When it comes to Office of Compliance Inspections and Examinations (OCIE) audits, there are two recent trends that Chief Compliance Officers (CCOs) at Registered Investment Adviser (RIA) firms need to pay attention to:
- The OCIE is increasingly concerned about cybersecurity.
- Audits are happening more frequently: the percentage of RIA firms examined each year has risen since 2013.
As audits become more common, you cannot afford to put off preparing for one. You are well versed in the compliance rules and regulations, but do you know how to compile audit logs of remote sessions (who connected, from where, when, and what they accessed)? Can you show how the information you store digitally measures up against NIST's Framework for Improving Critical Infrastructure Cybersecurity?
This document plays an important role in the evaluation of an organization’s cybersecurity and should not be overlooked. Addressing what it outlines not only prepares your organization for an audit, it gives you peace of mind knowing that your data is secure and your firm is complying with regulations.
Originally developed to help protect the nation's critical infrastructure, the Framework has since been referenced by the OCIE in its cybersecurity examination initiatives. It is a multilayered document that becomes more detailed the further you drill down into it.
There are three main sections: the Core, Implementation Tiers, and Profiles. The Core is organized around five concurrent and continuous Functions: Identify, Protect, Detect, Respond, and Recover. Each Function is divided into Categories and then Subcategories. A Subcategory is an outcome statement (for example, "audit/log records are determined, documented, implemented, and reviewed") paired with informative references to standards such as NIST SP 800-53, ISO/IEC 27001, and COBIT that point to controls for achieving it.
The Implementation Tiers (Partial, Risk Informed, Repeatable, and Adaptive) describe how rigorous and integrated your risk management practices are. Profiles record which outcomes you achieve today (the Current Profile) and which you intend to achieve (the Target Profile); the difference between the two is your gap list and sets your objectives. Taken together, these parts present a picture of how your firm manages risk and prompt an honest discussion of your appetite for it.
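The Current-versus-Target Profile comparison described above, worked through as an added example; this is not code from the original page, from NIST, or from any firm mentioned here. It uses real CSF v1.1 Subcategory identifiers with their outcome text paraphrased, scores each Subcategory on the 1 to 4 Tier scale (a common simplification; the Framework itself applies Tiers to the organization as a whole), and runs on a constructed assessment of a hypothetical RIA firm. Unassessed Subcategories are deliberately scored at Tier 1 so they surface as gaps rather than disappearing from the report.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """CSF Implementation Tiers, used here as a per-subcategory maturity score."""
    PARTIAL = 1
    RISK_INFORMED = 2
    REPEATABLE = 3
    ADAPTIVE = 4


# Real CSF v1.1 Subcategory IDs; outcome text is paraphrased, not quoted.
SUBCATEGORIES = {
    "ID.AM-1": "Physical devices and systems are inventoried",
    "ID.AM-2": "Software platforms and applications are inventoried",
    "PR.AC-1": "Identities and credentials are managed for authorized users and devices",
    "PR.DS-1": "Data-at-rest is protected",
    "PR.PT-1": "Audit/log records are determined, documented, implemented and reviewed",
    "DE.CM-1": "The network is monitored to detect potential cybersecurity events",
    "RS.RP-1": "Response plan is executed during or after an incident",
    "RC.RP-1": "Recovery plan is executed during or after a cybersecurity incident",
}

FUNCTION_NAMES = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                  "RS": "Respond", "RC": "Recover"}

# A subcategory nobody assessed is treated as Tier 1 so it cannot hide.
UNASSESSED = (Tier.PARTIAL, "not assessed; scored as Tier 1")


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: Tier
    target: Tier
    evidence: str

    @property
    def delta(self) -> int:
        return int(self.target) - int(self.current)


def function_of(subcategory: str) -> str:
    """'PR.PT-1' -> 'Protect' (the Function prefix precedes the first dot)."""
    return FUNCTION_NAMES[subcategory.split(".")[0]]


def gap_analysis(current: dict, target: dict) -> list:
    """Compare a Current Profile to a Target Profile.

    current: {subcategory: (Tier, evidence string)}; target: {subcategory: Tier}.
    Returns the gaps, largest Tier shortfall first, then by subcategory ID.
    """
    gaps = []
    for sub, tgt in target.items():
        cur_tier, evidence = current.get(sub, UNASSESSED)
        if cur_tier < tgt:
            gaps.append(Gap(sub, function_of(sub), cur_tier, tgt, evidence))
    return sorted(gaps, key=lambda g: (-g.delta, g.subcategory))


def coverage_by_function(current: dict, target: dict) -> dict:
    """Per Function, the fraction of targeted subcategories already at or above target."""
    totals = {}
    for sub, tgt in target.items():
        fn = function_of(sub)
        met, n = totals.get(fn, (0, 0))
        cur_tier, _ = current.get(sub, UNASSESSED)
        totals[fn] = (met + int(cur_tier >= tgt), n + 1)
    return {fn: round(met / n, 2) for fn, (met, n) in totals.items()}


def audit_report(current: dict, target: dict) -> list:
    """One line per gap, with the evidence an examiner would ask to see."""
    return [
        f"{g.subcategory} ({g.function}): Tier {int(g.current)} -> {int(g.target)} | "
        f"{SUBCATEGORIES[g.subcategory]} | evidence: {g.evidence}"
        for g in gap_analysis(current, target)
    ]


# Constructed sample assessment for a hypothetical RIA firm (not real data).
CURRENT_PROFILE = {
    "ID.AM-1": (Tier.REPEATABLE, "RMM agent inventory, reviewed quarterly"),
    "ID.AM-2": (Tier.RISK_INFORMED, "manual spreadsheet, last updated 2019"),
    "PR.AC-1": (Tier.REPEATABLE, "MFA on email and VPN; quarterly access review"),
    "PR.DS-1": (Tier.RISK_INFORMED, "laptops encrypted; file server not"),
    "PR.PT-1": (Tier.PARTIAL, "remote-session logs not centralized"),
    "DE.CM-1": (Tier.RISK_INFORMED, "firewall logs kept 30 days, no alerting"),
    "RS.RP-1": (Tier.PARTIAL, "no written incident response plan"),
    # "RC.RP-1" is intentionally left unassessed to show how that is handled.
}
TARGET_PROFILE = {sub: Tier.REPEATABLE for sub in SUBCATEGORIES}

if __name__ == "__main__":
    for line in audit_report(CURRENT_PROFILE, TARGET_PROFILE):
        print(line)
    print(coverage_by_function(CURRENT_PROFILE, TARGET_PROFILE))
```

The evidence string on each gap is the point: examiners ask for artifacts (log retention settings, an inventory export, a signed response plan), so the Current Profile should record where that evidence lives, not just a score. Sorting by shortfall first puts the two-Tier gaps (centralized logging, the response plan, the unassessed recovery plan) at the top of the remediation list.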
The NIST Framework is broad and, once you follow its informative references into the underlying standards, highly technical. Wading through it is a laborious task, and it covers only one aspect of an OCIE audit. As you prepare the necessary documentation, you will likely have questions for your managed IT services provider.
For instance, you might need to gather information detailing how client data is kept secure on devices and in emails. You could continually ask one-off questions, or you could engage your provider from the beginning.
Just as with the SEC's Safeguards Rule under Regulation S-P, having an expert who can assist with the IT-related aspects of compliance is the best way to alleviate audit concerns.
Solutions offered by managed IT companies working in the financial sector probably already cover a majority of what OCIE examiners look for. An IT expert will know the software, hardware, and applications needed to bridge the remaining gap and make your organization fully compliant. They will also be able to align your overall IT strategy with the compliance standards you are measured against, giving you a comprehensive solution that scales with your company.
When evaluating potential managed service companies, ask pointed questions about what their offering actually includes. You want someone who alleviates all your audit concerns. A company may list "compliance" as an offering on its website, but that does not mean it is ready to help you prepare for an audit. Ideally, the provider you work with will be able to create the necessary documentation for you and produce the underlying evidence (log retention settings, device inventories, access reviews, written policies) on request, since examiners ask for artifacts rather than attestations.
You already know the consequences of facing an audit unprepared: the firm could face significant fines or, worse, close entirely. Rather than shouldering all of this responsibility yourself, you can work with a managed IT partner who is prepared to handle compliance.
itSynergy’s professionals work with your compliance team to ensure you have a robust, compliant IT strategy. Our compliance management solutions include ensuring your company is audit-ready at any time an audit occurs. We offer multi-level IT services that cover managed services and cybersecurity. Contact us to learn more at 602-297-2400 or online.