How to Turn Compliance Audits into A Strategic Opportunity

For many companies, compliance audits are seen as a necessary evil and a cost that must be minimized. Sure, you could try to shop your auditor, but you certainly wouldn’t do that because their fees are too high. You’d only really look for alternatives if they’ve allowed you to be surprised by their findings.
Since compliance audits aren’t going away any time soon, companies should stop complaining about how burdensome they are. Instead, your challenge is to perform audits more effectively and more efficiently.
With potentially thousands of suppliers, vendor compliance audits can be a huge opportunity for improvement. A small improvement in efficiency can create enormous financial and organizational cost savings.
Most Compliance Audits Create Lose-Lose Situations
If you really think about it, compliance audits are a lose-lose situation for both the supplier and the company. From the vendor’s perspective, answering the questionnaire has no value other than to satisfy their customer. If that supplier has many customers, they likely have to hire people solely to complete audits. As a result, some vendors may cut corners or do as little as possible to get through the audit. This provides little value to the customer who is looking to minimize risk.
Three Ways to Make Compliance Audits Strategic
Vendor-customer relationships present wonderful opportunities to elevate the relationship to something synergistic and strategic. As a large customer, you have a huge opportunity to benefit due to the number of suppliers you work with. By providing each of those vendors an opportunity to be strategic to your business, you’ll ensure your audits get results.
Here are three ways you can improve the effectiveness of your vendor compliance audits:
1. Provide value to the vendor
Ensure the result of the compliance process provides some value to the supplier. They should get something out of it—like a report, a score or some response that has value they can use in the future. The more actionable the take-away, the more likely they’ll feel like they got something out of the process. A bonus in this category would be to link downstream contract renewals and additional contract competitions to their maintaining successful compliance status.
2. Show respect for the vendor’s time and resources
The compliance audit process should show respect for the time and effort the supplier will put into it. For example, the process should show a way to leverage the unchanged items from last year. This is not corner cutting, but a representation that they are still doing the same good job they were last year. In my opinion, 99% of the vendor compliance audit processes out there show disrespect for the supplier’s time. These processes essentially say, “We don’t care about your time. You should be grateful to be our supplier, and this is a minor price to pay for being our supplier.” And this usually happens after a tough procurement negotiation, so it’s no wonder that there may be some bitterness among your vendors.
3. Be proactive in helping the vendor address issues
Don’t just take a pass/fail approach. Help the vendor take an approach that can help them address problems and issues. The customer may recommend several ways to address a weakness that would make the supplier pass the audit. For example, if the vendor doesn’t have a strong password process, show them a few ways and different cost models to implement a strong password process. Also, for more minor issues, allow provisional status and/or more time to fix the problems.
Follow these three tips, and you have a vendor compliance process that adds value, creates a stronger relationship and reduces your business and IT risk. As a result, your vendor will be able to shift compliance from a cost burden to a revenue center. Why? They’ll be able to demonstrate improved compliance and sell more because of it. And the next time you conduct a compliance audit, you can be sure they’ll give you their best.
What are some ways you’ve turned compliance audits into a strategic advantage?
About the Author: James M. Anderson is President of Professional Assurance, LLC, an advanced enterprise security consultancy. Over his 30-year career, he has served as Vice President, Global Information Security Services for Visa, head of the information security unit of Morgan Stanley and as Director of Security and Information Services at Lexis-Nexis, Inc. He holds the CISSP, CISM and CGEIT certifications. You can follow his writing on the Evantix blog or connect with him on LinkedIn.