Compliance Insights

Top 5 Compliance Issues That Non-Profits Face And How To Fix Them
Feb 18, 2021

Operating as a non-profit organization in an overly competitive and capitalism-first economy means that there is no shortage of obstacles. Non-profits are bound by unending public scrutiny coupled with strict government regulations because of the special financial privileges they enjoy. Tax-exempt status combined with access to public funding are two very good reasons why compliance, on all fronts, can't be ignored.


Yet, an increasing number of non-profits underestimate their exposure to risks and fail to employ the required risk-assessment and prevention safeguards. 


The data suggests that 3 key factors drive this negligence among non-profits: 

  • An unfounded belief that non-profits are protected against compliance risks
  • A critical lack of understanding about risk management among the administration
  • A belief that regular risk assessment isn't feasible for non-profits


Naturally, none of these validate or even pardon noncompliance, which is why it is extremely important for non-profits to comply with regulations. For greater insight into the matter, here are 5 compliance risks that non-profit organizations face and guidance on remedying them. 


Failing to submit tax documentation 

While it is known that non-profit organizations are exempt from all federal corporate taxes, they still have a responsibility to the IRS. To remain compliant and retain their tax-exempt status, non-profit organizations in the US must file Form 990 with the required tax information on a yearly basis. Additionally, non-profit organizations with staff are required to maintain a W-4 for each employee, and file Form 941 on a quarterly basis unless the IRS requests otherwise. 


Failure to meet this requirement has serious consequences, for which a steep fine is just the precursor of what's to come. These fines accrue daily, meaning the longer this information goes undisclosed, the more money it costs. To make matters worse, it doesn't stop there: the IRS can revoke the 501(c)(3) tax-exempt status. Continual negligence in this regard can also lead to the administrative dissolution of the corporation. Naturally, managing this risk requires these organizations to have an internal control or risk management system to help mitigate these issues on time.


Hosting auctions outside IRS regulations

Non-profit and for-profit organizations share some similarities when comparing the compliance protocols for making money. In both cases, compliance is stringent, even if the purpose of raising money, via an instrument like an auction, is for a good cause. For such an undertaking, non-profit organizations must follow IRS regulations to the letter or face a penalty, in the form of a fine. Some states even require non-profits to apply for a special fundraising license before hosting auctions.


With auctions, potential compliance issues could arise in 2 ways:

  1. Quid pro quo contributions
  2. Non-cash gifts


In the case of quid pro quo contributions, where the donor exchanges money for goods or services, the non-profit organization must provide donors with a letter containing a disclosure. This letter's contents are the good-faith estimate of the market value of the goods or services the donor has received with their contribution. Failing to provide this acknowledgment letter can result in a fine of up to $5,000 per auction. 


On the other hand, when someone donates goods to an auction, the non-profit organization must submit tax-related information about the exchange. This includes: 

  • Name of the organization
  • A statement that details the services or goods exchanged by the organization
  • Description of the item that was donated

Managing this data is important as the regulatory bodies require it and doing it manually is asking for trouble. A neat solution would be a cloud-based software that gives non-profits seamless access to data caches, so that this type of crucial information is always up to date.  



Engaging in political campaigning

Given the good that non-profits set out to achieve, it is no surprise that any political candidate would want the endorsement or backing of one. However, the Internal Revenue Code clearly states that all section 501(c)(3) organizations are prohibited from participating in any form of political campaigning or lobbying. This includes any direct or indirect intervention of any sort.


Violating this tax code results in revoking the tax-exempt status applicable to the non-profit organization and may even lead to the imposition of additional excise taxes. Having a clear understanding of this compliance risk and ensuring that all organization members are aware of it is a good way forward. 


Earning substantial profits

Non-profit organizations are known to suffer from a lack of finances, but in some instances they generate an excess of profit, and this is a problem. As per regulation, non-profits aren't allowed to earn sizable amounts of profit, and doing so goes against compliance norms. Even though the money is meant to serve a good purpose, it is illegal under the compliance regulations governing the collection of tax on sales.


However, there may be instances where a non-profit underestimates the profits earned and in such cases, experts suggest that any excess must remain within the organization. This surplus may be used to pay off debt or finance the non-profit's mission in the future. 


The Board, employees and volunteers of non-profits need to be aware of this fact to comply with regulations. 


Botched record-keeping 

Complete transparency is a mainstay of any non-profit organization, which is why maintaining records is crucial. Unfortunately, this is an area in which many have been lacking, which brings about a plethora of compliance issues. Without proper records, the annual Form 990 will be incomplete and contain discrepancies, leading to problems. Moreover, the IRS and other governing bodies quite frequently request information from non-profits, and botched record-keeping will stand in the way of this.


