Posted by: Charles Denyer
audits, Compliance, GLBA, HIPAA, regulatory compliance, SAS 70, SOX
The compliance pendulum is in full swing, pointing heavily towards some very common legislation, audits, and other governance mandates. From the Sarbanes Oxley Act to HIPAA, Gramm Leach Bliley (GLBA) and numerous other federal and state legislative laws and rulings, companies are spending enormous time, money and effort for regulatory compliance.
And with all laws and edicts that come out of our nation’s capital and from various state legislatures, there’s the good, the bad, and the ugly. Let’s take a quick peek at these rulings, their impact, and what the future holds for the compliance crystal ball. My opinions are based on over a decade of audit experience, primarily with information systems, so I hope to provide you with information that is factual, unbiased and practical. Let’s begin with probably the most notable, the Sarbanes Oxley Act of 2002.
After the corporate scandals, Sarbanes Oxley (SOX) was quickly put into effect, and the ramifications have been staggering indeed. Not only have companies spent a tremendous amount of money on being compliant, but many other regulatory compliance edicts have grown as a result of SOX. One of the most notable is the SAS 70 audit. Be it a SAS 70 Type I or a SAS 70 Type II audit, service organizations are under the microscope, being required to be SAS 70 compliant. This stems primarily from section 404 of the SOX act and its requirement that management certify internal controls, many of which have been outsourced to third parties. If your organization is currently facing SAS 70 Type I or Type II compliance, then it would be a good idea to learn more about what SAS 70 really is.
As for HIPAA and GLBA, these laws have also resulted in mandatory provisions surrounding the security of confidential data, such as medical records and customer information. As with SOX, SAS 70 audits have quickly become the de facto audit for ensuring organizations are adhering to HIPAA and GLBA requirements.
These are currently three of the biggest laws requiring organizations to undergo a slew of compliance audits, with many pointing towards the SAS 70 auditing standard.
The payment card industry (PCI) is also having big ramifications for regulatory compliance, as many organizations need to undergo a PCI QSA assessment. The PCI standards are geared towards organizations that process and hold sensitive credit card information.
What’s important to note is that with SOX, HIPAA, GLBA, and other laws, this is really just the beginning of the compliance game. Many new laws and mandates will no doubt be coming down from the halls of Congress and various state legislative sessions.
Stay informed on these rulings as they will no doubt have serious financial and operational ramifications on your organization.