Four Key Insights from the 2021 Compliance Benchmark Report

Compare your compliance program to A-LIGN’s compliance benchmark report. 

In the world of security and privacy compliance, the rules and regulations change frequently. Current events such as the 2020 SolarWinds attacks raise new concerns, and evolutions in frameworks and new national or regional regulations, such as the California Privacy Rights Act (CPRA), drive the need for new controls, policies, and procedures.  

From risk managers and IT leaders to cybersecurity experts, compliance teams need to stay one step ahead of the latest regulations and avoid being caught off-guard, which could result in fines and lost customer trust. 

And, of course, the last year has been an especially trying time due to the COVID-19 pandemic. Ensuring compliance with cybersecurity and IT best practices is challenging when employees are working remotely or are using their personal devices for work. The actual process for completing an audit changed, too—both auditors and the internal teams supporting audit prep were working remotely. 

Given this shifting landscape, many organizations are struggling to keep up with compliance requirements. 

Given that some compliance frameworks are more of a good idea than an absolute must, other organizations are also asking, “How do I compare to other companies like mine?”

A-LIGN conducted a survey to help answer these questions. Today, we’re pleased to introduce our 2021 Compliance Benchmark Report, which includes: 

  • A compliance benchmark by industry, revenue, and company size 
  • Key findings around why organizations undertake compliance programs, what drives them, and their challenges  
  • Best practices your organization can use in 2021 and beyond 
  • And more 

In this post, we’ll share four of our top insights from the report. Read below for more and be sure to download the full report to see all the data and gain in-depth insight into our findings.  

1. COVID-19 Increased Remote Audits, But Not the Use of Audit Software 

The COVID-19 pandemic forced organizations of all shapes and sizes into a new work dynamic. Many different business functions had to be reimagined as fully remote workstreams, and our survey revealed this was the case with compliance programs. Audits and assessments continued despite the pandemic, and 85% of respondents kept their compliance programs on track.  

And, like other departments and business functions, compliance teams also embraced remote work. A huge 71% of respondents either conducted or planned to conduct a remote audit due to the pandemic. This is unsurprising, as many of the business functions involved in auditing and assessment—such as cybersecurity and IT—quickly adapted to remote work dynamics.  

That said, our survey also found that most organizations aren’t using software to support their audits, which can make conducting remote audits very challenging. When asked, only 25% of respondents were using a software solution to prepare for audits and assessments (such as an automated security and compliance or governance risk compliance tool). This doesn’t seem to be something many auditors are offering their clients either, as only 6% of respondents said their auditors provided technology to help complete the audit.  

Lack of software adoption hampers efficiency for compliance programs. We see adopting compliance technology and empowering teams to conduct remote audits as a significant opportunity for businesses in 2021 and beyond. We think this will become the norm as compliance management software becomes more widely adopted.  

Best Practices: How to Conduct a Remote Audit 

To succeed at conducting a remote audit, teams need the right processes, tools, and technologies to support year-round evidence collection, collaboration, and communication. While software alone will not magically make remote audits happen, the right technology can make audit preparation more efficient.  

For example, a good audit management tool can: 

  • Enable better collaboration 
  • Allocate evidence to multiple audits or assessments (reducing the need to duplicate data collection efforts) 
  • Create a centralized location for all evidence  
  • And more 

Organizations can ask their auditor for a recommendation. For example, A-LIGN offers our proprietary A-SCEND platform to clients, which allows for streamlined communication, ongoing collection of data, and more. 

2. Organizations Don’t Strategically Consolidate Audits  

How many audits or assessments does your organization handle every year?  

According to our report, most organizations are doing more than one. In fact, 85% of respondents conduct more than one audit per year, and 31% are doing as many as six or more.  

However, these audits and assessments are by and large happening without the benefit of a bigger vision or strategy—only a mere 14% consolidate their audits. In other words, the majority of respondents are doing multiple audits or assessments, but they’re planning for them individually.  

Conducting multiple, individually planned audits inevitably leads to inefficiency. Due to the overlap between audits and assessments, IT and cybersecurity teams are fielding the same requests for evidence repeatedly. Everything gets done just in the nick of time. That’s not a comfortable place to be. 

Best Practices: How to Consolidate Audits 

We recommend consolidating your audits and assessments wherever possible. Ideally, you would consolidate everything into a master audit plan that takes the long view.  