Experts believe that a failure to maintain records efficiently is a good way to break laws and is among the easiest ways to risk non-compliance. Thankfully, digitized solutions help solve this problem with cloud-computing and customizable control systems, thus ensuring records are maintained and secure.  


Considering the role that non-profits play in the economy, it is incredibly vital that they do not abuse their economic privilege. For this reason, non-profits need to implement internal controls and there's no better way to safeguard the organization than to do it pre-emptively. This is where VComply can be of great assistance to non-profits by providing fully integrated GRC Management Software. It gives organizations the option to establish controls and reminders to ensure that compliance obligations are the first priority. VComply helps non-profits with real-time data tracking, risk management, and compliance management without complications.


VComply Editorial Team
Banks Non-Compliance Fines Rose in 2020: Lessons Learned
Feb 16, 2021

Regulatory watchdogs around the world served stiff penalties in 2020, with major financial institutions being asked to own up to their deficiencies and malpractices. Citigroup faced a $400 million fine for risk management shortfalls, JP Morgan was charged $920 million for illicit market activity, Westpac agreed to a record fine of AUD 1.3 billion for anti-money laundering breaches, Goldman Sachs was fined $2.9 billion in connection with the 1MDB scandal, and Wells Fargo saw a huge $3 billion penalty for the fraudulent account fiasco.

The list could go on, but as the fines grow weightier, all eyes are on what compliance can do to protect organizations from not just economic damage, but the long-lasting reputational damage that accompanies financial abuses. Here are some compliance learnings one can glean from the Goldman Sachs and Wells Fargo cases.

Goldman Sachs

In the 1MDB scandal, Goldman Sachs came under intense scrutiny for its role in money being siphoned from Malaysia’s sovereign wealth fund, 1Malaysia Development Berhad. The ongoing investigation probes the bank’s role in underwriting 1MDB bond issues. About $6.5bn was raised in 2012 and 2013 and the bank is said to have earned over $600m in fees for the work. The complex global fraud saw Malaysian common folk deprived, private pockets filled, and Goldman Sachs staring at fines to the tune of $5 billion.

Recently, the bank’s chairman and CEO, David Solomon, called the scandal an “institutional failure”, noting that “certain former employees broke the law, lied to our colleagues and circumvented firm controls...we did not adequately address red flags...”

In the aftermath of the 1MDB scandal, experts from around the world have offered opinions on what might have led to the massive corruption scheme.

Here are some insights compliance officers can gather from the 1MDB event.

1) Make compliance part of business strategy

Goldman Sachs intended to expand aggressively and dominate the South-East Asian market. The problem lay in the fact that the SEA market was also known to carry a high risk of money laundering. Turns out that Goldman’s compliance and risk management systems weren’t primed in keeping with the high-risk business model that the bank was adopting for the region. The US Department of Justice later noted that, “[Goldman’s] business culture…particularly in south-east Asia, was highly focused on consummating deals, at times prioritizing this goal ahead of the proper operation of its compliance functions.” A key learning from this is that compliance is a crucial element of business strategy.

2) Ensure the ‘tone from the top’ safeguards compliance

Central to the 1MDB scandal was former chairman of Goldman Sachs in South-East Asia Timothy Leissner, and he later pleaded guilty to conspiring to launder money. Bloomberg reports Leissner as revealing that the “culture of secrecy” at Goldman led him to conceal wrongdoing from compliance staff.

“It must be presumed,” university lecturer Alexander Dill says, “that he would not have attained partnership status, without executive management’s approval of his conduct and character. Who makes partner at Goldman is a true reflection of the company’s tone at the top.”

When the tone at the top upholds ethics and integrity, compliance has a firm footing. If ethical norms are brushed aside by an organization’s leadership, it can only be a matter of time before cracks emerge.

3) Avoid a siloed approach as it cripples compliance efforts

International fugitive Jho Low is accused of having masterminded the 1MDB plot, and Leissner tried to have him as a Goldman Sachs customer. The move was prevented by the bank’s Compliance Group and Intelligence Group on concerns they had over the source of Low’s wealth. Yet Leissner continued to work with Low, and financial regulation news analyst Regulation Asia points out that, “a siloed approach to KYC allowed its sales team to circumvent controls and onboard Low as an indirect customer via the 1MDB bonds.”

