REGULATORY COMPLIANCE AUDIT

Regulatory Compliance Audit

Regulatory Compliance Audit

Each of these should be well defined by the auditor before beginning the audit, in the pre-audit appointment. A growing body of regulation imposes enormous burdens on institutions to safeguard their information systems, transaction processes and sensitive databases. Among them are Sarbanes-Oxley (SOX), ISO 27001, Gramm-Leach-Bliley Act (GLBA), Fair and Accurate Credit Transactions Act (FACTA), Health Insurance Portability and Accountability Act (HIPAA), and the latest requirements, adopted as part of the ARRA of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Failure to comply with applicable regulatory standards can result in the exploitation of vulnerabilities by hackers and other cybercriminals. Identities may be stolen, and sensitive information abused for malicious profit. Security breaches can have far-reaching impacts, ranging from remediation costs and damages payable to victims, to the incalculable toll of negative publicity, customer churn, and lost business. For these reasons, compliance audits should be conducted on a regular basis.

SECNAP's professionally certified security auditors leverage a complete audit tool kit—in tandem with their extensive, in-depth experience in conducting compliance audits—to ensure that you receive useful, comprehensive information suitable for immediate action. Tools may include automated testing, network and wireless scans, personnel interviews, social engineering techniques, policy reviews, procedural and process evaluations, in-depth analyses and more.

By leveraging third-party support for compliance audit projects, organizations ensure that experienced, objective experts are engaged appropriately, and that in-house IT and audit personnel are able to remain focused on mission-critical responsibilities.

The Audit Period

At the beginning of an audit the individual or company will be notified of the audit period. This is important because it indicates the time frame of records that will be reviewed. A common time frame is three years. This means that records need to be available for the entire three-year period. However, the auditor will not likely audit the entire audit period. Sample periods are selected; for example, three quarters from the three-year period, might be analyzed extensively. Anytime failure to comply is found in these sample periods, or fraud is suspected, the auditor may extend the audit period beyond the initially stated time frame. To prepare for an audit, ensure the records from the indicated period are present and easily accessible to the auditor. Showing that the records are present and good record keeping practices were followed will often eliminate further investigation into other periods.

The Records Required

Before the audit begins, the auditor will also explain in detail exactly what records will be reviewed. Generally, they are looking for documentation of what was reported. For example, in a sales tax audit they are reviewing records to determine that the correct amount of sales tax has been collected and remitted. Records requested will likely include copies of sales tax returns to the state and federal government, general ledger, worksheets, canceled checks, purchase and sales invoices, exemption certificates, bank statements, and cash receipts journal.

Appeal Procedures

An auditor is required to provide the individual with a copy of the working papers used to determine the audit ...