Are you being asked by a top client for a SOC 1 audit report? What is a SOC 1 report? Do you need a SOC 1 audit? Below, you’ll find answers to frequently asked questions about SOC 1 audit reports and learn how your organization can benefit from having a SOC 1 report and what you can expect from your SOC 1 audit process.

What is a SOC report?
Developed primarily for third-party service providers by the AICPA, SOC (System and Organization Controls for Service Organizations) reports are issued by CPAs and report on a service organization’s internal controls that could impact their clients’ sensitive data. SOC reports help service organizations’ clients, or user entities, to comply with regulatory and contractual requirements. SOC reports allow user entities to obtain an objective evaluation of the effectiveness of controls that address compliance, operations, and financial reporting at a service organization.

What is a SOC 1 audit report?
SOC 1 engagements are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18), formerly known as SSAE 16. SOC 1 reports are specifically designed to report on the controls at a service organization that could ultimately impact their clients’ financial statements. A SOC 1 audit is not a review of a service organization’s financial statements, but rather a review of its internal controls over financial reporting.

Do I need a SOC 1?
Many organizations are legally required to verify the suitability of internal controls at a service provider prior to engaging with the service provider. Generally speaking, publicly traded companies looking to comply with Sarbanes-Oxley (SOX), financial institutions looking to comply with the Gramm-Leach-Bliley Act (GLBA), as well as state and local governments, have all standardized on SOC reports to meet this requirement. If your clients outsource any of their information technology systems management activities to your organization, you may be asked for a SOC 1 report so they can gain a better understanding of the controls at your organization and how those controls meet specific requirements.

What are the benefits of getting a SOC 1 audit?
SOX and GLBA (among others) require service organizations to have adequate internal controls in place. By being able to produce a SOC 1 audit report for your clients or prospects, you gain a competitive advantage and client trust by demonstrating that you have the proper internal controls in place and that they have been verified by an independent third party.

Who can perform a SOC 1 audit?
A SOC 1 audit can only be performed by an independent CPA. CPAs must adhere to the specific standards that have been established by the AICPA and have the technical expertise necessary to perform SOC 1 engagements.

How are SOC 1 reports used?
Generally speaking, your SOC 1 audit report will be requested and read by your client’s auditor. SOC reports are considered an “auditor to auditor report,” allowing the client’s auditor to avoid having to audit the service provider directly. SOC 1 reports are shared by a service organization with current and potential clients and their independent auditors. It’s important to note that while the existence of a SOC report is marketable, the SOC reports themselves are restricted from being used for general marketing purposes.

What should I expect to see in my SOC 1 report?
Depending on your specific needs, a CPA can issue either a SOC 1 Type I or a SOC 1 Type II report. In a Type I report, your independent auditor will offer an opinion on the fairness of the presentation of the description of your system, the suitability of the design of the controls, and whether the controls have been implemented as of a certain date. A Type II report adds your independent auditor’s opinion on the operating effectiveness of the controls over a period of time (a minimum of six months), a description of the auditor’s tests of controls, and the results of those tests.

How does the audit process work?
KirkpatrickPrice utilizes the Online Audit Manager to ask a series of custom questions regarding your current controls, policies, and procedures to prepare you for your specific requirements. Our process will efficiently document where your organization’s security posture currently stands, provide specific guidance on identified areas of weakness, and allow you to work through as much of the audit process as possible prior to conducting the onsite portion of the audit. Our unique online approach minimizes the cost and disruption associated with extended onsite visits. Our senior-level auditors will assess, guide, monitor, test, and help mature your organization’s information security program and internal controls.

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

Independent Audit Verifies CBOSS’s Internal Controls and Processes and PCI Compliance

Poland, OH – CBOSS, an e-payment service provider, today announced that it has completed its SSAE 18 (SOC 1) Type II and PCI audits. This attestation verifies that CBOSS has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of CBOSS’s controls that may affect its clients’ financial statements. In accordance with SSAE 18 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes CBOSS’s description of controls as well as the detailed testing of its controls over a minimum six-month period. The standard demonstrates that an organization has adequate controls and processes in place.

KirkpatrickPrice also performed the audit and appropriate testing of CBOSS’s controls that are relevant to the storing and transmitting of information from credit, debit, or other payment cards. In accordance with the PCI Security Standards Council, KirkpatrickPrice’s Qualified Security Assessors assisted CBOSS in becoming PCI compliant. The PCI Data Security Standard is a complex security standard that focuses on security management, policies, procedures, network architecture, software design, and other critical protective procedures. These security standards are relevant to any merchant or service provider that uses, stores or transmits information from a payment card.

