Who audits the auditor?
Written by Dan Blacharski on May 29, 2009

If you are subject to a regulation like HIPAA or Sarbanes-Oxley, you need to know that your own internal systems are secure and that customer data is kept private, and you also need to know that the systems of your partners are equally well protected.
That is the hard part of compliance. You control how security is implemented and how email protections are imposed inside your own company, but you have far less control over companies that are separate from yours yet still within your sphere of influence.
A recent study showed that 20 percent of security professionals are "cheating" to pass an audit, especially when it is a self-audit. Such audits run largely on the honor system: you attempt to satisfy your compliance requirements by sending a checklist to the partners who have access to your systems or data. The partner confirms that it has done certain things, or has implemented certain precautions, and sends the list back. All bases are covered, right? Not always. A returned checklist is an assertion, not evidence; without an external auditor nobody independently tests whether the controls actually exist and work, and you may be out of compliance without knowing it.