Portland, OR – January, 2017 – ARM Insight, Inc., a leader in transaction-based analytics and service, today announced that it has completed its PCI audit and received its Report on Compliance (RoC). The report verifies that ARM Insight, Inc. adheres to the Payment Card Industry Data Security Standard and has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of ARM Insight, Inc.’s controls that are relevant to the storing and transmitting of information from credit, debit, or other payment cards. In accordance with the PCI Security Standards Council, KirkpatrickPrice’s Qualified Security Assessors assisted ARM Insight, Inc. in becoming PCI compliant.

The PCI Data Security Standard is a complex security standard that focuses on security management, policies, procedures, network architecture, software design, and other critical protective procedures. These security standards are relevant to any merchant or service provider that uses, stores or transmits information from a payment card.

“Keeping our data secure and protecting our customers is extremely important to ARM Insight,” said Jason Hills, Chief Revenue Officer. “KirkpatrickPrice has been a great partner for us; their insights have helped us enhance our security policies and maintain PCI compliance.”

“Many of ARM Insight, Inc.’s clients rely on their systems to process or store sensitive data and protect information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, ARM Insight, Inc. has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls, and the tests we perform provide assurance regarding the accounts receivables management services provided by ARM Insight, Inc.”

About ARM Insight, Inc.

ARM Insight is a big data and analytics company focused on the payments industry. The company provides payments-based business intelligence solutions for Credit, Debit and Prepaid Card Processors, Investment Companies, Financial Institutions, and Retail Corporations. ARM’s platform transforms millions of raw transaction records from legacy processor platforms into actionable information, which enables companies to make intelligent business decisions and automate manual operational tasks. www.arminsight.com

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA and PCI QSA firm providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SSAE 16, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com

The end of the year is rapidly approaching, and so is the deadline for those completing a Q4 audit! It’s not hard to imagine what Santa and his Elves feel like as they rush around to get everything in order and ready for their big day.

Just as the Elves help Santa to ensure everything gets done in time, our auditors are committed to helping you make sure you have everything in place working effectively to successfully complete your audit on schedule. Here are 6 tips on how to pass an audit in time for year-end.

How to Pass an Audit in Q4

To better prepare for your upcoming audit, here are six tips that companies across all industries can find helpful:

1. Perform a Risk Assessment

Risk Assessment. Risk Assessment. Risk Assessment.

It always starts with a Risk Assessment. What better way to identify your assets and prioritize your unique risks than by performing a regular risk assessment? Not sure if you have all of the necessary controls in place to properly protect your assets and mitigate risks? Don’t worry – your annual risk assessment will help you with that. Not only is a risk assessment mandated by most audit frameworks, but it’s also a critical component of any information security program.

2. Documentation Inventory

Are you maintaining audit logs? Do you have proof of employee acknowledgement of policies and procedures? Are you keeping all necessary records for your auditor to review?

Waiting until the last minute to pull all of your documentation together can make preparing to pass an audit seem much more tedious and stressful than is actually necessary. Veterans of the audit process will highly encourage companies to continuously collect and maintain necessary documentation in order to be prepared year-round for an audit.

3. Policy and Procedure Review

Reviewing your policies and procedures on an annual basis is a good way to ensure that there are not any gaps in your controls and processes. It is also the perfect opportunity to be certain that everything you say you’re doing as an organization is formally documented and communicated to all relevant personnel.

When it comes to compliance, we’ve all heard the adage, “If it’s not written down, it isn’t happening.” This is good advice when it comes to preparing for an audit: your auditor won’t be interested in hearing about your processes, but rather will need to see them documented on paper, along with evidence that they are a living and breathing document that continuously changes and matures with your organization’s environment.

4. Employee Training

A strong defense is the best defense. Regularly training your employees on security awareness and the importance of security and compliance can help put your mind at ease when it comes to knowing they are taking the right steps and precautions to protect organizational assets. A culture of security awareness and compliance must start from the upper-management level and trickle down to the employee level in order to make the best impact. Security training programs should educate employees on policies and procedures as well as basic security awareness.

5. Vendor Compliance Management

Are you properly managing your vendors to verify that they are complying with information security and compliance requirements and best practices? Vendors pose a risk to every organization, so it’s imperative that you’re doing your due diligence to mitigate those risks. Do you have all of your documentation of proper vetting prepared and ready for your auditor to review? What is your onboarding process? Off-boarding? Do you have vendors sign a non-disclosure agreement? Learn more about vendor management best practices with our vendor compliance assessment.

