Regulatory compliance audits

What do compliance audits mean for your Business Continuity Programme?

Third-party payroll providers are important members of your extended enterprise and bring benefits to the company: cost efficiencies, subject matter expertise, access to geographies, resources, customers and, ultimately, revenue growth. However, the risks associated with third-party operations are disproportionately loaded on to the primary ‘parent’ company in the relationship chain. In the eyes of several cross-jurisdictional laws, and of public opinion, this ‘parent’ entity is expected to carry accountability for the actions and conduct not only of itself but also of its business partners.


CAIQ

The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. The CAIQ was developed to create commonly accepted industry standards for documenting the security controls in infrastructure-as-a-service, platform-as-a-service and software-as-a-service applications.

The CAIQ contains a series of yes or no control-assertion questions that can be customized to fit an individual cloud customer's needs. The CAIQ is intended to be used in conjunction with the CSA Guidance and the CSA Cloud Controls Matrix (CCM). The CAIQ is part of the CSA governance, risk management and compliance stack.

The questionnaire is designed to support organizations when they interact with cloud providers during the provider assessment process, by giving them specific questions to ask about the providers' operations and processes.

Cloud providers can use the CAIQ to outline their security capabilities and security posture to customers, publicly or privately, in a standardized way using the terms and descriptions considered to be best practices by the CSA.

Completing the CAIQ questionnaire usually takes a few hours and is considered only a first-level screening process; more intensive provider review processes are advised.

Benefits of the CAIQ

The CAIQ was designed to address one of the leading concerns that companies have when moving to the cloud: the lack of transparency into what technologies and tactics cloud providers implement for data protection and risk management, and how they implement them. Organizations should use the CAIQ as a first-level filter. After a provider passes that test, businesses should audit the vendor for more specific demonstrations of the controls that matter most to them.

Next steps after the CAIQ

The CSA STAR program consists of three levels of assurance (self-assessment, third party certification and continuous auditing) based on:

  • the CAIQ;
  • the CSA Cloud Controls Matrix (CCM); and
  • the CSA Code of Conduct for GDPR.


CGEIT

Certified in the Governance of Enterprise IT (CGEIT) is a vendor-neutral certification for experienced tech professionals. The CGEIT credential is designed to provide certification for those who direct, manage or otherwise support the governance of IT in large organizations and their extended third-party service provider capability. ISACA (Information Systems Audit and Control Association) developed and runs CGEIT, which is accredited by the American National Standards Institute (ANSI).

Information technology governance in organizations continues to grow in importance due to an ever-increasing reliance on IT to deliver services, along with the rising need to comply with complex laws and regulations concerning financial accountability, data security and protection, and privacy. As a result, the need arises for governance credentials such as Certified in the Governance of Enterprise IT (CGEIT), as well as others such as ITIL Expert, Certified in Risk and Information Systems Control (CRISC) from ISACA, and PMI Risk Management Professional from the Project Management Institute.

CGEIT Qualifications: Education and Experience

To receive the certification, candidates must pass a four-hour exam, which includes 150 questions and covers five areas: Framework for the Governance of Enterprise IT, Strategic Management, Benefits Realization, Risk Optimization and Resource Optimization. CGEIT-certified professionals also must have at least five years of cumulative work experience in IT enterprise governance, including at least one year defining, implementing and managing a governance framework. (Individuals may take the CGEIT exam before meeting the experience requirements, which must be met before the CGEIT designation is awarded.)

Additionally, CGEIT holders are expected to comply with the ISACA Code of Professional Ethics as well as the CGEIT Continuing Education Policy, attaining an annual minimum of 20 continuing professional education (CPE) hours in related coursework to reach a minimum of 120 CPE hours for a three-year reporting period.

Depending on the third-party payroll provider's clients, CGEIT certification can form part of their global business continuity and TPRM audit criteria.


CRISC

Certified in Risk and Information Systems Control (CRISC) is a certification program that recognizes knowledge and training in the field of risk management for IT. CRISC is one of many certifications available from the Information Systems Audit and Control Association (ISACA), which is accredited by the American National Standards Institute (ANSI).

CRISC can provide IT security professionals with a visible marker of experience and knowledge in risk management for the enterprise and financial sectors.

