Cost of Compliance

Published February 10, 2021 | 3 min read

The exact cost of corporate compliance can be hard to quantify. Broadly speaking, the “cost of compliance” encompasses the costs of everything a company does to improve compliance efforts and meet all regulatory requirements. That includes the costs of the compliance program itself (compliance staff and technology, foremost); audits that must be performed; and other less visible costs, from HR to payroll to various operational procedures. 

The cost of non-compliance can be just as elusive, since most firms won’t feel that cost until they have an actual compliance failure on their hands. One thing, however, is certain.

When you add the costs of investigations, monetary penalties, employee man-hours, disaster recovery, civil litigation, lost business, and whatever other damage might befall you—the cost of all that will be significantly greater than the costs of a compliance program that worked well in the first place. 

Compliance Audits 

One of the most tangible costs of compliance is the set of audits a business must undertake to demonstrate compliance with various regulations. Exactly which audits a company will need to complete will vary by industry and corporate structure, but the most common include:

  • PCI DSS Level 1 (Payment Card Industry Data Security Standard – Level 1)
  • SOC 2 (Service Organization Control 2)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • SOX (Sarbanes-Oxley Act)
  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)

What Is PCI Level 1 Compliance?

PCI Level 1 derives from the Payment Card Industry Data Security Standard; Level 1 audits apply to the first “merchant level” out of four. 

PCI DSS is designed to protect credit card information used in consumer transactions. It applies to retail transactions, both physical and online. The audit levels differ based on the number of transactions a merchant processes in a given year. Level 1 audits are the most common.

What Is SOC 2 Compliance?

SOC 2 audits assess an organization’s data security and privacy controls. The scope of a SOC 2 audit can vary enormously, but all SOC 2 audits are based on five “trust service principles”: privacy, security, availability, processing integrity, and confidentiality. SOC 2 audits are tailored to fit an individual organization’s specific needs. Level I audits assess whether security and privacy controls are designed properly; Level II audits assess whether those controls also operate effectively over time.

What Does HIPAA Stand For?

Any business that collects or processes personal health information must comply with HIPAA, the Health Insurance Portability and Accountability Act of 1996. HIPAA compliance requires regular audits to assure that protected health information (PHI) meets privacy and data security obligations spelled out in the law. 

What Is SOX Compliance?

SOX stands for the Sarbanes-Oxley Act, enacted in 2002. SOX is intended to assure the reliability of the financial statements that publicly traded companies disclose to investors. SOX expanded the requirements of companies’ annual financial audit to include audits of the effectiveness of internal controls over financial reporting (ICFR).

What Is GDPR Compliance?

The European Union’s General Data Protection Regulation, or GDPR, is an EU-wide privacy law that guarantees certain privacy rights to EU citizens. As part of compliance, businesses subject to the GDPR must perform regular audits of their privacy controls. 

What Is CCPA Compliance?

The California Consumer Privacy Act (CCPA) is a privacy law for the state of California. It’s similar to the GDPR in several ways, including the fundamental concept that businesses operating in California or collecting data about California residents must guarantee certain privacy rights to individuals. Again, audits of your privacy program are a key part of compliance. 

Compliance vs. Noncompliance 

There’s no question that the expense of noncompliance can far outweigh the cost of compliance. As one article from Investopedia says: “The cost of compliance, on average, is approximately $5.5 million; whereas the cost for noncompliance is approximately $15 million.” You could, essentially, be paying triple the cost if you choose noncompliance, with innumerable other legal, personnel, and reputational costs on top of that.

Automation Software Can Lower Costs

Whatever the costs of compliance for your organization might be, automation software is one proven way to keep those costs as low as possible—and to lower those costs, if audits and other chores are becoming too unwieldy to manage manually. 

ZenGRC automates your compliance tasks, provides a baseline to help you improve and track ROI for compliance, and tracks all documentation and requirements in a single, central location so you always know your organization’s compliance posture for compliance certifications and requirements.

To better understand how ZenGRC automation can help you navigate your compliance needs, schedule a free demo today!
