Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Handling Multiple Certifications

Quick Take

On this week’s episode of Compliance Unfiltered, Adam gives you an in-depth breakdown of all the ins and outs of going up against multiple compliance standards.

  • Why is it challenging?
  • How do you do it?
  • How does your industry impact the compliance standards you’re required to go up against?

Don’t worry, we’ve got your back.

Have additional questions about things like implementation of a new approach? You’re not alone. Adam has the keys to unlock that door and more – all on this week’s Compliance Unfiltered!

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process.

Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Well, welcome into another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who literally has compliance pumping through his veins, Adam Goslin. Adam, how the heck are you today? 

I’m doing great, Todd. How are you? 

I can’t complain, sir. More copy is the answer. More copy is always the answer. Hey, it can’t hurt. These are facts.

These are facts. Today, we’re going to talk about something that actually has wide ranging applicability. And that is the topic of organizations who need to go up against more than one compliance standard or certification. So just as a reminder to the listener, you can follow us and interact with us at Compliance Sucks on both Twitter and Instagram. And we invite you to do so. We’re looking forward to hearing your feedback. If there are things that you want to cover in upcoming episodes of Compliance Unfiltered, we’d love to hear from you so that we can address those topics. But today, as I mentioned, more than one certification that companies have to go up against. I’m sure that that changes the landscape of their compliance needs. So Adam, why would a company be subject to more than one standard? 

Well, there’s a number of different kind of cases why organizations would find themselves in that position. So, an example would be what industry they’re in. So, if I’m in healthcare, then HIPAA, et cetera. More often than not, so that’s kind of like the baseline, what do we need to do? And then you’ve got various customer mandates. We interact with you and we’re gonna need you to be SOC compliant or we’re gonna need you to be ISO compliant, et cetera, whatever their kind of flavor of the day is that that organization kind of centers around. They’ll typically try to make it easier on themselves and thereby, mandated on those that they work with. So, for a lot of organizations, one kind of, I’m gonna call it, especially for those that you kind of are just starting to get down that path, there’s a couple of problems that organizations will run into.

So, as an example, you won’t have any idea what legal agreements, as an example, were signed off on, let’s say you’ve been with the company for three or four years, the company’s been around for 10 years, then what legal requirements do we have? So, you’ve certainly got the clamoring from the existing clientele that, hey, I need you to be fill in the blank. But, one recommendation for organizations is literally go back to your legal agreements and go take a look. You never know what Martha signed off on, eight years ago type of thing, and we’re supposed to be adherent to, et cetera. So, if you haven’t done kind of that taking stock, then certainly recommend. And there are occasions where an organization isn’t in an industry that has kind of a de facto do a mandatory standard, nor do they have clients that are saying, thou shalt be fill in the blank compliant. And so, for those, the organization, more often than not, will go in and select a particular standard that they want to go into. Most of the time for them, they’re trying to be proactive. They just want to kind of make improvements and whatnot to the security for the organization so that they can kind of have something in place as a framework to follow. 

That makes total sense, but now I have to ask you this, why can handling multiple certifications present challenges for organizations? 

Oh, gosh, there’s, um… So, yeah, give you kind of some various talking points here. So, let’s say that you’re going through something like, you know, our organization does PCI today, and now we need to go get SOC 2, or we need to go get ISO. You know, between the more prescriptive standards, and you could literally have close to, you know, total coverage between the certifications you’ve got, you know, easily 85, 90% coverage between your certifications. So, you know, there’s a, you know, when you start layering in that second, you know, second, third, fourth, you know, certification, certainly the more you layer in, the greater the crossover, you know, becomes, it really just depends on which certifications we’re talking about that you’ve got, you know, kind of that you’ve got in hand, if you will.