CRISC Areas of Risk Management

CRISC breaks down areas of risk management specialization into four domains:

  • Identifying risks
  • Assessing risks
  • Responding to and mitigating risks
  • Controlling, monitoring and reporting about risks

Within these domains, CRISC measures an individual’s ability to deal with risks in an enterprise business and to use information system controls.

Prerequisites for CRISC include three years’ experience in a risk management role, with at least one year in domain 1 or 2. Candidates must agree to uphold the ISACA professional code of ethics and comply with the continuing education policy. The certification has one requisite exam with 150 questions.

Individual experience and relevant certifications often form part of a third-party risk management (TPRM) and Business Continuity Program audit.


EBA

The EBA Guidelines on outsourcing arrangements set out the internal governance arrangements that credit institutions, payment institutions and electronic money institutions should implement when outsourcing internal services, activities or functions.

The EBA Guidelines require robust management and tracking of service provider risks. They specify that a policy for managing risk should be in place, including internal controls-based assessments and continuous monitoring of third-party outsourcing arrangements. The policy should be codified in a contract between the financial institution and the service provider, with proper documentation and reporting to support both remediation efforts and audits.

These requirements represent a full set of controls implemented across the outsourcer organization and are well beyond the scope of a simple automated scan of external-facing infrastructure.


GDPR

Organizations that collect, store, process, or transfer personal data of EU citizens must comply with this regulation. These data protection obligations extend not only to organizations operating within the EU, but also to any companies (payroll service providers and their downstream partners) outside of the EU that offer goods or services to EU residents.

To be compliant with GDPR, organizations must take the necessary steps to protect citizens’ data in their care, including data that is shared with third parties. Because many data breaches occur through third-party relationships, GDPR clearly states that third parties (known as data processors) must handle data privacy and security in a way that is compliant with the regulation. In fact, under this legislation, they are legally obligated to comply with all aspects of the regulation to ensure consistency and true protection for customers.

Under GDPR, regulatory authorities have greater power to act against companies that break this law, with fines totalling up to 4% of annual global revenue or 20 million euros, whichever is greater. It's therefore imperative to conduct due diligence of your organization's vendors, suppliers and other third parties to ensure they are adhering to GDPR requirements.


HSAW

This documentation serves as an overview of Health and Safety at Work.

Work from home is no different to work from the office: the employer has a responsibility for their employees’ health and safety, and investment in regular compliance audits helps support wider and longer-term Business Continuity Plans.

We and our partners know exactly what the law demands of your business. We have practical experience and understand how to balance compliance with commercial need. That’s why both small businesses and leading brands trust us to support their health and safety compliance. A business with a good reputation for safety is one that staff want to work for and other organisations want to do business with.

Risk assessments relevant to the law. P3 works with leading experts in each region:

We spot the health & safety hazards that put you on the wrong side of the law. Then we help you cut them out.

Practical fixes.

We give practical advice on how to remove risk and deliver duty-of-care. So you can be sure you’re not breaking the law, without breaking the bank.

A watertight written report. 

You get a written risk assessment from a health & safety expert that stands up to scrutiny if you ever face a claim in court. 

Improved employee wellbeing. 

Safe workers make better workers. Your risk assessment reduces the chance of work-related sickness and increases productivity.

A plan for growth. 

We give you an action plan to improve your health & safety and get the best for your business as it grows.


ISO 22301

Flood, cyber attack, supply chain failure or losing a key employee: disruptions to your business can happen at any moment.

Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible. Whether it’s a business, public sector organization, or charity, you need to know how you can keep going under any circumstances.

A good BC plan recognises potential threats to an organization and analyses what impact they may have on day-to-day operations. It also provides a way to mitigate these threats, putting in place a framework which allows key functions of the business to continue even if the worst happens.

ISO 22301, Security and resilience – Business continuity management systems – Requirements, is a management system standard published by the International Organization for Standardization. It specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptive incidents when they arise. It is intended to be applicable to all organizations, or parts thereof, regardless of the type, size and nature of the organization. The extent to which these requirements apply depends on the organization's operating environment and complexity.


ISO 27001

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.

The ISO 27001, 27002 and 27018 standards set requirements for establishing, implementing, maintaining and continually improving an information security management system.

ISO 27001 is the stringent evaluation of cyber and information security practices. It provides requirements for establishing, implementing, maintaining and continually improving an information security management system.

