How SOC 1, SOC 2, PCI and FISMA Apply to Debt Collection

If you’re performing collections, you’re no stranger to regulatory compliance and the proactive supervision of government agencies such as the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), and the Office for Civil Rights (OCR). It’s also critical to consider how you’re protecting consumer data and understand what information security audits are available and will best fit your organization based on the type of debt you’re collecting. Engaging an independent third-party to perform one of these many audits is not necessarily a requirement for collecting debt, but is highly recommended to ensure that the controls you have in place to protect sensitive data are appropriate and operating effectively.

What are the most commonly requested audits? Which audit is right for me? How can I prepare? Whether you’re collecting credit card, medical, student loan, or commercial debt, familiarizing yourself with the Alphabet Soup of information security audits – SOC 1, SOC 2, HITRUST, PCI, and FISMA – is the best way to begin making sense of the commonly requested frameworks and understand which one is right for you.

SOC 1

An SSAE 18 (formerly SSAE 16) audit, also called a SOC 1 audit, is performed under the Statement on Standards for Attestation Engagements No. 18 and is the most commonly used framework for U.S. service providers. SSAE 18 reports were primarily designed to report on the controls of a service organization that are relevant to its clients’ financial reporting. SSAE 18 engagements are performed solely by CPAs and are intended to help service organizations identify and eliminate potential errors in how they protect client data, and to attest to the effectiveness of those controls. There are two types of SSAE 18 (SOC 1) reports, a Type I and a Type II. Both present each control objective in the same way, but a Type I attests to the controls as of a specific date, whereas a Type II attests to the controls over a specified period of time and includes a description of the tests performed for each control and the results of those tests.

If you’re working directly with a bank, have a client specifically requesting an SSAE 18, or are simply looking for a good place to start, I recommend pursuing an SSAE 18 audit. This could apply if you’re collecting on credit card, medical, student loan, or commercial debt. The SSAE 18, as many audit types do, utilizes a risk-based approach, allowing you to identify your areas of risk and determine whether you’re appropriately addressing each one. The SSAE 18 audit process helps you design and implement internal controls, demonstrating a commitment to integrity and ethical values through policy and procedure.

SOC 2

I recommend selecting a SOC 2 audit if a client demands it, prospective clients are requesting it, or if you’re specifically collecting on healthcare accounts. A SOC 2 audit, unlike a SOC 1, is prepared in accordance with AT 101, Attest Engagements. Like a SOC 1, a SOC 2 engagement is performed by a licensed CPA. A SOC 2 reports on non-financial controls, focusing on what are known as the Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Is the system protected against unauthorized access (logical and physical)? Is the system available for operation and use as agreed? Is system processing complete, accurate, timely, and authorized? Is information designated as confidential protected as agreed? Is personal information collected, used, retained, disclosed, and destroyed in conformity with the entity’s privacy notice commitments? These are the questions addressed during a SOC 2 audit engagement.

A recommended practice for those working closely with the healthcare industry is undergoing a SOC 2 HITRUST audit. Pairing a SOC 2 with a HITRUST CSF (common security framework) component can help take the guesswork out of HIPAA compliance assessments. The HITRUST framework is a healthcare industry-created compliance protocol designed to address compliance and risk expectations of HIPAA’s Security Rule, variations in business practices, and third-party assurance expectations. Since the SOC 2 is designed to address the aforementioned Trust Services Principles, which are all concepts intrinsic within HIPAA’s Security Rule requirements and the HITRUST framework, it is an incredibly effective report that will provide internal and external value to your organization.

PCI

The Payment Card Industry Data Security Standard (PCI DSS) was jointly developed by the payment card brands to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS v3.2 is the current version, and it applies to any merchant who stores, processes, or transmits cardholder data, and to any service provider who stores, processes, or transmits that data on behalf of a merchant. As a debt collection agency, you can be either a merchant or a service provider. You’re considered a merchant if you accept credit cards as payment, and a service provider if you load account numbers into your system to collect on. PCI DSS is a robust information security standard with approximately 394 controls and 12 Requirements, organized under six Control Objectives.

If you’re collecting on credit card debt, or accepting or processing payment cards, you must comply with PCI. You may become “PCI Compliant” by completing a Self-Assessment Questionnaire (SAQ). There are nine basic SAQ versions (with variations), and an SAQ can either be signed by a Qualified Security Assessor (QSA) or submitted as a self-attestation. You may also become “PCI Certified”, in which case you will receive an official Report on Compliance (RoC) from a QSA upon completion.

