A data-driven look at how regulators actually enforce rules—and why operators save time by focusing on high-risk requirements.
Risk-based audits should be the norm in the cannabis industry, but we still see operators doing comprehensive audits far too often.
I’ll be blunt. Comprehensive audits are a very inefficient use of time. That’s right, the COO of a company that develops audit software is telling you not to waste your time! But before you jump to any conclusions, let me provide some context.
The short version: focus on the parts of your business that regulators actually care about.
Why comprehensive audits are fading

Audits are an intrinsic part of every regulated industry. Auditors use them to determine whether a business is complying with the regulations. Audits can be conducted by internal or external auditors. They can be scheduled or unannounced. And they can be comprehensive or risk-based.
A comprehensive audit is just what it sounds like. It’s an audit that checks to see if a business is complying with every bit of every regulation. And since regulations tend to be long and detailed, comprehensive audits also tend to be long and detailed. If an auditor has ever subjected you to a comprehensive audit, you know it’s awful.
In Colorado, for example, the Marijuana Enforcement Division’s full regulation set approaches 300,000 words. The audit to comprehensively cover the regulations has 1,500 questions. Multiple employees in multiple departments must provide input. They need to retrieve files and take screenshots. The process of documenting compliance takes weeks, probably months if there’s any remediation work.
You want to run a compliant business, but the idea that you’re going to subject yourself to a comprehensive audit with any kind of regularity is, well, awful.
Have hot water or get in hot water
The least important details can suck up the most time. Let’s take a typical question from a comprehensive audit in California:
“Does your hot water (in facilities used for handling cannabis or cleaning equipment) reach a temperature of at least 120 degrees F from the faucet?” CA Health and Safety Code § 114192
You can’t answer that until you know the temperature of the water, so you pause the audit to get a thermometer. You test the hot water and find the temperature to be 118 degrees. You’re tempted to answer “yes” to the audit question because it’s close enough, but your conscience gets the better of you. After all, there’s no point in doing the audit if you’re not willing to do what it takes to be compliant.
So you stomp off in search of the water heater. The maintenance guy directs you to the basement. Trying not to hear the theme music from Friday the 13th playing in your head, you finally find the water heater in, of course, the darkest corner. Using your phone as a light, you crouch to find the thermostat and see that it is already turned up to the max temperature. Great.
You submit a maintenance request to have the water heater fixed. After a week, you get a response that the water heater is already at its max temperature. Duh. Frustrated, you submit a new request to have the water heater replaced, which, of course, requires management approval. Ugh.
Several months later, you bump into the maintenance guy who says, “Oh yeah, I got that new water heater installed a week ago.” You run back to the faucet and test the temperature. Hallelujah – 130 degrees! You restart the audit and proudly answer “yes” to the question. One down and 1,499 to go.
Understanding the ROI of compliance
So you’ve avoided getting into hot water by having sufficiently hot water, but it took a long time and a bit of money. Was it worth it? Probably not. Simplifya has yet to find an agency that has taken any enforcement action against a cannabis business for its water temperature.
The truth is that an auditor is highly unlikely to ask about the hot water temperature. It’s in the regulations, and you should be complying with the regulations, but it’s not a good use of your time or the auditor’s time to cover every regulation.
The origin of the comprehensive audit

At this point, you might be wondering how the cannabis industry got started with comprehensive audits. From Simplifya’s perspective, which is that of a tech company founded by several partners at a law firm specializing in cannabis, I would say it in one word: stigma.
From its inception, the legal cannabis industry has dealt with social and cultural biases that portray cannabis use as criminal or deviant behavior. The enduring stereotype of the lazy and unmotivated pothead continues to influence public perception. These caricatures make it difficult for the public to see industry professionals as legitimate businesspeople.
Cannabis businesses often hire law firms to conduct audits, hoping to achieve a degree of legitimacy. Law firms typically conduct comprehensive audits, hoping to correct the stigma. It sounds something like, “If you think dispensaries are run by a bunch of potheads, we’re going to do this super thorough audit to show you they are 100% compliant.”
In hindsight, this was an emotional overreaction, and Simplifya was complicit. We built Protect to run these super-long, super-detailed audits that covered every aspect of every regulation, all in the spirit of helping to break the stigma.
We also had another reason for building comprehensive audits – in the early days of every state’s legalized cannabis market, we didn’t know which of the hundreds of requirements would become the focus of regulators. In the face of that uncertainty, the best option was to be comprehensive until we were able to develop accurate risk profiles of each state.
Why risk-based audits are on the rise

Risk-based audits focus on the areas of the business that pose the greatest amount of risk. This strategy acknowledges that it’s more important for some areas to be compliant than others.
But that raises a question: how are we defining risk, specifically the risk of noncompliance? In the cannabis industry, the risk of noncompliance boils down to two things.
- One is losing your license. The amount of time and money required to obtain a license varies from state to state, but it often takes years and hundreds of thousands of dollars. Licenses are even more valuable in states that cap the number of licenses.
- The other is incurring a fine or penalty that results in significant financial hardship. Fines can be crippling, but we’ve also seen regulators take other non-financial actions that are just as debilitating. For example, regulators can mandate the destruction of inventory, initiate product recalls, require the installation of equipment, and even suspend or revoke a license.
Risk-based audits, then, account for the enforcement activity in a given state. The regulations vary by state, and so do the goals and resources of its regulators. This is why Simplifya analyzes enforcement reports, product recall notices, and advisory bulletins. It helps us understand where the agency is actually focused and what issues the agency most often addresses through enforcement actions.
The benefits of risk-based audits
Audits take time, and time is money. The primary benefit of a risk-based audit is that you are spending your time ensuring compliance in the areas of your business that regulators are most likely to inspect. The corollary is that you are not spending time in the areas that regulators are least likely to inspect.