If your organization’s sales teams, compliance departments, senior management, and board work in silos, information can slip through the cracks and the controls in place to detect financial crime can give way. In the case of money laundering, the first step, “placement”, that is, the act through which the fraudster seeks to insert tainted money into the legal system, is crucial. For KYC controls to work efficiently, it is best that all departments work together.

Wells Fargo

The account fraud scandal at Wells Fargo came to light towards the end of 2016. Over a million fraudulent bank and credit card accounts were reportedly created on behalf of clients of the bank without their knowledge or consent. Wells Fargo bet hard on a cross-selling strategy and by 2012 had an average of .9 products per customer. However, by 2013, rumors had surfaced that employees were gaming the system to meet their cross-selling targets.


Cutting to the chase, a Shearman & Sterling report later pointed out that, “Many employees felt that failing to meet sales goals could (and sometimes did) result in termination” and that “certain managers explicitly encouraged their subordinates to sell unnecessary products to their customers in an effort to meet sales goals.”


It’s clear from this that the Wells Fargo fiasco boils down to aspects like a problematic business strategy, bad company culture, and poor tone at the top. Back in September 2016, the bank was fined $18 million, and as recently as February 2020, Wells Fargo faced charges amounting to $3 billion.


What can compliance officers learn from the Wells Fargo fiasco?


1) Have many parts working together to achieve compliance

Reports reveal that in mid-2014 Wells Fargo attempted to curb the malpractice of creating fraudulent accounts with an ethics workshop. Yet, reports also indicate that bank managers allowed illegal conduct to persist until 2016. The point here is that compliance cannot really thrive or survive if there is discord between your Code of Conduct and company culture. You need to weed out rogue employees and correct a bad company culture if you are to be successful.


Stanford researcher Brian Tayan keenly points out that branch-level employees received incentives to cross-sell, but the senior-executive bonus system did not have the increase in products per household as a metric. Are there business-critical matters that are escaping the oversight of senior members at your organization? Compliance is everyone’s responsibility and requires the entire team, right from the employees to the senior management and board, to protect the organization from known risks.


2) Use software to manage compliance and risks

Assuming that you set realistic targets for your employees and have appropriate controls in place to mitigate risk, how do you maintain a controlled and cohesive environment, prevent issues from slipping through the cracks, and stop risks from growing unnoticed? A notable way of doing this is to use cloud-based GRC software that works at an organization level.


VComply, for instance, gives you the tools you need to assign responsibilities, escalate matters, conduct gap analysis, monitor your risks, evaluate existing controls, distribute and test policies, and a lot more. You may or may not have thousands of employees like Wells Fargo; nonetheless, overseeing the lifecycle of your compliance, risk, and policy efforts can be painstaking and even impossible if you do not have the tools to do so.


3) Remember compliance pays dividends in customer trust

Wells Fargo has been, and still is, among the biggest banks in the US. Imagine the shock and betrayal customers would have experienced on hearing that Wells Fargo created fraudulent credit cards or bank accounts in their name. The reputational damage of non-compliance is immense.  "Simply put, Wells Fargo traded its hard-earned reputation for short-term profits, and harmed untold numbers of customers along the way," US attorney Nick Hanna is quoted as saying.


The moral is that no one is above the rules. Regulatory compliance is not something you want to gamble with, as it can wipe out your customer base and shareholder value.


Whether it's anti-money laundering or nurturing an ethical business culture, Goldman Sachs and Wells Fargo teach us that compliance is more than a checklist. It evolves with your organization, and having the tools to stay compliant best serves your growth.


VComply Editorial Team
What is SOC 2 Compliance?
Feb 25, 2021

With digitization of services progressing at a relentless pace, businesses are storing large volumes of customer data. But with sensitive information being routinely handled by service providers and third-party associates, there is a pressing need for increased information security. Data breaches and cybercrime, too, are a threat to security. In such a scenario, it is not uncommon for clients to want an independent review of your internal controls for data security prior to partnering with you, especially if you are a SaaS organization.

This is the kind of guarantee that a SOC 2 audit provides, and many organizations seek to be SOC 2 compliant to possess more robust internal controls and improve their trustworthiness. For an in-depth look at what SOC 2 is and the relevance of SOC 2 audits, read on.

What is SOC 2?

Framed by the American Institute of CPAs (AICPA), Service Organization Control 2 or SOC 2 lays down a framework for strong information security for cloud service companies. SOC 2 applies to SaaS companies and businesses that upload customer data to the cloud and aims to safeguard this data through 5 Trust Services Criteria.