“Many of CBOSS’s clients rely on their systems to protect consumer information, process or store sensitive data, and protect information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, CBOSS has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions and accounts receivables management services provided by CBOSS.”

“Our partnership with KirkpatrickPrice has been instrumental in our efforts of security and compliance; crossing over multiple frameworks,” said Douglas Carr, General Manager with CBOSS. “As a result, CBOSS is able to more effectively manage security and compliance and to deliver on our promise of securing our client’s data as part of our online payment service offering.”

About CBOSS

From enterprise software solutions to managed services, CBOSS specializes in the design and implementation of portal solutions for e-payment processing using industry-standard platforms and tools. Since 1994, over 700 businesses and government agencies have looked to CBOSS to deliver feature-rich services and solutions that are cost-effective, reliable and secure. CBOSS has renewed its Level I compliance with the Payment Card Industry (PCI) Data Security Standard, which provides the highest levels of security for e-commerce and other e-payment processing services. For more information, visit www.cboss.com, follow CBOSS on Twitter (@CBOSSInc), connect with CBOSS on LinkedIn, or like them on Facebook.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Equifax, one of the three largest consumer credit reporting agencies in the U.S., announced last week that a web application flaw exposed 143 million customer records to malicious hackers. Although not the largest breach in size, the Equifax breach may be the largest to date in severity considering the type of PII that was exposed. While mixed reports are speculating over the cause of the breach, criticisms are rising over Equifax’s lack of security practices and safeguards. Here is what you need to know about the Equifax breach and how you can prevent a similar attack at your organization.

What Happened During the Equifax Data Breach?

Equifax executives stated that the breach was discovered on July 29th and that the exposure lasted from mid-May to July 2017. The compromised data included names, social security numbers, birthdates, addresses, and driver’s license numbers of millions of U.S. consumers, which has led some to label this the most sensitive breach in history. Reports also noted that 209,000 U.S. consumers had their credit card numbers exposed as well.

Cybercriminals gained access to this information by exploiting a vulnerability in a web application. Web application vulnerabilities are the most common target for hackers to exploit, making it critical for organizations to incorporate secure coding and development practices for all web-facing applications. Equifax did not detect the breach right away, reporting that their databases didn’t show any evidence of unauthorized or suspicious activity.

Learning from Equifax’s Mistakes

There are many lessons to be learned from the Equifax breach that can help you to prevent your organization from suffering a similar fate. Here are five key takeaways from the Equifax breach:

Risk Assessment

Performing an annual risk assessment is an important first step for any organization that wants to maintain a mature security posture. A risk assessment provides an ongoing, systematic approach for identifying and prioritizing risks, allowing organizations to mitigate potential threats before they materialize. A formally documented risk assessment should occur on a yearly basis and after any significant change.

Secure Web Application Coding and Development

Web applications can present a serious threat to organizational security. While Equifax has not released many details at this time, we do know that the breach occurred due to a flaw or vulnerability in a web application. Incorporating secure coding and web application development into your security practices can help to prevent this type of attack from happening to your organization. Developers should be trained on an annual basis in secure coding best practices to avoid attacks such as SQL injection. Consult the OWASP Top 10 for a list of the most critical web application security risks to address in your secure coding and development program.

Web Application Penetration Testing

Web application penetration testing is a form of permission-based ethical hacking in which a certified pen tester attempts to gain access to an organization’s applications. The purpose is to find, as part of a routine security check, weaknesses that could potentially be exploited by a malicious hacker. Finding the holes in your security infrastructure before someone else does allows organizations to protect themselves from a devastating attack like the one Equifax has suffered. Penetration testing should be performed, at minimum, on an annual basis; however, given the rapidly changing cyber-threat landscape, many IT security professionals recommend a twice-yearly (biannual) assessment.

Layered Security Controls

Implementing a defense-in-depth strategy is a good way to present more obstacles to a determined attacker, delaying and detecting them before they succeed. The Equifax breach uncovered the fact that, despite having had security issues in the past, the company did not have many layered safeguards in place to help mitigate an attack. A multi-layered security posture is the best defense. Some examples of layered security controls include antivirus, firewalls, multi-factor authentication, intrusion detection/prevention systems (IDS/IPS), and monitoring.