These are the pieces you’ll want to have together in order to successfully pass your audit in Q4.

6. Work with your Auditor

When it comes to completing an information security or compliance audit, your auditor is your greatest resource and is not to be feared. Work with your auditor to show them you’re committed to the audit and remediation process and improving your environment. If they show you that a control you have in place is insufficient, work with them to make the appropriate changes for follow-up, and most importantly, be honest. A good auditor won’t work with you to simply check a box, they will work with you to ensure that your organization is secure and compliant.

So as you wrap up your Q4 audit this year, remember to not overcomplicate it. Gain audit participation from your entire organization by expressing the importance that security plays in your business operations. Working together with your organization and your auditor can help you achieve greater levels of security and compliance at your organization.

Petaluma, CA – December 2016 – Optio Solutions, an accounts receivable management and debt collection agency, today announced that it has completed its PCI audit and received its Report on Compliance (ROC), and has completed its SSAE 16 (SOC 1) Type II audit. These reports verify that Optio Solutions adheres to the Payment Card Industry Data Security Standard and has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of Optio Solutions’ controls that are relevant to the storing and transmitting of information from credit, debit, or other payment cards. In accordance with the PCI Security Standards Council, KirkpatrickPrice’s Qualified Security Assessors assisted Optio Solutions in becoming PCI compliant.

KirkpatrickPrice also performed the audit and appropriate testing of Optio Solutions’ controls that may affect its clients’ financial statements. In accordance with SSAE 16 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes Optio Solutions’ controls as well as the detailed testing of its controls over a minimum six-month period.

“Successfully completing the SSAE 16 audit highlights our commitment to protecting our clients’ brand by providing them with a high level of data security,” said Optio President and CEO Chris Schumacher.

The PCI Data Security Standard is a complex security standard that focuses on security management, policies, procedures, network architecture, software design, and other critical protective procedures. These security standards are relevant to any merchant or service provider that uses, stores or transmits information from a payment card.

“Many of Optio Solutions’ clients rely on their systems to process or store sensitive data and protect information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, Optio Solutions has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls, and the tests we perform provide assurance regarding the accounts receivables management services provided by Optio Solutions.”

SOC 1 Type II is a report on the controls at a service organization, established by the American Institute of Certified Public Accountants (AICPA). The report is issued under the SSAE 16 auditing standard, which focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

About Optio Solutions, LLC

Optio Solutions, LLC is a national debt collection agency focused on protecting its clients’ brand and improving ROI via extensive financial services experience, advanced technology, certified data security, legal compliance, and professionally designated staff. Optio is a member of ACA International and the California Association of Collectors.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA and PCI QSA firm providing assurance services to over 500 clients in more than 46 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SSAE 16, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com

With the holiday season always comes a rise in cyber crime and data theft. With that in mind, it’s a perfect time to remind ourselves of important information security tips to keep us safe and secure this holiday. So don’t let the Grinch ruin your holiday. Here are 5 things the Grinch can teach us about information security:

1. Beware of Social Engineering

“With this coat and this hat I look just like St. Nick!” These infamous words led the Grinch straight through Whoville, sneaking into homes, successfully impersonating someone they trusted, and stealing Christmas. This popular form of hacking, known as social engineering, can be avoided by training your employees to never give out sensitive information (e.g., username and password combinations or unauthorized access to an area) without fully identifying the other person.

2. Ensure Network Security

Don’t let the Grinch slide down your chimney unannounced. Ensure network security by implementing and maintaining a firewall configuration. As auditors, a common gap we see when performing audits is a poorly maintained firewall. Maintaining a secure firewall is important in order to monitor incoming and outgoing packet requests and to block unauthorized requests. Ensure network security by having effective and fully documented policies and procedures.

3. Secure your Last Line of Defense

Train the little Cindy Lou Whos to recognize security incidents when they happen. Regularly training your employees on security awareness and policies and procedures is a critical component of your organization’s security. You’re only as strong as your weakest link, so continually train employees on logical and physical security responsibilities to ensure your employees will know how to respond in the event of a security incident.