FISMA

The Federal Information Security Management Act (FISMA) is a U.S. federal law, enacted in 2002, that protects government information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, preserving the three pillars of information security: Confidentiality, Integrity, and Availability. FISMA is the law; NIST Special Publication 800-53 is the comprehensive standard that contains the individual security controls required to comply with FISMA. Certification is achieved when an Authorization to Operate (ATO) is signed by a federal agency’s senior management official.

If you’re collecting on student loan debt, working with the federal government, a federal contractor, or a sub-service provider of a federal contractor, you are required to meet the National Institute of Standards and Technology (NIST) 800-53 standards.

There’s no cookie-cutter approach to determining which information security audit is right for you. The important things to consider are best practice recommendations, who these audit frameworks apply to, and the type of debt you’re collecting. Whether you choose to undergo an information security audit or not, the best place to start is making sense of the alphabet soup. To learn more about how KirkpatrickPrice can help you achieve your compliance goals, contact us today.


Sterling Heights, MI – November 08, 2016 – Custom Data Solutions, Inc., a data processing services provider, today announced that it has again completed its SSAE 16 (SOC 1) Type II Audit. This attestation verifies that Custom Data Solutions has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of Custom Data Solutions’ controls that may affect its clients’ financial statements. In accordance with SSAE 16 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes Custom Data Solutions’ description of controls as well as the detailed testing of its controls over a minimum six-month period.

Brian R. Harris, Vice President of Finance, stated, “I am proud to receive this certification on behalf of our team for the third consecutive year. It is a testament to our Company’s commitment to excellence that drives the quality and accuracy of the work we perform for all our clients. Our team translates their deep knowledge of the industry we serve to provide our clients with the strongest level of internal controls to protect their information.”

“Many of Custom Data Solutions’ clients rely on them to protect consumer information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, Custom Data Solutions has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by Custom Data Solutions.”

A SOC 1 Type II is a report on the controls at a service organization, under a reporting framework established by the American Institute of Certified Public Accountants (AICPA). The report is prepared in accordance with the SSAE 16 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

About Custom Data Solutions

Custom Data Solutions is a leading provider of data collection, processing and data warehousing services to the Vending, Foodservice, Fund Raising, Specialty, Micro Market, Office Coffee Service, and Concession channels. They provide best practice solutions that have been applied to the automated collection and processing of their clients’ sales data. This approach gives each of their clients a tremendous competitive edge by providing them with fast and accurate real-time sales information, available 24/7 from anywhere in the world. www.custdata.com

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm providing assurance services to over 400 clients in more than 46 states, Canada, Asia, and Europe. The firm has over 10 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on HIPAA, SSAE 16, SOC 2, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com.

SOC 1 vs. SOC 2 Reports: What’s the Difference?

As a service organization, you are familiar with audit requests from clients who are required to meet specific compliance and audit requirements, and you have most likely been asked whether your organization is SOC 1 compliant or SOC 2 compliant.

We often get asked:

  • What are the differences between a SOC 1 vs. SOC 2 audit?
  • Which SOC report should you get?
  • Do you need both audit reports?

Let’s take a look at the differences between a SOC 1 vs. SOC 2 audit, and why you could be asked for either, or both, as you continue to grow your business.

Do I Need a SOC 1 Audit?

A System and Organization Controls 1, or SOC 1, engagement is an audit of the internal controls a service organization has implemented to protect client data.

SOC 1 engagements are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18). A SOC 1 assessment comprises control objectives, which are used to accurately represent internal controls over financial reporting (ICFR).

In other words, if you are hosting financial information that could affect your client’s financial reporting, then a SOC 1 audit report makes the most sense for your organization to pursue, and it will likely be requested of you.

Do I Need a SOC 2 Audit?

If you are hosting or processing other types of information for your clients that does not impact their financial reporting, then you may be asked for a SOC 2 audit report.

In this instance, your clients are likely concerned whether you are handling their data in a secure way, and if it is available to them in the way you have contracted it to be. A SOC 2 report, similar to a SOC 1 report, evaluates internal controls, policies, and procedures.

However, the difference is that a SOC 2 reports on controls that directly relate to the security, availability, processing integrity, confidentiality, and privacy at a service organization. These categories are known as the Trust Services Criteria and are the foundation of any SOC 2 audit engagement.

Do I Need a SOC 1 and a SOC 2 Report?

If you have clients that fall under both categories, then there is a chance you may be asked for both.

