myriad of methods.
TCT: Any advice to other service providers who are trying to figure out their own compliance mess?
JY: Have a phone call with TCT to see how they can help. If you’re having similar issues to these, reach out to see how TCT’s experience and software can help streamline your audits and make everyone’s lives easier.
Using TCT for our internal audit functions gives our management team and our board a higher level of confidence that we’re going to come out at the end of our audit with no exceptions. And if we are going to have an exception, we know about it early on.
TCT: Thanks for your time, Jason.
Master Your Compliance Tracking
Still trying to juggle the mess of audit documentation and struggling to know the status on evidence gathering? There really is a better way. TCT makes your compliance tracking clear and hassle-free.