ISO 27002 is a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001. It helps organizations consider what they need to put in place to meet these requirements.

ISO 27018, when used in conjunction with the information security objectives and controls in ISO 27002, creates “a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor.”

With respect to managing information security in supplier relationships, Section 15 of 27001 and 27002 summarizes the requirements for securely dealing with various types of third parties.


ISO 27031

ISO/IEC 27031:2011 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization's ICT readiness to ensure business continuity.

It applies to any organization (private, governmental, and non-governmental, irrespective of size) developing its ICT readiness for business continuity program (IRBC), and requiring its ICT services/infrastructures to be ready to support business operations in the event of emerging events and incidents, and related disruptions, that could affect continuity (including security) of critical business functions. 

It also enables an organization to measure performance parameters that correlate to its IRBC in a consistent and recognized manner.

The scope of ISO/IEC 27031:2011 encompasses all events and incidents (including security related) that could have an impact on ICT infrastructure and systems. It includes and extends the practices of information security incident handling and management and ICT readiness planning and services.


ISO 9001

ISO 9001:2015 is an international standard that establishes the criteria for a quality management system. It is the only standard in the ISO 9000 family that results in a formal certification.

The standard is based on several quality management principles, including clear focus on meeting customer requirements, strong corporate governance and leadership commitment to quality objectives, process-driven approach to meeting objectives, and focus on continuous improvement.

ISO 9001:2015 helps organisations improve customer satisfaction by focusing on the consistency and quality of products and services provided to customers.


P3 Audit TPPPDS Validation

A comprehensive report covering gap analysis and exercise results, with documented priorities to mitigate risks in accordance with the third-party vendor client's Business Continuity Plan priorities.


PCI DSS

The PCI Security Standards Council operates programs to train, test, and qualify organizations and individuals who assess and validate compliance, in order to help merchants successfully implement PCI standards and solutions. The Council also qualifies payment hardware and software so that merchants select and implement approved solutions for securing payment data and systems.

Becoming PCI DSS compliant depends on the complexity of your payments environment, and the data security measures you already have in place. In fact, you may already be compliant and not realise!

Becoming compliant isn’t just a one-time task – you’ll need to take measures regularly to ensure you’re still complying with the rules. 


SSAE 16

Statement on Standards for Attestation Engagements no. 16 (SSAE 16) is a deprecated auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 (SAS 70) and has been superseded by SSAE No. 18.[1]

The "service auditor’s examination" of SAS 70 is replaced by a System and Organization Controls (SOC) report.[2] SSAE 16 was issued in April 2010 and became effective in June 2011. Many organizations that followed SAS 70 have since shifted to SSAE 16. Some service organizations use SSAE 16 report status to show they are more capable, and also encourage their prospective end users to make having an SSAE 16 report a standard part of new vendor selection criteria.

SSAE 16 has two different kinds of reports. A SOC 1 Type 1 report is an independent snapshot of the organization's control landscape on a given day. A SOC 1 Type 2 report adds a historical element, showing how controls were managed over time. The SSAE 16 standard requires a minimum of six months of operation of the controls for a SOC 1 Type 2 report.

SSAE 16 reporting can help service organizations comply with Sarbanes–Oxley's requirement (section 404) to show effective internal controls covering financial reporting. It can also be applied to data centers or any other service that might be used in the delivery of financial reporting.

SSAE 16 provides guidance on an auditing method, rather than mandating a specific control set. In this respect, it is similar to ISO 27001:2013.

Service Organization Control (SOC) 2 is a standard that is designed to provide assurance that an organization's systems are set up to cover the security, availability, processing integrity, confidentiality, and privacy of customer data.

These five core subject areas are commonly known as Trust Service Principles. The purpose of a SOC 2 (also referred to as a Type 2 report) is for an organization to detail the operational effectiveness of their systems based on the five principles. To achieve compliance against a SOC 2 assessment, organizations must develop a clear documentation framework, built around security policies, security procedures and supporting documentation.

The five principles are further defined to account for criteria common to all five of the trust service categories (common criteria) and additional specific criteria for the availability, processing integrity, confidentiality and privacy categories. Clear objectives of each principle are set out within the Trust Services Criteria and provide an organization with clear expectations to look for when validating or verifying security controls.