You know, the other part with multiple certifications is, you know, one certification, it contains a certain amount of complexity as you’re going through the process. Now you’re, you know, now you’re talking about potentially, you know, having two and three different standards now that you’re juggling, you know, I won’t call it double and triplicating the complexity, but certainly you’ve got complexity that’s going to come into play. Sometimes, depending on what certifications it is that we’re talking about, you know, maybe you started off with a, you know, with a SOC auditor, but that SOC auditor doesn’t do PCI. Well, now I’ve got to go and find a QSA. I’m going down the path of HIPAA, now I need to go to ISO, but my, you know, whoever I was, you know, kind of working with to navigate the waters for HIPAA, isn’t somebody that can sign off on an ISO certification. So, you know, oftentimes there’ll be multiple assessors that end up getting involved, and especially with those organizations where this has kind of happened organically over time, the more, you know, you’ll see that kind of, you know, well, you know, we don’t have any, you know, none of our existing assessors, you know, currently will support fill in the blanks, so now we’re going to go layer in another one type of thing. So, you know, you end up oftentimes with multiple assessors. If your engagements are, you know, are running internally, you know, if they’re run separately internally, you know, so that you don’t have continuity between the various certifications, well, now I’m going to whatever, let’s just pick on the developers for the sake of this discussion. I’m going to the development team, and I’m asking them for my list of things I need for certification one, then, you know, four months later, now I’m asking them for all the stuff to do with certification two, you know, et cetera.

The, you know, the one, this kind of brings up a point surrounding the timing of these, you know, of the multiple certifications. You know, one of the big challenges is when you have your certifications, I’ll call it running off cycle, right?

So for the sake of ease, let’s say that my PCI runs from January 1st to December 31st, and then I layer on a SOC and, you know, just trying to get through the process and blah, blah, blah, we end up rounding out our SOC in May as an example. Well, now I’ve got a PCI cycle January through, you know, January through December. I’ve now got a SOC, you know, SOC engagement that’s going June through May. You’ve got all of these things kind of mistimed, if you will, that’s a lot of challenge.

It’s just kind of keeping all of that together. You know, and when we look at, when we look at just, you know, let’s say that it’s an individual certification. This is more to kind of give the listeners some type of an idea. And I mean, if you’re the person that is, you know, dealing with this, if you will, then you know exactly what I’m talking about. But if the person listening is, you know, is in some other department that ought to deal with it directly, this might be insightful. So, you know, as I’m going through, let’s say a PCI style engagement, you know, this whoever’s at the center of it, they’re trying to juggle like thousands of individual requests on a, you know, across a series of certifications, or PCI alone is going to be hundreds type of thing. But you’ve got a lot of moving parts there. You know, when you spread those, you know, those, if I had three to five certifications, well, now I’m into thousands or thousands of, you know, line items that were simultaneously kind of coordinating. You know, meanwhile, you’re pulling evidence, you know, across that, you know, thousand to 2000 different, you know, different line items, you’re pulling evidence from, I don’t know, let’s call it like eight different internal departments. Maybe there’s 25 people that are involved across those departments in terms of provisioning evidence. Maybe we’ve got, you know, 10 to 20 critical vendors that are involved that need to, you know, need to provide answers, input, things along those lines. You know, and that’s just some of the factors of pain that, you know, organizations have to go through when they’re doing, you know, these, you have these style of engagements.

That’s just the insight, you know, now we get the joy, we can exacerbate the headache by, you know, go throw in, you know, two, three different assessment firms into the mix and six to 12 different assessors or various QA personnel from them, you know, and, you know, and, you know, sorry, the six to 12 assessors, and that’s before it even goes to their QA departments, you know, so you start doing all of these multipliers and whatnot, and it is a big, it is a really, really big deal, and it’s very, very challenging for, you know, for these organizations to navigate. 

Okay Adam, throw me a life preserver here. What are some of the current ways to handle multiple certifications? This seems like an avalanche. 

Yep, that’s for sure. Well, I’ll start it off with, you know, kind of a you know, kind of a relational story, if you will, you know, this will be a this will be a story of a of an organization that, you know, needed to go up against, you know, four or five different certifications, etc. You know, as they started to layer it in, they started, you know, started with, you know, with a couple of, you know, kind of more directional certs quite a long time ago. And then as their maturity progressed, as their clientele progressed, you know, they started, you know, becoming, you know, getting these, you know, receiving these requests or mandates for, you know, additional certifications, they went through exactly what I was talking about before, which is, you know, they had one, you know, one particular assessor, that was, you know, initially the centerpiece. And then somebody came along and said, Yeah, but we want you to be fill in the blank compliant. And the current assessor didn’t do it. So, you know, now they needed to, you know, needed to go ahead and fold in a second assessment firm, they got another request for another cert. Neither of those, you know, folks were doing, you know, who were doing that particular certification, they had a third one that got thrown into the mix. So, you know, it just over time, it ended up growing and morphing and getting bigger and bigger. And the, you know, just the snowball, you know, snowball effect of it all, you know, just you can kind of see it in, you know, in the organization, you know, the struggle to be able to, you know, kind of deal with it.

