top of page

Compliance - The trends

Compliance trends
Compliance trends-Tendances conformité

Large companies have always had regulatory and compliance requirements that they cannot avoid. However, in recent years, small organizations have had to comply with different security and compliance standards. What happened?

Financial compliance requirements

Since the dawn of time, companies have had to meet certain regulatory frameworks. A major event, however, has changed the level of requirements for financial internally. In the early 2000s,

the "Enron" scandal forced the institutions' regulation to be heavily involved. In addition

to the fact that the prestigious CPA office Arthur Anderson is dismantled, a new law is put

into effect by Congress Sarbanes-Oxley Act (SOX) was passed in 2002.

All public companies had to make an annual report on their internal financial control. ​ The

Enron scandal and the arrival of SOX ensure that the compliance and auditing companies

become watchdogs of their internal financial control. This situation results in many SOC 1

reports (financial controls) required of the various service suppliers of these large

Companies. ​


The decade of 2000 turned out to be the decade of financial auditors.


Since the early 2000s, with the growth of social media, cloud computing, decentralized

technologies and all the other new developments technology, organizations realize that

their level of risk concerning data theft, intrusion and other malicious acts becomes very

high. However, while awareness is present, actions and investments in information security

were not on the agenda to ensure that companies track risks. 


Several large companies (e.g., Marriot, Facebook, British Airways, etc.) had to experience significant security or privacy breaches to see a shift from financial investments to security and privacy controls. 

In 2010, AICPA released the SSAE 16 certification standard, which replaces the "SAS 70" standard. With this new standard, AICPA introduces the SOC 2 report with the five (5) main principles (security, confidentiality, integrity of treatment, availability, and privacy) that can be used in a SOC 2 report.   

​In the first half of 2010, the SOC 2 report was still in low demand. In fact, it was not yet well known, and it must be remembered that in companies, financial controls still had priority. In the second half of 2010, large companies become uncompromising about IT risks, and there is a shift in priorities to IT controls. IT security and compliance teams then take on a more significant role and require IT audit reports from their suppliers and other stakeholders considered at risk. 

Initially, the small business was somewhat untouched by the compliance requirements of large companies. However, since 2016 and 2017, this is no longer the case, and even micro-companies are being asked for compliance requirements. ​

When signing contracts with their suppliers, significant national or international companies take the opportunity to insert clauses requiring the implementation of a compliance program. For example, in America, often the SOC 2 ratio and sometimes ISO 27001 are accepted. In Europe, ISO 27001 is in high demand by large European companies.


Extensive social media companies have created a new level of risk that has never been seen before. Facebook, Amazon, Twitter, etc., host millions of data considered private. Data theft affects many people and puts people's privacy at risk. Just remember the Facebook-Cambridge Analytica scandal in 2015-18 that put the personal data of more than 80 million people at risk. ​

We are at the very beginning of a significant paradigm shift regarding private data. Although most Western countries all had laws on personal data, the arrival of the European Union's General Data Protection Regulation (GDPR) in May 2018 marked a turning point; this regulation will become a model for all major countries. Moreover, the fact that there is the possibility of significant fines will have inevitable consequences on the operations of organizations that host or process information from European citizens.   

We can anticipate that large organizations will increasingly shift some of their investments to information security and privacy. As a result, these two areas are now high on the agenda regarding managing business risks.

bottom of page