This efficiency is why risk-based audits should be the new standard in the cannabis industry. We’re getting there, but we’re just now reaching the compliance model that has been the standard in other regulated industries for decades.
- Finance: Banks use risk-based audits to manage complex and diverse risks such as credit, market, and liquidity risks, as well as operational risks.
- Pharmaceuticals: Due to stringent requirements for product safety and efficacy, companies focus audits on risks related to the entire quality management system, such as production processes and data integrity.
- Manufacturing: Companies in this sector, from food and agriculture to general manufacturing, use risk-based audits to address quality control, supply chain, and operational efficiency risks.
- Technology: Companies with sensitive data use risk-based audits to focus on cybersecurity risks, IT controls, and the security of third-party vendors who may have access to customer data.
A secondary benefit is a byproduct of the first – since risk-based audits are more efficient, you’re more likely to do them. We have more than a few clients who use the audit feature in Protect less than they should. That’s only partially their fault. It’s because we put these massive, comprehensive audits in front of them. They might do it once or twice, but it’s such an awful experience that they quickly learn to procrastinate.
Risk-based audits are strategic
It’s natural to think a risk-based audit looks like a comprehensive audit, but with fewer questions because it’s covering fewer topics. Conceptually, that’s correct. In practice, however, risk-based audits take a more strategic approach to compliance.
The “tip of the iceberg” principle

For example, marketing tends to be a hot spot for regulators. The rules can be very detailed, right down to the font sizes that you use on signage. And because they are so thorough, it’s important to understand that the risk isn’t really about any one detail. It’s about how a failure on a detail gives a regulator a reason to look more closely.
Suppose an auditor goes into your dispensary and sees a promotional poster that happens to show children in the background. It’s clearly a violation of a marketing rule, but minor in the sense that the children are in the background and not the focal point of the poster. Also, the remediation is simple, just take it down. But that’s not what the auditor is thinking.
The auditor is thinking that if you made the mistake of using this poster, it’s likely you also made other marketing mistakes. It’s your decision-making that is suspect. Now he has reason to check all of your marketing collateral, the signage in your store, point-of-sale displays, etc. The more he finds, the deeper he digs. It’s the “tip of the iceberg” principle. Suddenly, what started as a minor fine snowballs into a major fine and maybe even a license suspension.
An example of a more strategic approach
And so, rather than eliminating the detailed marketing questions because they don’t present high risk individually, we acknowledge the risk is high in summary form. For example:
“Do any of your advertisements or marketing activities contain any of the following?
- False, deceptive, or misleading statements
- Images that could be considered attractive to anyone under 21 years of age
- Any likeness to images, characters, or phrases that are popularly used to advertise to children
- Any depictions or images of minors or anyone under 21 years of age
- Irrelevant, scientific, or technical information that tends to create misleading impressions
- Statements about a brand or product that are inconsistent with the statements on the brand or product labeling
- Offers of free cannabis goods or cannabis accessories, including “buy one, get one free” promotions.”
Risk isn’t always easy to spot
Sometimes, the rule may seem trivial, but the risk is high because regulators consistently signal it’s important to them. Here’s an example from California.
“Since your last audit, have you made any changes, alterations, or modifications to your licensed premises or your operations that did not require pre-approval from the Department? Did you notify them within three days of the changes?” CCR 4-19-1-3 15027(h)
In a comprehensive audit, it’s easy to blow past a question like this, but the Department of Cannabis Control regularly punishes operators for doing things like changing the layout of the facility and forgetting to notify them. Even conscientious operators make the mistake of thinking that if the modification doesn’t require pre-approval because, say, it doesn’t require changes in the site’s capacity or surveillance cameras, it also doesn’t require notification.
Conclusion
I started this post by saying comprehensive audits are a waste of time. That wasn’t true in 2016 when Simplifya launched. Everybody wanted comprehensive audits because it was important to fight the stigma.
But now, we’ve had a decade to observe how regulators across many legal states have chosen to enforce their markets. It allowed us to see that while comprehensive audits are not a complete waste of time, they waste time covering parts of the business that pose little to no regulatory risk.
As a result, Simplifya is deploying risk-based audits via Protect, its compliance tool for licensed operators. We are evolving to meet the needs of a maturing cannabis industry. See how Protect identifies your highest-risk compliance areas in minutes – schedule a demo today!