The 5 Trust Services criteria are:

● Security
● Availability
● Processing integrity
● Confidentiality
● Privacy

Following this, SOC 2 compliance is about an organization being able to assure the security of customer data, based on these 5 principles, using adequate controls and systems. Beyond criteria, SOC 2 also provides an auditing procedure and a SOC 2 audit report aims to assure users, clients, stakeholders, and third parties that the organization is complying with the criteria in place for handling sensitive information.

That said, SOC 2 reports are unique to your organization and you have the power to design controls and systems to comply with the trust service criteria that are relevant to you. SOC 2 audits are performed by accountancy organizations or an independent CPA (Certified Public Accountant).

Do you need to be SOC 2 compliant?

Companies and clients you liaise with may not require you to furnish SOC 2 reports. SOC 2 compliance is not a strict necessity in that sense. However, being SOC 2 compliant has its share of benefits. Here’s a look at what they are.

● When auditors attest to your organization’s systems and controls for data security, you possess a competitive advantage in the market. All things equal, clients are sure to prefer an organization that assures them of information security and integrity.

● SOC 2 compliance can help boost your other compliance efforts, such as preparing to be compliant with ISO 27001.

● Data breaches can cause grave financial losses and have legal ramifications too. Being SOC 2 compliant is an ideal way to safeguard yourself against such risks.

So, while SOC 2 compliance is not mandatory, objectively speaking, it may be required for your organization on a practical level.

What are the SOC 2 Trust Categories?

The 5 Trust Services Categories outlined by AICPA are:

Security: Refers to information and systems being protected against unauthorized access, unauthorized disclosure, and damage that could affect the entity’s ability to meet its objectives.

        a. Information protection in this case covers the points of collection, creation, transmission, storage, processing, and use

        b. Systems under protection are those that employ electronic information to act on the information gained

The security criterion seeks to safeguard customer data against aspects like theft and unauthorized disclosure. Consequently, controls like two-factor authentication can be used to secure data.

Availability: Refers to systems and information being available for operation and use to meet the entity’s objectives.

So, your systems need to be available and accessible as per the terms of your service agreement. Availability is vital, for instance, if you run a datacenter or a web hosting service, which requires data to be accessible 24/7. Likewise, if you sell a SaaS product, you need to ensure that it is available for use, as per the agreement.

Processing Integrity: Pertains to services provided or goods manufactured, distributed, or produced. It ensures that the audited system’s processing is valid, complete, timely, accurate, and authorized in such a way that the entity’s objectives can be met.

If you provide e-commerce services or transact on behalf of clients, processing integrity should make its way into your SOC 2 report. This assures clients that data modification is authorized, processing errors can be detected, system output is accurate, and so on.

Confidentiality: Stipulates that information that is held as confidential is aptly protected to meet the entity’s objectives. This applies from the point of collection right till removal. While privacy pertains to personal information, confidentiality refers to other information as well, such as proprietary information, trade secrets, and intellectual property.

An example of data that needs to be protected is personal health information. If your organization collects and stores such information, an audit of confidentiality ought to be carried out as per the SOC 2 guidelines.

Privacy: Refers to the collection, usage, retention, disclosure, and disposal of personal information to meet the entity’s objectives. Privacy has parameters such as:

        a. Notice and communication of objectives
        b. Choice and consent
        c. Collection
        d. Use, retention, and disposal
        e. Access
        f. Disclosure and notification
        g. Quality
        h. Monitoring and enforcement

The privacy criterion verifies that your organization is handling customer data in accordance with the privacy terms agreed upon.

What is Type 1 and Type 2 of SOC 2?

SOC 2 has two types of reports. Type 1 reports attest to the design of controls and security systems at your organization at a specific point in time. Type 2 audit reports are broader in scope. They contain everything that is included in Type 1 reports and attest to the effectiveness of the controls in place evaluated for a period of 6 months or more. Thus, a SOC 2 type 2 report is more valuable.

What is the difference between SOC 1, SOC 2, and SOC 3?

A SOC 1 report attests to financial controls only. It is mainly for other auditors. A SOC 2 report attests to controls that come under the 5 Trust Service Criteria. A SOC 2 report is mainly for the company itself, and while SOC 1 focuses on internal controls over financial reporting (ICFR), SOC 2 focuses on data handling as per the Trust Criteria. A SOC 3 report is a general use report that is designed for public sharing. It is a high-level summary of the SOC 2 report but does not go into the details of the information in it.

Can GRC software help you become SOC 2 compliant?

A GRC platform like VComply can help you design internal controls that keep your organization compliant with the criteria requirements of SOC 2. VComply provides an uncomplicated way for you to manage compliance and risk, allowing you to assign controls and track them through an intuitive interface. For instance, you can assign responsibilities for data security so as to comply with SOC 2’s primary criteria.