4. Perform Annual Risk Assessments

Don’t let the Grinch rob you blind – protect your assets from theft and breach. The first step in safeguarding your business from theft or a data breach is performing an annual risk assessment. Risk assessments are a way to identify assets and prioritize risks to those assets, allowing organizations to ensure the proper controls are put in place to protect those assets from vulnerabilities and threats.

5. Test your Incident Response Plan

The Whos didn’t let the Grinch ruin their holiday. They were prepared to move forward in light of a security incident. Have a plan in place that you have tested and train employees on your incident response plan policies and procedures. Your Incident Response Plan should include policies and procedures that dictate to your organization the immediate actions that are to be taken following the detection of an incident.

Stay safe over the holidays, and don’t forget these 5 important tips to ensure the Grinch doesn’t ruin your holiday.

Stoneleigh Recovery Associates, a third-party debt collection company, continues to show its commitment to compliance and its brand by the recent completion of its SOC 1 Type II and SOC 2 Type II audits. Headquartered in Lombard, Illinois, Stoneleigh has been in business since 2007 and has been receiving third-party audits of its compliance since 2010.

Understanding the importance of compliance as a critical business function has given Stoneleigh a strong competitive advantage in the accounts receivables industry. This focus has enabled the company to watch the business and its operations grow and mature over the last decade.

Taking a Proactive Approach to Compliance

Although some of their clients now require SOC compliance, Stoneleigh had been receiving third-party SOC compliance validation long before they were being asked for it. Why take a proactive approach? Stoneleigh Recovery Associates sought to demonstrate to their clients that they have had an independent third-party review verifying that the policies and processes they say they have in place are in place and are functioning effectively.

Thanks to the annual completion of their SOC 1 Type II and SOC 2 Type II audits, Stoneleigh is able to proactively address client requirements and win business over other companies who have not built in compliance as a foundational aspect of everyday business operations.

Benefits of SOC 1 and SOC 2 Compliance

Throughout the years of undergoing regular third-party SOC audits, Stoneleigh has been able to continuously fine-tune their policies and procedures, which has proven to be the most notable benefit of SOC compliance. Stoneleigh’s policies have become much more detailed, clear, and robust, offering them and their stakeholders a sense of security and confidence that they are delivering secure, compliant, high-quality services to their clients. This mentality has driven all of the members of the executive management team to think critically about the types of issues covered in their policies and procedures and how they can keep them top of the line.

Stoneleigh’s policies and procedures are reviewed and updated on a regular basis to constantly reflect industry trends, and have become a living, breathing document, rather than a static, untouched, and outdated set of processes. As any successful compliance management program should, Stoneleigh’s compliance journey has been a cumulative effort. This program has brought members of all departments (e.g. IT, Compliance, and Operations) together to focus on how they can manage their processes effectively in a way that won’t hinder productivity, but rather enhance security and confidence in the way they’re doing things. Stoneleigh’s policies and procedures clearly indicate who is responsible, who they apply to, and who they are reviewed and approved by, providing clear direction and instruction for all necessary personnel. Nikki Noyes, Stoneleigh’s Director of Compliance, commented, “Since working with KirkpatrickPrice, we have controls we have put in place to be more effective and we have learned to continually mature and improve our processes.”

Understanding the Importance of “Tone from the Top”

For Stoneleigh, executive level buy-in has been key. The executive management team lives by the company’s policies and procedures and is thinking critically and communicating regularly with all departments about changes necessary to further ensure compliance. This approach helps to set a culture of compliance that permeates the entire organization. Because executive management is engaged in the entire process, this culture trickles down, even to the collector level, giving all employees an understanding of the importance of compliance. Stoneleigh’s open line of communication and thorough understanding of the importance of the tone from the top has helped make compliance and security a daily part of their operations.

Advice to Other Companies in the ARM Industry

Nikki Noyes has some advice for other companies in the ARM industry when it comes to documentation: “If you do it, document it.”

This is excellent advice. If you say you’re doing something, but it isn’t documented in your policies and procedures, then you aren’t doing it. All practices must be included in your policies and procedures in order to see any gaps and deficiencies you may have in your processes. When it comes to developing your policies and procedures it’s okay to start simple and add on as you go.

KirkpatrickPrice is thankful to have committed clients like Stoneleigh who can share their successes through working with our company.

“We are forever grateful for our partnership with KirkpatrickPrice and the guidance they’ve provided,” commented Nikki Noyes.