In some circumstances, you may determine that you need a SOC 1 and a SOC 2 report in order to effectively ensure that your controls meet the demands of a variety of clients and stakeholders. Fortunately, KirkpatrickPrice utilizes a unique Online Audit Manager that allows you to combine a SOC 1 and SOC 2 into one audit process resulting in two deliverables.

How Can KirkpatrickPrice Help?

Determining what your business objectives are is a vital first step in deciding which SOC audit you should pursue. KirkpatrickPrice can provide free consulting services to help you determine which SOC report makes the most sense for your organization and assist in determining the scope of your engagement.

Think you may need multiple reports?

We can help with that too. KirkpatrickPrice’s Online Audit Manager was designed to help take the stress away from meeting multiple audit demands by streamlining them into one efficient audit process.

Contact us today using the form below to learn more about how we can help.


It’s no secret that the PCI Data Security Standard is one of the most robust information security standards that exists. With approximately 400 controls, understanding all of the ins and outs of the standard can cause quite the headache without the proper resources and expertise.

When selecting a third party Qualified Security Assessor (QSA) to perform your PCI audit, we recommend choosing an auditor that can help with readiness as well as perform your actual audit. Working with an auditor on the front end of the audit process can help you to identify any gaps in your current controls and processes, and allow you time to mitigate and make any recommended changes before being audited for PCI compliance. Partnering with your QSA can lead to a truly educational and successful PCI audit experience.

To help ease the burden of information security requirements, KirkpatrickPrice has developed an innovative tool, known as the Online Audit Manager, that helps to streamline the audit process. This unique online methodology can help save you time, resources, and the headache that comes along with strenuous audit requirements, such as PCI DSS.

The Online Audit Manager is a tool that was developed based on the expertise of experienced information systems and senior-level security auditors. The OAM connects you with your specialized auditor quickly, so you can begin to receive remote guidance early in the PCI audit process. Your experienced auditor will work with you while you upload the documentation needed to complete your PCI audit, enabling you to complete 80% of the audit before your auditor ever sets foot onsite. Within the Online Audit Manager are loads of free resources that help you create the most effective policies and procedures, ensuring that you have the proper controls in place to demonstrate your PCI compliance. The Online Audit Manager also gives you the flexibility to work on your PCI audit as you have the time and to easily divvy up the workload amongst appropriate personnel. Throughout the PCI audit process, you will have created the perfect audit trail demonstrating how you continue to improve and mature your security practices.

If you’d like to experience a free demo of the Online Audit Manager, contact us today. You won’t want to miss the opportunity to see the Online Audit Manager that will help make your PCI audit process, well, manageable.


Our customers generally find that our approach is what sets us apart from anybody else that they might be talking to about their compliance needs. So, our approach is based on very experienced information systems and information security auditors, and also based heavily on an Online Audit Manager portal that is unique to KirkpatrickPrice.

What does that mean? The Online Audit Manager gives you the flexibility to work on your audit when you have the time to work on it, and to also connect you with our experienced auditors and then work through this process over a period of possibly several weeks, collecting the majority of that information before we actually come on site.

How does that help you? That helps you because now we’re able to spend a shorter time on site, impacting your business even less than any other audit approach would.

Why do our customers choose us? Because we have a streamlined approach, we have efficient tools that create a great process and we have very experienced auditors to help them through their compliance needs.


For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.


What’s the purpose of an SSAE 16 audit and should I pursue one? If you’re new to the world of information security audits, check out this comprehensive guide on the history of SSAE 16, why it replaced the SAS 70, and how becoming SSAE 16 compliant could benefit your business.

SSAE 16: The Past and the Present

Outsourcing critical business functions, such as IT or HR, is a common practice among many businesses today. While outsourcing is a great way to cut operational costs and acquire resources that aren’t available internally, it doesn’t come without its risks. It is especially crucial to consider how outsourcing functions to service organizations could impact your internal control over financial reporting (ICFR).

In accordance with Sarbanes-Oxley (SOX), publicly traded companies are responsible for maintaining an effective system of internal control over financial reporting (ICFR). This emphasis on governance and risk management in reporting on controls at a service organization is the reason many organizations have chosen to require their vendors who may have an impact on their ICFR to obtain an SSAE 16 (SOC 1) Attestation Report.

What is SAS 70?

SAS 70 is the Statement on Auditing Standards No. 70, an older auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It provides standards for reporting on controls and processes at service organizations, but, unlike later standards, did not require auditors to obtain a written assertion concerning the design and effectiveness of controls. SAS 70 was superseded by SSAE 16 in 2011, and more recently, by SSAE 18.

What is SSAE 16?