Being SOC 2 compliant is sure to throw open doors to business opportunities and improve customer confidence in your services. Go about it the smart way with a GRC solution by your side!

VComply Editorial Team
What is Operational Resilience?
Jan 7, 2021

Etymologically, the word resilience has roots in the Latin term resilire, which means ‘to rebound’. In a similar vein, operational resilience describes an organization’s ability to cope with change or misfortune. The ongoing global pandemic, COVID-19, is an extreme form of misfortune, but its impact has been so universal that it has laid bare each organization’s level of operational resilience and sparked renewed interest in the topic.

Stress, threats, potential failures, disruptions, uncertainty, and change are part of the life of an organization, but one that is operationally resilient has the wherewithal to maneuver through it all. From climate change, power grid blackouts, and cyber-attacks to a tainted image on social media and demand-supply disruptions, there are numerous factors that can cause an organization to buckle and crack. A resilient organization has the frameworks and mechanisms to bounce back when dealt the unexpected.

Operational resilience, however, goes further than an organization simply maintaining business continuity or managing risk.

What is operational resilience?

Here are two helpful definitions:

Gartner: Operational resilience is a set of techniques that allow people, processes, and informational systems to adapt to changing patterns. It is the ability to alter operations in the face of changing business conditions. Operationally resilient enterprises have the organizational competencies to ramp up or slow down operations in a way that provides a competitive edge and enables quick and local process modification.

PwC: We define operational resilience as “an organization’s ability to protect and sustain the core business services that are key for its clients, both during business as usual and when experiencing operational stress or disruption.”

The operational resilience definition offered by Gartner places a lot of emphasis on ‘techniques’, ‘abilities’, and ‘competencies’. PwC too focuses on ‘ability’ but brings the end goal into the picture, that is, service of the ‘client’.

This article will elaborate more on these themes, while also providing some operational resilience examples.

Interconnected and futuristic

To work within a sound operational resilience framework means to consider risks in a holistic manner. It involves moving away from a vertical and siloed approach to a horizontal and organization-wide approach. This way you aren’t left facing collapsing dominos when one segment of your operations stalls. Similarly, key to the word resilience is the aspect of bouncing back and if your operational resilience strategy focuses on avoiding disruptions only, it is inadequate. Operational resilience is a trait by which your organization can get back to everyday business once a disruption occurs too!

Digital, data and cyber

Today, amid the pandemic, digital adoption is what has kept many businesses running and building a layer of digital resilience can help you put your best foot forward. With more and more touchpoints in the customer journey being digitized, it becomes important to live up to the customer expectation of having always-on services. Issues like server outages can dampen customer confidence.

Digital processes run on data as a fuel and your operations will be only as good as the quality of data you possess. Data resiliency includes aspects like restoring compromised data, preventing data loss, and establishing a sync point in case of a snag.

Alongside digitalization and increased data comes the need for cyber operational resilience. For instance, on 5 March 2020 US power utilities were the subject of a cyberattack that used firewall vulnerabilities to cause ‘blind spots’. The system was resilient enough that the actual flow of electricity was not affected. However, this incident shines a light on present-day practices that hamper organizational resilience. These include using sensitive apps over home Wi-Fi, storing passwords on home devices, and limited awareness about data privacy.

Client is king

When an organization is in its nascent stages, everything revolves around satisfying the client. At such times, it is quite clear what the firm’s key business processes are, which add direct value to the client. However, as an organization scales, processes become more abstract and even at the C-level, one is not dealing with the client’s needs and aspirations directly, but with other contingencies. While it is required that, for instance, the CIO, COO, and CEO take up different responsibilities, resilience is built when these are ordered to the client’s needs.

This approach makes it easier to identify key products and services, meaning that business continuity planning becomes more strategic and secure when the client is at the center. The goal of a client-centric operational resilience strategy must be to uninterruptedly deliver critical operations, even amidst disruptions.

Human resource

At a certain level, your organization is only as good as your employees. Business staff man several key processes, without which products and services would never reach the client. Factors like employee attrition and wages are perennial issues that threaten business continuity, and hence operational resilience. But in the wake of the pandemic, newer issues such as employee wellness have surfaced. In an increasingly remote-first work environment, HR teams have the tricky task of accepting work from home’s olive branch of business continuity, while knowing that prolonged isolation is a deadly threat to creativity, collaboration, and long-term goals.

