Compliance, for most, is a meticulous yet necessary process that can cause headaches and be left to the last minute by those who don’t wish to embark on it currently. But when your company is about to go public, compliance gets real, fast.
So, how can you start to take steps towards compliance in a way that doesn’t make everyone involved cringe? Two Systems leaders who have already gone through the process, plus one auditor, discussed this in detail at Biz Systems Magic, the first and only conference for Systems leaders. Chris Blaisure, Director of Support Operations at Elastic, discusses what it took for his company to stop pondering and start doing prior to their IPO launch in fall 2018. Brian Flood, Senior Director of Business Systems & Data at Fastly, then outlines action steps to lighten your compliance load as his company did with their IPO launch in spring 2019, and finally, Sumit Kalra, partner at BPM, an accounting and consulting firm, provides us with an auditor’s look at the process.
As an auditee-turned-auditor, Kalra referred to compliance as “an emotional journey,” but step-by-step, all three leaders got through it. Here are the action steps your team can use to move forward with compliance, as well.
Good Processes First, Compliance After
Blaisure from Elastic sees compliance through the lenses of two guiding principles:
1. Focus on Good Processes First
“We can worry about the policies, we can worry about risk assessments, we can worry about all the other compliance needs later, but just get your processes down first,” said Blaisure. Compliance procedures will of course follow, but they can’t succeed without a good foundation.
2. Be Prepared for Your Auditor
“When you speak with an auditor, you want to have a story ready,” said Blaisure – the story of your journey to IPO and any predicted challenges or changes along the way. He stressed that it doesn’t have to be perfect, but it has to be ready.
The Path Towards Compliance at Elastic
When Blaisure started at Elastic in 2007, there wasn’t a compliance program. His first step, therefore, was to understand his people and processes. He then chose a base control framework – a data structure that organizes and categorizes an organization’s internal controls, which are the practices and procedures established to create business value and minimize risk – knowing that he wouldn’t have all of the answers but would at least have a template to point back to. He hired a project manager; although she wasn’t familiar with controls, they were able to start thinking through and documenting their controls together. He also brought in a consultant to get them through the “final mile” of the program.
Through requirements from GDPR, the process of getting SOC certified, and an internal audit, minor control changes were needed, Blaisure explained, but their initial framework had prepared them to conform to financial compliance regulations. When describing the changes made for their IPO audit, Blaisure said, “It was really about having a plan already in place and adjusting after that and maturing.”
The process of discovery and maturing Elastic’s controls happened over the course of 18 months. “We just iterated on it. It wasn’t our full time job. We were also installing other applications,” said Blaisure. For him, the focus was largely on progress. It was the iteration bit-by-bit that helped them complete “the first draft of controls before GDPR was in effect.”
Leaving the Top-Down Approach for Compliance Behind
The common theme you’ll find online for compliance is a top-down approach, but this can be ineffective, says Blaisure. You have to take a thousand steps before even touching your controls. “So if I take that top-down approach to the way I was working at a business, I would have not been ready for GDPR,” he said. “By flipping the approach,” he said, “I was able to take action, and then complete small adjustments to this base framework when needed.”
The proof is in the pudding, says Blaisure. With the bottom-up approach, Elastic was able to obtain certifications for ISO, PCI, FedRAMP, AICPA, HIPAA, and CSA fairly quickly.
Takeaways from Elastic’s Compliance Journey
1. Processes First
Blaisure says that if you are going to implement logical access control – a security technique that regulates who or what has access to computer networks, system files and data in a computing environment – just because an auditor came in and told you so, then you’re doing it wrong.
2. Frameworks Help
ISO, COBIT, COSO are all frameworks meant to make your compliance journey easier. If you have trouble deciding which one to implement or how to do it, don’t be afraid to ask for help. Remember, consultancy doesn’t have to be expensive.
3. Controls Should Mature
Controls should be similar to a “good bottle of red wine,” Blaisure says – they should “get better with time.”
Compliance Action Steps You Can Start Right Away
Flood from Fastly continued the conversation by reinforcing the need for action. When he started working at Fastly, he didn’t have a background in compliance, but because the company was nearing the launch of an IPO, he was tasked with figuring it all out. Throughout his journey, he noted the following key takeaways – stressing that while these don’t cover the entire compliance process, they will definitely set you on the right path to get started.
Why Compliance Can Be Delayed
1. Simple Excuses
There are often excuses for putting off selecting controls and proper frameworks (especially for smaller companies in the “emerging growth” category), but you shouldn’t wait for someone to come in and tell you to implement better processes, Flood says – it’ll save you a lot of trouble later.
2. Knowledge Gaps
Additionally, compliance can be delayed by waiting to build up significant compliance knowledge. “People build their whole careers around compliance and to think that you can get it done in a month or two is not realistic,” Flood said. “It’s best to get started where you are.”
Steps to Get You Started
1. Documentation
“If you haven’t documented your controls, your auditors won’t believe they exist,” Flood said. Documentation is one of the crucial parts of the compliance journey, but is often left behind as companies quickly expand.
Part of the fix is keeping documentation in a centralized location that is accessible to all. If you store it deep in personal folders, said Flood, no one’s ever going to find it or look at it. “This helps remote employees and stakeholders get a better idea of how processes are working,” he added.
2. Change Management
When you’re working on new projects, it’s essential to have a change management process. Don’t just say you’re going to work on controls – have a process in place to make sure it gets done and that ownership and tasks are clearly delineated to all. Having documentation of who approved your projects, a process that takes gating factors into account, and knowledge of the downstream effects of your systems projects will make your auditing process much smoother.
As Flood said before, all change management documentation should be visible. At Fastly, change management documentation is put into Jira, making it easy to find.
3. Access Management
“It’s a big project to start thinking about [in terms of] what are all the roles and responsibilities in your company that need to have specific permissions in every application,” Flood said. That’s why it’s often put off, especially in big companies, but getting it done will make compliance much easier. To do this, Flood says you should have a formal access approval process, keep track of who needs permissions revoked and when, and periodically review your access permissions.
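One way to make those three practices checkable, as an added example that is not from the talk or from Fastly: a small Python access review that flags grants with no recorded approver, grants past their scheduled revocation date, and grants not re-reviewed within the review period. The register schema, names, systems and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Grant:
    """One access grant as it would appear in an access register (constructed schema)."""
    user: str
    system: str
    role: str
    approver: Optional[str]        # None = no formal approval on record
    granted: date
    revoke_on: Optional[date]      # scheduled removal date, e.g. a contract end
    last_reviewed: Optional[date]  # None = never reviewed since it was granted

def review_access(grants: List[Grant], today: date,
                  review_period_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (user, system, finding) triples for grants that need attention.

    The three checks mirror the three practices in the text: every grant needs a
    recorded approver, scheduled revocations must actually have happened, and
    every grant must be re-reviewed within review_period_days.
    """
    findings = []
    for g in grants:
        if not g.approver:
            findings.append((g.user, g.system, "no approval record"))
        if g.revoke_on is not None and g.revoke_on <= today:
            findings.append((g.user, g.system, "revocation overdue"))
        last = g.last_reviewed or g.granted   # never reviewed -> count from grant date
        if (today - last).days > review_period_days:
            findings.append((g.user, g.system, "review overdue"))
    return findings

# Constructed sample register; names, systems and dates are illustrative only.
SAMPLE_GRANTS = [
    Grant("alice", "billing-app", "admin", "bob", date(2019, 5, 1), None, date(2019, 5, 1)),
    Grant("carol", "jira", "editor", "bob", date(2019, 1, 15), date(2019, 6, 15), date(2019, 4, 10)),
    Grant("dave", "erp", "approver", None, date(2019, 2, 1), None, None),
]
REVIEW_DATE = date(2019, 6, 30)  # constructed "today" for the sample run

def run_sample() -> List[Tuple[str, str, str]]:
    return review_access(SAMPLE_GRANTS, REVIEW_DATE)

if __name__ == "__main__":
    for user, system, finding in run_sample():
        print(f"{user:6} {system:12} {finding}")
```

The returned triples are the evidence an auditor asks for: which grant, which check failed, and (with the review date) when it was found.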
4. Monitor Everything
Your engineers are used to the process of monitoring projects and data and capturing logs, but SaaS tool log management is often overlooked. You should be able to give an auditor documentation on when tasks happened and who did them.
5. Back Up Everything
Don’t assume that vendors have backed up your data. When something goes wrong, you’ll need to be able to restore your data quickly and efficiently, without shelling out tons of money for vendors to do it for you.
At the end of the day, your compliance process is in your hands. From backing up data to cleaning up access management, you can start building a base for a successful compliance journey.
Lastly, the Auditor’s Perspective
After a 20-year career as an auditor, Kalra from BPM (the last presenter of the panel) gave insights on how to make the compliance process for you and your auditor much smoother.
- Be ready for your auditor: Running around on the day of your auditor’s visit will be of no value. It’s best practice to be ready at least a week beforehand.
- Don’t be afraid to get written up during your first audit: The most important aspect of a write up is going back and fixing it.
- Make sure you do a readiness assessment before your auditor comes in: You can complete one yourself or hire a consultant to complete it.
- If you don’t know how to write controls, make use of the illustrative document of the framework you choose: It will clearly state the steps that need to be taken.
- Make sure that the policies and procedures you are documenting are the actual ones being conducted in your organization: Sounds straightforward, but could save you a lot of time.
- Do not write wordy policies: Create a policy workflow that is easier for your auditor to read with bullet points.
- The fewer people who have to talk to the auditor, the better: Only have employees well versed in your audit process speak to your auditor, to avoid misunderstandings.
- Define the scope of your audit and don’t let auditors expand it: If there are conversations that need to be added, then the auditor will add them, but try to keep the audit topics relevant.
- Automate as much as you can: Kalra explains that the more you automate, the fewer samples your auditor is likely to pick.
The Most Important Insight: Number 10
As stated earlier, Kalra refers to compliance as an “emotional journey.” Although mistakes come with the territory, little step by little step, your team can push toward successful compliance. As seen from both Elastic’s and Fastly’s experiences, nothing about compliance is easy, and it is definitely OK to fumble – in fact, according to Kalra, it’s the only way you’re going to get to the finish line.