You know, with organizations that are handling the multiple certs, generally speaking, you know, there’s a lot of manual process, there’s a lot of manual tracking, there’s, you know, there’s a, you know, the notion or need for, you know, going out getting sources of truth for mapping your various certifications together. You know, typically, it involves the bane of my existence, which is Excel, when it comes to compliance, and, you know, having, you know, whatever, one sheet for this cert, another sheet for that cert, you know, taking the sources you had for mapping and, you know, going ahead and now doing comparisons and mappings between the various sheets that you’ve got. So, you know, what all is going to get covered by what versus where we actually need net new, right? So, let’s say I’m doing PCI, and I’m doing, and I’m doing like an ISO engagement. One of the, you know, one of the areas that typically kind of falls off to the side, you know, that needs to be deliberately done for ISO would be, you know, kind of system, you know, mechanical maintenance, you know, activities, things along those lines. Well, that’s not going to necessarily get covered under PCI. So, that one needs to kind of sit on its own and get assigned off of the ISO side of the fence. You know, all of the tracking that they’ve got to do at line item by certification. 

You know, and then, you know, you go and you look at this right now I’ve got, let’s say I got three certs, three different sheets, I’ve done all of these various mappings, etc. Well, you know, now I have to go and make an update to a piece of evidence that splays across all three of these certifications. Well, now I got to go in and, you know, kind of update my, you know, update my tracking so that I, you know, realize that, oh, no, it’s not that document. It’s now this document, you know, things along those lines.

So, somebody’s got to sit in between all of this and kind of hold it all together. You know, and certainly one of the biggest challenges, it becomes amazingly evident on a multiple certification style, you know, style engagement, is just, I call it disparity and evidence delivery. So, you know, you figure, you know, you’ve got a list of tasks, you’ve given them out to the team, you know, I mean, they’re doing things like, and these are all just kind of examples, but you got to get to the point, you know, they’ll send you an email, hey, I’m done with such and such, and I put it over here on our, on the file server. You know, let me know if you need anything else, they’ll send you a text message to let you know that they’re finished. You’ll be sitting in the middle of an of a meeting about something else. And then somebody will go over and whisper, hey, by the way, I’m done with blah, blah, blah, blah. And you’re like, oh, gosh, now I got to go ahead and note that somewhere. You know, they’re passing me in the hallway. Oh, yeah, I forgot to tell you that you know, they’re you’re, you know, you’re getting stuff through conference calls, they’re leaving voicemails on your phone, you know, and, and, and it doesn’t matter. It doesn’t matter, Todd, it doesn’t matter. You can tell you can tell the team until you’re blue in the face, I want everybody to go ahead and put their stuff into this folder on SharePoint, even if you just give them an easy peasy dump zone, you know, to go dump stuff into, um, you know, even if you do that, it’s not going to work, it will not work. I guarantee you, guarantee you, you know, you’re going to be getting it coming at you from all these other directions, you know, and then, you know, I touched on the drop zone, which is, which is another element of challenge, right?

So, you know, you get this you get this folder right where you to let’s say you did convince, you know, two thirds of the team to actually drop it into the dump zone. And of course, you told them going in, I want you to make sure that you name your files, but the fuck, well, you bet somebody’s flying and they went in and basically took a screenshot or something or pull the file off of a server. And the, and the, and the, and the file name is, you know, EJ X four to five underscore, you know, STB dot text or whatever dot ping. And what is that? 

Oh! 

So now you’re sitting there trying to go in, you don’t even know who the hell loaded it, you’re trying to figure out what piece of evidence it’s gonna meet to. You’re basically kind of pinning all this together and it’s honestly, it’s just a freaking nightmare when you’re trying to deal with it, kind of call it in the traditional sense, if you will. 