This should include all audits, assessments, and certifications that are:

  • Needed now to continue operating in the organization’s current state 
  • Necessary to expand into industries or geographies in the near future 
  • Required to create new products or lines of business in adjacent industries or fields that are on this year’s roadmap 

This is especially important for organizations managing many audits or assessments, such as the 31% of respondents reporting six or more per year. 

Consolidating your audits may take quite some time—as long as several years. It will take careful planning and partnership with the right auditing partner to ensure you don’t fall into any compliance “gaps.”

Once your organization has a master audit plan in place and a unified timeline, you will save time and energy with a more organized and strategic process. 

3. Preparing for Audits is a Struggle for Many 

A successful audit brings together many moving parts, including people across departments and numerous pieces of evidence. The auditor showing up (or dialing in) is truly the last mile. 

We found that organizations spend significant time on prep. In fact, 51% of respondents familiar with their organization’s auditing process reported spending one to two months preparing for audits and assessments. And 17% of organizations spend six or more months preparing for an audit or assessment.  

In a fast-paced business environment, that is a lot of time to spend preparing for an audit. Beyond the needs of an audit, cybersecurity, IT, and other team members have the daily pressures of their jobs to contend with in parallel.  

Now imagine what it’s like in organizations with multiple overlapping audits—it’s no wonder our survey also found that 44% of respondents said that limited staff dedicated to compliance was their biggest challenge. Pulling together evidence was also named as a chore with 27% stating that tedious, manual collection was their biggest challenge. 

One thing is clear: there needs to be a better, ongoing process to ensure that preparing for an audit takes less employee time, requires less of a scramble for evidence, and allows employees to focus on their day-to-day duties.  

Best Practices: How to Make Audit Prep More Efficient 

One of the best ways to solve for a lack of resources is advance planning. When audits are a last-minute scramble, they drain resources and morale.   

Organizations should plan for assessments and audits all year round with an overarching plan broken into manageable steps. There are many best practices to enable an efficient audit. An ongoing, organized process can include: 

  • Assembling a dedicated team 
  • Assigning someone to be a compliance manager to run point (or hiring someone full-time, if you conduct enough audits) 
  • Establishing strong communication channels between departments and team members 
  • Creating a timeline of milestones and must-do activities, such as timely controls (see this PCI timeline as an example) 
  • Holding regular meetings to keep the team on track 
  • Collecting and filing evidence throughout the year  
  • Working with an excellent auditor who can partner with your organization all year, not just at audit time 

Compliance management software can also help tremendously with limited staff and manual processes. Combined with great processes and teamwork, compliance management software can greatly reduce the stress of, and the time spent, preparing for an audit.  

4. Privacy Laws Present a Looming Challenge 

From the landmark General Data Protection Regulation (GDPR) to the upcoming California Privacy Rights Act (CPRA), privacy regulations are on the rise. Today, the impact of privacy laws means that organizations have to think about much more than just a public-facing privacy policy. Consumers, governments, and corporations are all concerned about the ways in which data is stored and what happens when it’s stolen in data breaches. 

We found that more than a third of respondents (35%) said they needed higher levels of cybersecurity controls as a result. The added need for privacy compliance is complicating programs, too, with 48% of respondents saying that privacy regulations were driving additional work.  

But privacy laws aren’t the only things changing in the compliance landscape. There are new rules for working with government organizations (such as the Cybersecurity Maturity Model Certification (CMMC) in the U.S.), and HITRUST will soon update their cybersecurity framework to version 2.0. Whether it’s privacy or cybersecurity concerns, organizations need to stay current—and one step ahead of their competitors. 

Best Practices: How to Stay on Top of Changes in Regulations 

Organizations can stay above water in this changing environment with the right partners. Select an auditor who’s in it for the long haul. The right partner will not be a vendor who swoops in for a single audit and swoops out just as quickly. They will: 

  • Operate globally in the markets that matter to you 
  • Work closely with your organization year-round 
  • Help you plan for the future
  • Grow with you, no matter where your business goes in terms of geography or industry 

From privacy concerns to U.S. federal requirements and beyond, the right auditor will help you stay compliant and strategic because that is their job.  

A Compliance Benchmark to Aid Your Planning & Put it All in Perspective 

While many stare down an audit with dread, compliance doesn’t have to be stressful. In fact, your compliance program can support business growth. When your organization is in compliance with (or certified in) the appropriate regulations and frameworks, it builds confidence in customers, partners, investors, and others. It can open up new markets and new opportunities. 

Be sure to read our full Compliance Benchmark Report for more in-depth insights and a benchmark to help shape the strategic future of your compliance program. 
