Assessments, Audits, Certifications – Oh My!
In the world of industry lingo and compliance journeys, the trio of terms assessments, audits, and certifications can be particularly challenging even for those of us who live amongst them every day. As organizations are increasingly required to manage third-party risk, internal compliance departments are not the only lines of business getting in on the risk management program of conducting and/or requiring completion of assessments, audits, and certifications – so are legal, privacy, security, and risk departments. But what does each mean, and when do you use one versus another?
There are two main ways I approach which term to use. The first is the most basic: what does the dictionary say that official meaning is? (My go-to resource is www.dicationary.com.) Assessing means judging or estimating the value or character of something – evaluating it. Auditing on the other hand is more objective, and is the “official examination and verification of accounts and records, especially of financial accounts.” Then, certifying something entails an attestation, a voucher, a guarantee, or an endorsement.
These definitions can help you when you are considering which method to choose and what path to take. Is your organization looking for an overall programmatic evaluation of performance and progress to mature internally or do you have a customer requiring a stamp or seal of approval from an official body endorsing your compliance with particular standards and practices? If the former, go with an assessment. If the latter, go with a certification.
Each of these carries a price tag, whether through resource allocation, the hours devoted to completing it, or the cost of hiring an independent third party to complete it. Don’t assume that an assessment will cost less than an audit or certification simply because it seems less formal. Depending on structure and scope, assessments can be more complex and comprehensive than some audits and certifications and therefore require a higher cost allocation.
The second way to consider which term to use is relevancy to a particular framework or standard. For example, AICPA’s SOC is an audit report – not a certificate. HITRUST and ISO have certifications that are awarded for compliance with standards. Also, while I have you, there is no such thing as HIPAA certification. HIPAA is a federal regulation; the federal government doesn’t promulgate certifications. However, you can be assessed as compliant with HIPAA – and some companies may give you a certificate that states you are HIPAA compliant. There’s a nuance there that is important, I promise.
No matter which way you evaluate your compliance or maturity against frameworks or standards, rest assured that they all have their value and rationale to suit different requirements and expectations. The key thing is to fully understand what you are signing up for – and what you aren’t. To learn more about how Kuma can help you navigate and leverage the wide variety of assessments, audits, and certifications that are applicable to your organization, contact us at firstname.lastname@example.org. We’ll be happy to guide you down the compliance and maturity yellow brick road.