That makes sense. Now, I’m a big plan your work, work your plan sort of person. I know you are as well.

How should organizations properly prepare? Like what planning steps are needed for an organization facing more than one certification?

Well, you know, the one thing that I would encourage, you know, listeners to, you know, listeners to kind of consider, if you will, is, and this is something that I, you know, that I, you know, in different ways, I’ll kind of, I’ll kind of hear it, if you will. Well, we’ve been, our, our company’s been doing, you know, doing this for, you know, a number of years, you know, why, why would we bother to change the process? You know, the bottom line is, is that, you know, well, to bottom line it, to avoid all the crap that I just mentioned.

I mean, if you think about it, the, the, the reality is that, you know, organizations oftentimes will be able, we’re just going to go do what we’ve done before because it quote works. But is it efficient? Are we, you know, making good use of our time? Are we burning hundreds and hundreds of hours of just useless crap, you know, because of the way we’ve done it? Sure. Does it work? Sure. But, you know, that’s kind of like, that’s kind of like, I don’t know. It’s kind of like giving somebody a, you know, a soup spoon and, and telling them to go level a lot that we’re going to, you know, that we’re going to prepare for building a house. Could you do it? But

Not a day. Why? Why? 

So anyway, but no it things that people need to need to kind of consider and whatnot, I mean, certainly there is a lot, lot of planning that’s involved period, you know, you’ve got to plan it out right. You know what stuff am I doing today. What types of evidence do I have this new certification, you know, blah, you want to make sure that you got all those kind of planets align.

You know, as you’re walking into this process, you know, certainly visibility to mappings of evidence, you know, one of the one of the complexity areas that folks generally don’t think about all that much is that, you know, kind of the mappings you can go get from wherever, whatever source you happen to get them from. It depends on the headspace of whoever did the mappings, right? If the only thing that they put into the mappings were things that completely met, you know, the objective and that’s all they put on there. Well, you could have all sorts of intersections in there with partial evidence. So, you know, does this item fully meet the requirements of the secondary certification, does it partially meet the requirements of the of the secondary certification, and if it partially meets it, what’s left, you know, things like that. And does it not meet anything to do with the, you know, with the target certification. So getting all of that visibility to the mappings, even if you go get it from somebody else. Then that’s something that that you’ve got to kind of put put a little bit of put a little bit of thought into. You okay with that?

I’ll manage, I’ll manage. 

I had this visual, I had a dog that loved to play, you know those those little door stoppers on the on the back door with the with the spring? It’s a freaking dog, what’s the thing? Anyway, that’s what it sounded like.

Sorry, I’m back now. 

fell out and bounced on my desk. 

I made a great sound though. You’re gonna love it. You’re gonna love listening to it again.

So anyway, the synergy in the sharing of evidence to make things more efficient. So, you know, just knowing an easy one, right? Is your information security policy. Well, I don’t care what two certs you’re putting together. Your kind of mainstay centerpiece, you know, data protection policy or whatever you call it, information security policy. That is gonna be something that, you know, that you wanna have a kind of a clean way to be able to know where all do I need to get that attached to, you know, references for, you know, for the sections, you know, by line item, et cetera. You know, in the other area that you’ve gotta, you know, put some, you know, kind of forethought and planning into is really the assessor arena. You know, going back to that story that, you know, that I was talking about earlier, where, you know, you start with one, you know, assessment firm, then you layer in the second assessment firm, then you layer in the third assessment firm. At some point in the game, you know, you’ve almost got a, and I encourage folks to do this kind of as you’re, you know, heading toward the next year, right? You’re still in the midst of trying to close out this year, but I’m looking toward next year. That’s about the right time to start thinking through, you know, is what we’re doing, is what we’re doing good, is what we’re doing efficient. Do we wanna make any modifications? You know, planning either the interplay between the assessors, the, you know, delivery and timing of each of the assessments, you know, and, you know, do we consolidate, you know, to consolidate our assessments under, you know, kind of one umbrella or two, instead of three or four, you know, that type of thing. So, you know, planning through your various certifications or standards, as well as the assessor arena, that’s something else that will be, you know, that will be super, super, super helpful.

Okay, well, how should organizations be doing this? 