Third-party dependency

Whether you have an operational resilience manager or not, possessing a framework for managing third-party relationships that are interwoven with critical operations is a must. This is another way of saying that the client shouldn’t be at the receiving end of issues related to sourcing and other external dependencies. Achieving this includes performing due diligence and risk assessment according to your standards for operational resilience before entering into an agreement.

Governance, risk, and compliance

GRC is integral to operational resilience – and not just because organizations are increasingly coming under the scrutiny of regulatory authorities! A good operational resilience framework includes having a governance structure that can respond to disruptions. Ongoing risk assessment too is crucial to weeding out vulnerabilities and avoiding threats. As mentioned earlier, being resilient means moving away from silos and being more holistic and here, GRC software serves aptly as operational resilience technology.

Solutions like VComply ensure you have a better way to run your business. VComply is a comprehensive platform you can use to govern risks, stay compliant, and implement an operational resilience strategy in a way that you cannot with spreadsheets and binders. With automated reports, integrated workflows, data centralization and more, you can more reliably work towards making your business ‘disruption-proof’.

With a better understanding of what operational resilience is, proceed to define what it means in the context of your organization and grow your business strategically!

VComply Editorial Team
What is CCPA? How Do You Ensure Compliance with CCPA?
Jan 5, 2021

In this day and age, data is the most important asset that businesses need to protect.

All businesses, big or small, have access to more data than ever. This includes customer data, suppliers’ data, accounting data, and more. The CCPA (California Consumer Privacy Act) has been brought into existence in the state of California for the protection of consumer data and safeguarding their interests.

In this article, we will discuss CCPA in detail and cover topics such as:

● What is CCPA?

● Difference between CCPA and GDPR

● Which business does the CCPA apply to?

● What is personal information under CCPA?

● What are the consequences of non-compliance with the CCPA?

● Steps to become CCPA compliant

What is CCPA?

The CCPA was introduced on the 1st of January, 2020, in the state of California to protect consumers’ personal information. This act allows consumers to investigate what information a business collects about them, and how the information is used or shared. A consumer can ask a company to delete or alter their information under Section 1 (AB 1146) if they feel it will have an adverse effect or their privacy will be hindered. For example, a customer may not want his photo to be shared after a hair transplant.

In order to comply with the CCPA, businesses should take the following steps:

● First, find out if the CCPA is applicable to your business.

● Update the privacy policy data as per the CCPA.

● Provide an opt-in option so that users give prior consent before their information is sold, with consent from parents for under-age users.

● Provide a ‘Do not sell my data’ option so that users can opt out of the sale of their information.

CCPA and GDPR: A comparison

The CCPA and GDPR share the same objective: to protect consumers’ data and information from misuse. However, there are a few differences between them, as we'll see below:

● Commencement Date

The CCPA was effective from 1st January 2020, while GDPR came into existence on 25th May, 2018.

● Protection

CCPA protects information that identifies, describes, or is associated with the consumer, such as photos or videos. On the other hand, GDPR protects a specific piece of information about a consumer, for example, a credit card number.

● Region

The CCPA applies only to the state of California, while the GDPR applies to any data subject who is a citizen of the European Union.

● Regulation

Businesses that earn more than $25 million, collect data from more than 50,000 consumers, and generate more than 50% of their revenue by selling consumers’ data come under the regulation of the CCPA.

Any business around the globe that handles the private data of EU citizens comes under the GDPR.

● Penalties

If any provision of the CCPA is violated, a fine of $2,500 to $7,500 may be charged, depending on the decision of the Attorney General of California.

The penalty under the GDPR can be 4% of the company's annual turnover or €20 million, whichever is higher.

Which businesses does the CCPA apply to?

The CCPA applies to businesses big and small. All companies in the business of collecting data or information from consumers need to comply with the CCPA.

Specifically, businesses that come under CCPA compliance are:

● Businesses based in California or that deal with California consumers.

● Businesses engaged in collecting consumers’ personal data.

● Commercial organizations that make more than $25 million gross profit annually.

● Companies that are collecting and selling data for more than 50,000 users.

● Businesses that generate more than 50% of their revenue by selling consumers’ data.

● Additional obligations apply under the CCPA if the company handles data on more than 4 million users.

Businesses exempt from the CCPA are:

● Businesses not based in California and not dealing with California consumers.

● Businesses not engaged in collecting consumer data.

● Nonprofit organizations.

● Credit reporting agencies that fall under the Fair Credit Reporting Act.

● Financial companies that fall under the Gramm-Leach-Bliley Act.

● Health care centers covered by HIPAA (the Health Insurance Portability and Accountability Act).

