11-17-14 | Blog Post
When you create a list of who you’re thankful for, your auditor may not jump to the top of your list. After all, isn’t that who asks for all those mountains of documents and relentlessly asks those probing questions?
Let’s face it: the relationship between a business and an auditor can be a contentious one. The high price of reports, resources spent compiling the information and remediating any issues can be more than enough to give any CXO heartburn and hair loss. Mix in an auditor’s desire to maintain independence and objectivity and you have a recipe for acrimony.
But the relationship doesn’t have to be contentious. With the right auditor, and some foresight by the business to realize the ultimate benefits of a relationship based on honesty, integrity and a shared commitment, it can be at least tolerable. In our case, we’ve found it to be incredibly valuable.
Let me introduce someone that Online Tech is grateful for. David Barton, a managing director at UHY LLP, produces six independent annual reports for Online Tech, attesting to our compliance with SOC 1, SOC 2, SOC 3, HIPAA, PCI and Safe Harbor requirements. He is an expert in risk identification, assessment and evaluation; risk response; risk monitoring; IT control design and implementation; and IT control monitoring and maintenance. He serves clients in a range of industries including healthcare, manufacturing, financial services, gaming and hospitality. Barton is at once relentless, a consummate professional, generous with his expertise, and – despite the resistance his services sometimes inspire – completely committed to his clients.
Those who joined us at our Indianapolis Data Center open house heard Barton talk about the seven-year relationship he’s had with Online Tech, starting with a meeting with co-CEO Yan Ness “in a dingy little office in downtown Ann Arbor” and continuing through the opening of that data center in Indianapolis – our fifth across the Midwest.
As you might imagine, we wouldn’t invite a guy we don’t admire and respect to speak at our grand opening parties. And, as you might similarly imagine, we wouldn’t invite a guy to speak if we weren’t confident he felt the same way about us.
So how do you build and maintain a solid relationship with an independent auditor? We asked Barton and Online Tech’s Director of Product Management Jason Yaeger – the very person who has to answer to David’s “endless” documentation requests – to offer a few tips from both perspectives.
1. Pay attention at the front end of any engagement
Barton says the key to any auditor-business relationship is that there are no surprises on either side. He has learned that in some cases, the controls that management thinks are in place aren’t really the controls that are in place once you drill down to the folks responsible for those duties on a daily basis. “Sometimes what they think is happening isn’t really happening,” Barton says.
Yaeger says Online Tech’s culture of compliance helps with this issue. “We have complete buy-in and transparency, from our executive team to all employees, on what we do and in what areas we need to improve. At some organizations, lower-level employees are afraid to tell the management team where they have work to do. We encourage people to tell us what we’re not doing right.”
2. Be helpful generating or gathering required information
“There’s always a little bit of adversarial relationship when talking about independent auditors. We don’t end up on top of anyone’s priority list,” Barton says. “To most people that work for a company, getting an email from an auditor asking for information doesn’t always give them warm fuzzies.”
Warm fuzzies or not, Online Tech management makes a concerted effort to cooperate with auditors. It’s not a perfect process – Yaeger admits that sometimes it feels like it’s one of the last things to be done, “not because we don’t value it, but because everybody is so busy” – but it’s always done on time.
“One of the things we want to do is streamline the process so that we’re always sending them information before they need it,” Yaeger says.
Barton appreciates the cooperation, stating: “It certainly is refreshing to have the entire company working with you to get you what you need when you need it.”
3. Value the process
For Online Tech, successfully completing annual audits has allowed us to operate in the compliance space and serve the verticals that need to be compliant in those areas. For us, audits are a choice, not a requirement.
“We self-impose these restrictions on ourselves. There’s no reason we have to be HIPAA compliant, no reason we have to be PCI compliant,” Yaeger says. “Other businesses required to live up to HIPAA and PCI compliance find audits to be a burden. Call us crazy, but we’re actively seeking out areas where we can be more compliant.”
Rather than viewing audits as a burden, view them as what they are: A requirement to be able to operate in a particular space, and an opportunity to improve how you operate.
“In a lot of cases, these reports don’t get taken as seriously as they should,” Barton says. “Online Tech, from the very beginning, wants to use these reports as a way to improve their control environment. It’s not just ‘give me the report and go about my business.’”
4. Don’t underestimate the benefits of whole company buy-in
Connecting your auditor with your sales and marketing department is probably the last thing you’d think of, but Barton and his team have patiently taken the time to explain to us the role compliance plays in reducing risks to an organization. In turn, this has helped us understand the concerns of our prospects and clients and maintain credibility with them.
For example, you can’t go out there claiming to be “SOX certified” or that your cloud is “HIPAA compliant” without understanding that compliance is an organizational commitment and holistic process, not a stamp to affix to a single product or service.
It’s a rare and wonderful thing to say that we’re very grateful for our auditors! Happy Thanksgiving, David Barton and UHY LLP!