Well, you know, certainly the planning elements that I talked about, you know, those are things that need to be done, you know, kind of period. But, you know, areas where you can get some assistance is, you know, certainly we talked about the various delivery mechanisms and whatnot earlier, your world will be so much easier when you’ve got one system to store and receive all of your compliance data. And really, you know, what I would say to folks is that, you know, if you leverage kind of that, that, you know, that kind of systematic approach, the bottom line is that what you need to do is you need to press on people to say, no, I’m not going to accept your email, please put it into the system, you know, whatever, return their text, tell them to go put it in the system, call them back and leave them a voicemail, tell them to put it in the system. If you get everybody kind of going there, then that in and of itself is going to be, is going to make overall the entire process more streamlined because now I’ve got consistency in, you know, in what I’m doing.

You know, and certainly that is, I would say that that should be the objective period for a couple of different reasons. Number one is that that means that when I get around to next year, I only have one spot to go back and look at. I have one point of truth. I have one place that I need to go and refer to. If I get, you know, personnel turnover, I get new people in the mix. I have to train somebody internally positions change. Guess what? I don’t have to send them to the crap show, which is the 28 different places that people were dumping things and wish them luck or hope that they’ve got to go to this, you know, sort of outdated, you know, Excel sheet that got abandoned in the last final days because they were just, you know, basically on the phone with the assessor and winging and flinging documentation left, right and sideways so they could get it wrapped up. You know, no, I’ve got, I actually have a systematic point of truth with all of the history, all the updates, all of the evidence, all of the comments, what worked, what didn’t, you know, if the assessor had a problem with whatever evidence was provided, what was their feedback? What were they looking for? You can see all of that stuff if you’ve got it integrated into a single place.

Certainly, you know, the one major benefit of gaining that consolidation is instant updates. You know, instant updates to things like who has what? Whose hands is this in? What is the status of these items? Where are we at in the grand scheme of things? How much movement have we made since last week? These are questions that I could just, I can almost watch people listening to this that have gone through this. They’re sitting there going, uh-huh, uh-huh, uh-huh, you know, because they know what I’m talking about, you know? 

We talked about the assessor consolidation, but, you know, honestly, you know, doing things systematically is the key because it will effectively gain the organization so much in terms of future use of that now consolidated single point of truth, you know, just as well as operationally the, you know, the benefits that the organization will get over, you know, kind of over the course of the, you know, the playing out of the engagement. Not the least of which is the ready capability to come back, answer questions, and provide inputs to leadership that are, you know, that are asking justifiable questions, you know?

Where are we at? What have we done? And things like that. You know, the last element of the notion of, you know, kind of how to do is making sure that you’ve got all of the players that provide inputs, all of them able to participate in this directly. So it seems like in a lot of organizations, there’s a kind of a tendency for people to be gatekeepers, right? I’m gonna, you know, I’m the head of this department, so I’m gonna be the gatekeeper to this team of 50 people of which I’m gathering evidence from ultimately five. You know, the problem is is that those choke points end up kind of causing issues, if you will. The person that happens to be the choke point, they get overloaded, they’re too busy, you know, et cetera. So, you know, if you can get the direct end players in, if you got the right system, you can do things like integrate frontliners flow to, you know, kind of that management person or, you know, kind of pre-QA before it goes to the next step. You can integrate all of those capabilities and features. The other piece that a lot of folks will kind of miss, if you will, is the integration of the vendors into the process, giving them, you know, if they’ve got direct line responsibilities, et cetera, get them access to the system, you know. There’s ways with the right systems that you can certainly, you know, kind of put users into, you know, where they can only see items assigned to them, not the entire spectrum, things along those lines. And so take advantage of, you know, of things along those lines, you know, okay. Yeah, and certainly the, you know, kind of the internal, you know, the internal personnel, you know, having them all integrated into the same thing and your, and really your assessors, if you’ve got consultants, if you have assessors, you know, get them in on the party too, because the more synergy you can gain in the overall approach for your compliance, then the better and more streamlined it is for everybody and them. 

And that seems to, I’m starting to hear a theme here, Adam. So tell me, what are some of the things that you should look for in kind of this systemic approach that is needed in order to make this consistently successful? 