What is personal information under CCPA?

Personal information under the CCPA is anything that describes or is associated, directly or indirectly, with a consumer, household, or device.

Personal information covered under the CCPA includes the following:

● Customer Identification

Information that identifies a customer, such as name, age, gender, photograph, and other related identifiers.

● Customer Information

Information such as a signature, Social Security number, driver's license number, bank account number, etc. counts as customer information under the CCPA.

● Biometric Data

Information captured and recorded electronically, such as fingerprints, eye color, retina scans, and similar biometric data.

● Commercial Details

Information such as bank details, transactions such as the purchase and sale of goods and services, payment of utility bills, etc. are all commercial records of a customer.

● Educational Background

This refers to information on a person's qualifications, such as whether they hold a graduate or postgraduate degree.

● Professional Information

Professional information refers to what a person is professionally engaged in.

● Location

Where people live, which places they visit and check in to, and where they travel are records of their location. The trend of Facebook and Instagram check-ins is an example of information that shows where a person has been.

Consequences of non-compliance with CCPA

A company that doesn’t comply with the CCPA can be penalized with charges of thousands of dollars. If a business violates the CCPA and fails to pay the charges, it risks a complete shutdown of the business, website, or channel. Consumers are also in a position to sue companies for a breach of their private information after a notice period of 30 days. The Attorney General of California can also sue the business for the violation of any provision of the CCPA.

Here are some specific penalties businesses might incur if they fail to comply with the CCPA:

● Charges of $100 to $750 per violation if a company cannot show that it acted justly and fairly towards the consumer.

● A fine of $2,500 can be charged by the Attorney General of California if the law was violated unintentionally.

● A fine of $7,500 will be charged if the Attorney General finds that you have violated the law intentionally.

Steps to become compliant with the CCPA

Here are some steps businesses can take to ensure compliance with the CCPA at all times:

● Know Your Business

First, you need to know whether your business falls into the category that must comply with the CCPA. To fall under the jurisdiction of the CCPA, your business should be a commercial organization that collects data on California consumers and generates income of more than $25 million, makes 50% of its profits by selling data, and sells data on more than 50,000 users.

● Keep a tab on data collection

Be sure to keep an eye on all personal information your business is collecting about your consumers. This includes data collected on your website, data your employees are collecting, and so on.

● Create a data map

A data map is a very important part of data privacy management. It shows what data you collect, where it is stored, how secure it is, who has access to the data, and the purposes it is used for.

● Update your privacy policy

Regularly review your company's policies and procedures for handling personal information. Your employees should not be allowed to download customer data, for example accounting data for audit purposes, onto their own devices.

● Include an opt-out link

Create a process for customers to opt out and have their data deleted from your records; this is an important part of the regulation. Customers can opt out of the sharing or selling of their data, and the link for doing so should be prominently accessible on your website.

● Improve customer communication

A company should respond promptly to customers who request a change in how their data is used. Companies should also be able to tell a consumer who asks what private information is held about them and how it is being sold.

● Vet all third-party contracts

Review contracts with third-party vendors against your policies on managing and using customer data. Determine what needs to change in light of the privacy policy, and spell out in the contract the responsibilities the third party will handle.

● Have security controls in place

The CCPA imposes strict fines for data breaches. It is therefore essential that the data you collect is fully secured and encrypted. Review your security controls and make sure they are sufficient to protect your business against breaches.

● Invest in employee training

Employees must be adequately trained and educated regarding the CCPA. They must be aware of the consequences of mishandling data, and of how best to communicate with customers regarding their personal information.

Wrapping up

The goal of the CCPA is to protect consumer information from being misused and mishandled. Businesses complying with the CCPA are thus likely to enjoy more loyalty and goodwill from customers.

If you're struggling to keep up with the various laws and regulations your business must comply with, we've got a solution for you. VComply's GRC software makes it easy for businesses in all industries to manage compliance and governance in a hassle-free way.

VComply Editorial Team
5 Ways Internal Audits Can Go Beyond Tick Marks And Spreadsheets
Dec 11, 2020

The tick mark has grown to become a symbol of the internal auditor’s raison d'être, but the primary role of internal audit is not, in fact, defined by stationery and workpapers. The Institute of Internal Auditors (IIA) notes that:

“The role of internal audit is to provide independent assurance that an organization's risk management, governance and internal control processes are operating effectively.”

