Compliance professionals today are dealing with numerous challenges. At the same time, their companies face increased scrutiny and cyberthreats, and compliance teams have fewer resources and reduced headcount. It's a lot for even the most sophisticated and experienced teams to manage.
As a result, compliance professionals are seeking out ways to do more with less. Sometimes the solution is utilizing technology, such as automated software tools that streamline processes or leveraging AI for greater efficiency. In other circumstances, individuals responsible for compliance are choosing an easy path to simply check the box on compliance with a flimsy, budget audit. This may be enough to get the C-suite off their back, but it leaves the company open to significant risk.
Each year, A-LIGN surveys hundreds of compliance leaders to learn more about the current state of compliance and better understand the factors that impact their decisions. What are the driving forces behind their compliance program? How much time, money, and resources are devoted to the audit process? How are they thinking about the role of AI?
To find out the answers to these questions and more, we surveyed nearly 700 compliance professionals and business leaders and compiled insights into A-LIGN's 2024 Compliance Benchmark Report. Keep reading to discover the four key themes from this year's report.
Quality: Not all reports are created equal.
The notion of quality has been a hot topic among compliance professionals over the past year. As organizations pursue more certifications, basic reports like SOC 2 and ISO 27001 have become table stakes. But not all audit reports — or auditors — are created equal. 79% of survey respondents said they noticed a difference in quality among auditors, and 11% said they received audit reports that were too short.
We also asked survey participants about the significance of quality when it comes to compliance reports, and overwhelmingly, they said it was "extremely important" (69%). This makes sense given that a record number of organizations (38%) have had a report rejected by a vendor or prospect due to quality. It's no longer enough to have a SOC 2 report – CISOs are going to dive deeper to make sure the report is detailed, accurate, and comprehensive.
These findings emphasize the importance of quality, but what does "quality" really mean? The top two factors that organizations cite for whether a report is high quality are the reputation of the auditor and an explanation of best practices or other helpful content in the final report. Companies want their audit reports to come from an experienced compliance partner who can offer practical guidance about how to improve their security posture.
Efficiency: Companies must do more with less.
In our survey, companies said their greatest challenge in the audit process is limited staff resources dedicated to compliance. In fact, only 20% of companies have a dedicated compliance department.
This means organizations must prioritize efficiency. Consolidating audits with a single auditor is one of the best ways to streamline the process and realize efficiencies when juggling multiple audits. Survey respondents agree – nearly all (96%) believe consolidating multiple audits could save them time, money, or both.
But most organizations are failing to take this critical step. Only 16% reported that they consolidate their yearly audits into a single event. The overwhelming majority (83%) conduct multiple audits per year but plan for each one individually.
Clearly, audit consolidation is easier said than done. Compliance professionals see the opportunity for efficiency, but it requires an upfront investment of time and resources to switch auditors, consolidate timelines, and change processes. We anticipate that the pain of managing two or more audit partners and processes will eventually become too much and force companies to make a switch. But we applaud the compliance leaders who are thinking ahead and making the change on their own timeline.
Culture of security: It's more than checking the box.
In prior years, survey respondents indicated that the driving force behind their compliance programs was to increase revenue or win new clients along with pressure from the board or C-suite. Together, these reasons made up nearly half of all responses in 2023. This year, they were the two least popular answers.
This year, two driving factors rose through the ranks: establishing trust with customers and stakeholders (up 36% over 2023) and validating the effectiveness of security controls (up 55% over 2023).
This demonstrates that organizations are moving away from a check-the-box compliance strategy that prioritizes doing the bare minimum to win over clients and protect the bottom line. Instead, we are seeing a culture of security emerge: one that values security and trust as valid business concerns in their own right.
Partnership: Experience + tech are the winning combination.
With many audit partners to choose from, we wanted to know the top factors compliance professionals consider when making that decision. 32% of companies said auditor experience is the top reason to choose a compliance partner, followed by report quality (22%) and a tech-enabled audit (19%).
Working with an experienced audit team directly impacts the quality and effectiveness of the audit process. Whether this is your first audit or your fiftieth, it is still beneficial to have the knowledge and expertise of auditors who know requirements inside and out. Especially with limited resources, the wealth of knowledge that an auditor brings to the table can be the difference between passing or failing your audit.
The survey results also signal that technology, while a powerful tool, is not a substitute for experience. 19% said a tech-enabled audit was the most important factor for them, compared to 32% who chose an experienced audit team. Technology can enhance the efficiency and accuracy of the audit process, especially when it comes to evidence collection, but it takes skilled professionals to analyze data, make informed decisions, and provide strategic guidance.
Download the report
For even more insights into the state of compliance in 2024, download the Compliance Benchmark Report.
Brandon Thompson — CISO at A-LIGN