Sure. Well, and especially now with, you know, right, right now we happen to be going through, you know, what, near almost two of, you know, COVID. And, you know, the reality is is that more and more and more, you know, we need to support remote personnel and make the system be available from wherever people are at. So certainly the capability to kind of connect in from wherever.

Other features, the ability to, you know, to preserve or save, you know, any attachments at requirement level, associated explanations of any of that, any of that evidence that would be helpful or necessary, you know, for going through the, for going through the process. Certainly, you know, gaining an easy way to be able to link evidence within your, you know, within your certifications and across them is another, you know, kind of key factor to be able to be able to leverage. It’s huge when you can take, you know, like we were talking about the information security policy. I’m, you know, if I’m within a PCI cert, I mean, I’m going to have over 100 different, you know, different arenas where I need to go and connect that particular documentation to. And if I now layered on a HIPAA and a SOC and an ISO, then I’m going to have, you know, probably a thousand plus places that I’ve got to go and, you know, go and link that same document to. So you want to be able to do it both within the cert and across certs.

You know, certainly, you know, the use of a system, you know, which will be able to extend out to whatever certifications you’ve got or are coming, that’s a huge bonus. There’s a there’s a lot of there’s a lot of tools, a lot of systems out there that, you know, they’re kind of engagement specific, right? Oh, this is this is my HIPAA system and this is my PCI system, you know, and whatnot. But none of this stuff plays together, you know, getting something that, you know, that that allows for that extensibility certainly is an important element.

Making sure that you get something that can handle whatever workflows you’ve got, right? I want to be able to have the frontliners hand over to an internal QA goes to your consultant, you know, to maybe a consultant that’s helping with some oversight and audit prep, hands to the assessor, hands to their QA department goes to complete it, right? You know, being able to handle, you know, any of that kind of workflow, you know, through the right through the tool is important. We talked about earlier, you know, kind of the integration of all the various personnel with their appropriate permissions and things along those lines that’ll come into play. Automated status updates is huge, like status current state, if you will. So, you know, you want to be able to have that effectively at your fingertips, right? You don’t want to be spending time, you know, two to four hours of manually updating sheets so that you can answer the executive’s question about the time that you’re finished with that extravaganza while eight other things or 10 or 12, 20 other things changed in just that two to four-hour period, right?

So automated status updates, another big one. You know, one of the big pain points on engagements is, I don’t know, it was various expressions, but herding cats that, you know, that whoever, you know, gets the baton of centerpiece of the, you know, kind of of the engagement gets to do. But, you know, reminding people and, you know, tell them, hey, I’m still waiting on blah, you know, hey, you’ve got eight items that, you know, that are overdue, you know, things along those lines.

So from a systematic approach, just making sure that the system that you’re leveraging can automate all of that for you. You know, there’s absolutely no reason you should be going and counting people’s items and having just manually send them an email, you know, get the system to go do the work for you. And we talked about earlier that ability to, you know, kind of map and, you know, link evidence within the certification, but also the ability to, you know, kind of map evidence between certifications. One of the, you know, one of the important elements, especially when you’re doing multi cert, is the ability to, you know, kind of, you know, have the updates automatically flow or, you know, I call live linking. But, you know, live linking the, you know, the evidence across your various certifications so that if I’ve got, let’s say my PCI, you know, my PCI centerpiece, you know, information security policy. I want that to automatically flow out and drop onto my HIPAA track and my ISO track and, you know, and whatnot. All of that should happen, you know, be configured and happen when I make the attachment. And then that way, if I make an update to that, you know, particular attachment, which is now connected to 120 internal requirements and another 450, you know, other certification requirements. If I’ve got to go in and create another version, I don’t want to have to go update it everywhere. Instead, I go update it at the source of truth, poof, it, you know, goes and splays out across the, you know, across the remaining. It just keeps everything in sync as you’re, you know, kind of going through the process. 

That makes a lot of sense. So just key takeaways on this.

If you’re growing, you’re most likely going to go up against multiple certifications. Do the best you can to align your ducks prior to getting started. Implement some sort of automation in order to save yourself from cat herding. And ultimately, above all else, make sure that you have a systemic approach so that this can be replicable and you’re able to do this year over year.

Agreed. 

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.