Today, in the wake of the pandemic, organizations across the world are not just realizing the importance of internal audit, but also appreciating the merits of internal audit that go beyond the confines of ticking and tying. With automation, AI, and ML bringing data-driven insights to the table, C-suites and boards are better able to see why internal audit departments should exist. What is the primary objective of auditing? It’s about offering an independent opinion. But how often do auditors unearth matters of real importance? The crux of the issue lies in going beyond spreadsheets and into strategy. To that end, it is helpful to list some best practices that can change how internal audit works.

Carefully define the scope of internal audit

This applies both to what is audited and to how much. After all, internal audit teams help boards and the C-suite steer the ship. It is of prime importance that auditors are trained to look at the big picture and not just at minute details, which very often have no significant consequence for decision making. As the pandemic unfolded, many organizations were confronted with realities they had hitherto turned a blind eye to, and if internal audit can unmask threats with well-timed counsel, it will well and truly have done its job.

The objectives of each audit, too, must be defined so that teams are not overwhelmed by scope creep, which is what happens when you aren’t able to audit in a modular way and end up investigating and rummaging through everything. To define the scope of the undertaking, it can be helpful to learn from past audits and build an element of structure into the internal audit process by drawing up a schedule, assigning responsibilities, setting a budget, and so on.

Prioritize insights and advice

One thing the pandemic made clear is that a spotless past is no absolute guarantee of a seamless future. Many ways of working were condemned to at least temporary obsolescence, and today many organizations question their preparedness for what is to come. Hence, internal audit has the chance to evolve into the role of a dependable advisor. The emphasis here is on what lies ahead. Yes, GRC is important, but consulting must come to the fore too.

Shining a spotlight on issues that have occurred, and even diagnosing them, is one thing; investigating processes for issues that may occur in the future is quite another! This is the kind of value that leadership and stakeholders seek, especially after the pandemic. Forward-looking internal audit can take many forms: providing data on how much cybersecurity risk working from home poses, probing current employee morale and what a company needs to do to avoid attrition, alerting management to current ways of working that are likely to come under environmental sanctions in the future, and so on. The advantages of internal audit multiply when you add strategy to assurance.

Invest in the right skill sets

You’ll note that shifting the focus from hindsight to foresight is not so much about the internal audit process as about the competence of the team. As such, it makes sense to recruit and retain top talent. Besides technical audit skills, there are several competencies you should look for in your auditors.

Data analysis: There is a reason that data science is in vogue and people from all professions are taking to it. With operations and processes becoming increasingly digital, there is a dire need for professionals who can work with that data, make sense of it, and churn out insights from a heap of 1s and 0s. This means that if an audit lead, for instance, were able to process data, he or she could instantly steer the internal audit team towards bringing data-driven insights to the executive table.

Soft skills: Irrespective of the internal audit procedure and the technical skills it demands, what does not change is the need for soft skills like exemplary communication. These are often hard to teach, and given that internal auditors communicate with people at different levels of the organization (the audit committee, board, C-suite, employees, and stakeholders alike), soft skills can be the factor that determines the efficacy of an audit.

Cybersecurity: With online work going mainstream and unsafe cyber practices commonplace, a fragile, digitally connected world is now a reality. Along with this comes the increased probability of a cyber pandemic that can cripple industries on a global scale. Far from being a conspiracy theory, this is what entities like the World Economic Forum are talking about. Having an internal audit department that understands cybersecurity is almost a necessity today (why wait for the next pandemic to strike!).

Cultivate a culture of transparency

Ancient philosophers believed that what is received is received according to the mode of the receiver, meaning that an internal audit report may be only as good as the way it is accepted. Since it is to consist of an independent opinion, it becomes necessary to foster transparency across the organization, and definitely between the auditors and the people they report to. If internal audit reports to an audit committee, things become easier; but in a small organization, for instance, where auditors must report to the department they are auditing, it becomes tricky.

An interesting way to improve transparency across the organization is to reduce the gap between employees through collaboration. If auditors work with other employees, and vice versa, mutual trust will form; further, cross-team projects give internal audit an opportunity to glean strategic insights.

Deploy an organization-wide GRC solution

The traditional internal audit checklist is replete with items like repetitive tasks, manual data extraction, spreadsheet-intensive work, and report preparation. Not only are many of these time-consuming, but in other fields tasks such as these have already been automated. It is this gap that GRC solutions like VComply seek to fill, offering internal audit capabilities such as real-time metrics, easy reporting and dashboarding, advanced data analytics, compliance management, and remote auditing tools.

Deploying such software organization-wide instantly increases the scope of internal audit and is in fact a clear sign that you want to move beyond tick marks and spreadsheets, into the realm of data-driven insights and advice. Good luck!

VComply Editorial Team