Update Patches and Software

Applying security patches, especially critical patches, is important for preventing a malicious cyber attack. The number one target of cyber criminals is known flaws left unpatched. Although not directly related to this security breach, security experts reported that Equifax had failed to patch an XSS vulnerability that the company was warned about in 2016. It was also noted that Equifax was using a mix of old technology such as IBM WebSphere, Apache Struts, and Java, leaving their infrastructure vulnerable. Keep patches, software, and all technologies current and up to date to prevent flaws in your security.

Don’t let your organization be the next major data breach headline. Implement these five lessons learned today. For help securing your IT infrastructure and testing your security posture, contact us today.

Independent Audit Verifies Harvest Strategy Group’s Internal Controls and Processes

Denver, CO – September 5, 2017 – Harvest Strategy Group, an accounts receivables management firm, today announced that it has completed its 6th annual SOC 1 Type II Audit. This attestation verifies that Harvest Strategy Group has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA firm, performed the audit and appropriate testing of Harvest Strategy Group’s controls that may affect its clients’ financial statements. In accordance with SSAE 18 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes Harvest Strategy Group’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

Brad McCurnin, EVP with Harvest, said “Process controls and the protection of personal information are critical to the delivery of Harvest’s services to all clients. KirkpatrickPrice has the experience and knowledge to validate that all necessary controls exist and are being consistently followed with proper documentation.”

“Many of Harvest Strategy Group’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, Harvest Strategy Group has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by Harvest Strategy Group.”

SOC 1 Type II is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

About Harvest Strategy Group

Harvest Strategy Group, Inc. is a recognized leader in national accounts receivable recovery solutions that deliver best-in-class results for their clients, which include leading banks, finance companies, credit unions, debt buyers and medical debt servicers. Utilizing a highly selective national network of collection attorneys and collection agency partners, Harvest’s model is driven by ProScore™, a proprietary litigation recovery scoring model. Harvest’s account management team works with its recovery partners to ensure zero-defect compliance and maximum recoveries are realized.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 11 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

What is the HITRUST Maturity Model?

So far in this webinar series, you’ve learned who HITRUST is, what the HITRUST CSF is, how to scope your environment, and which risk factors affect your defined scope. In this webinar, Jessie Skibbe outlines HITRUST’s Maturity Model for control scoring, the assessment process, report options and timeline projections, and some strategies for maintaining compliance.

HITRUST Maturity Model

You will be required to score your organization’s compliance with the controls according to the HITRUST Maturity Model. This model acts as assurance that each control in the HITRUST CSF has been properly implemented. The Maturity Model used by the HITRUST CSF is organized into five levels that together form a continuous improvement cycle. The intent behind the Maturity Model is to avoid the practice of “implementing and forgetting.” The five levels of the HITRUST Maturity Model are as follows:

  1. Policy – Does an organization know what it is supposed to do? Requirements must be stated in a policy or standard and understood by the organization.
  2. Process – Also known as procedure. Does the process follow the policy, assign responsibility, and give further instruction for carrying out the policy? Is the process understood by those to whom it applies? Processes are necessary to ensure the control can be implemented in a repeatable and consistent way.
  3. Implemented – Has the control been implemented? Does the organization implement all elements of a specified control and is it implemented everywhere it should be implemented? Can it be tested? Evaluation of the control’s implementation across the organization is the most common way of assessing a control’s effectiveness.
  4. Measured – Are you able to measure the performance of the control? How is that control being measured for success? Can you provide a statistical analysis? You cannot manage what you do not measure.
  5. Managed – Does the organization correct any problems that are identified while monitoring the effectiveness of the control? Do you understand and are you managing security vulnerabilities? Are controls being adapted to emerging threats and the changing landscape? This level of maturity provides additional assurance that the control will not fail.

Strategies for Maintaining Compliance

  • Where certification is granted, certification is valid for two years (24 months) from the certification date on the condition that the interim review and continuous monitoring requirements are met.
  • The interim review is vital. It should be completed as close as possible to the one-year anniversary of the initial report date.
  • Your Corrective Action Plan should describe the specific measures that are planned to correct deficiencies identified during the assessment for validation or certification.
  • Be aware of de-certification criteria.

Listen to the full webinar to hear evaluation examples, see timeline projections, dive deeper into the HITRUST Maturity Model, and learn more about how to maintain HITRUST compliance. Contact us today to get started on your HITRUST journey.