SSAE 16 is the Statement on Standards for Attestation Engagements No. 16. It provides a set of standards and guidance for attestation reporting on organizational controls and processes at service organizations. Audits using SSAE 16 generally result in System and Organization Controls (SOC 1) reports. Unlike earlier standards, SSAE 16 requires a written assertion from a service company’s management, stating that its description accurately represents the organizational systems, control objectives, and operational activities that affect customers. SSAE 16 was superseded by SSAE 18 in 2017.

What is SSAE 18?

SSAE 18 is the current set of standards and guidance for reporting on organizational controls and processes at service organizations. It supersedes SSAE 16 and is intended to update and simplify previous standards. Like SSAE 16, SSAE 18 is used in SOC 1 reports, but also in SOC 2 and SOC 3 reports, which were previously conducted under AT 101. Among other changes, SSAE 18 additionally requires that service organizations identify subservice organizations and provide risk assessments to auditors. SSAE 18 is the current standard that SOC 1 audits use.

Out with the Old: Replacing the SAS 70

To make a long story short, CPAs in the past were using the SAS 70 to report on things other than financial reporting, which the SAS 70 was never intended to do. By introducing a new attestation standard to assess service organizations, the AICPA improved assurance by replacing the SAS 70 with the Statement on Standards for Attestation Engagements No. 16, or SSAE 16.

Not only does the SSAE 16 provide a more comprehensive and descriptive assessment of controls, it also allows user organizations to appropriately assess the reliability of the controls at a service organization.

SSAE 16 vs. SAS 70: What are the Differences?

SAS 70, Cruising with The Auditing Standard

What’s the difference between SSAE 16 and SAS 70? One of the key differences is that the SAS 70 is an “auditing” standard, whereas the SSAE 16 is an “attestation” standard. When the AICPA made the decision to replace the SAS 70, they thought it more appropriate for a service organization audit to be an examination of a system, which is different from an audit of financial statements.

SSAE 16, Going Deeper with Attestation

The SSAE 16 report requires a description of a system along with a written assertion by management on the design and operating effectiveness of the controls being reviewed. The SAS 70, however, lacked the level of detail that the SSAE 16 offers. The SAS 70 simply provided a description of controls and did not include any type of management assertion.

New and Improved: The SSAE 16 Audit Report

The SSAE 16 has been around long enough now to have gained popularity and familiarity by both service organizations and their clients. However, we still receive a fair amount of questions regarding the purpose of an SSAE 16 audit report, the components, and the benefits of a service organization obtaining an SSAE 16 audit report.

As mentioned before, the purpose of an SSAE 16 report is to report on the controls at a service organization that may have an impact on their clients’ financial reporting.

If you’re an organization who provides hosting services, data management services, etc. to a publicly traded company, it is likely you have been requested to pursue an SSAE 16 audit, and if not, you probably will at some point. An SSAE 16 report allows organizations to assess the risks associated with doing business with particular service providers.

Components of an SSAE 16 Audit Report

There are no set controls for an SSAE 16, as each is unique to the service organization and the type of business it does. However, there are common criteria and common control objectives that typically make up the components of an SSAE 16 or SOC 1 report. These include the independent service auditor’s report, management’s written assertion, a description of the system, control objectives, and the testing of the operating effectiveness of the controls.

Type I vs Type II Reports

There are two basic types of SSAE 16 reports, Type I and Type II. SSAE 18 SOC 1 reports concern the accuracy of a service company’s description of its controls and systems, and their effectiveness in achieving control objectives. The two types are similar in many ways, but the key difference is the period of time covered by the report.

  • SSAE 16 Type I reports are “point in time” reports; they report on systems and controls at a specified date.
  • SSAE 16 Type II reports, in contrast, report on the suitability of controls over a period of time of no less than six months.

It is often recommended that service organizations begin with an SSAE 16 Type I report, and then move to an SSAE 16 Type II report to demonstrate the maturing of their environment.

Learn more about Type I and Type II reports in What is the Difference Between SOC 1 Type I and SOC 1 Type II?

Benefits of Pursuing an SSAE 16 Audit Report

There are several benefits associated with obtaining an SSAE 16 audit report. First, it is a great way to demonstrate your commitment to delivering high quality services to your clients. It is also an important step in gaining the client trust you need to develop and grow your business. By engaging a third-party auditing firm to conduct an SSAE 16 audit engagement, you will not only satisfy current client demands, but gain a competitive advantage and have the opportunity to win new business.

The evolution of the reporting on controls at a service organization has inevitably brought more assurance and opportunity to the marketplace. The SSAE 16 audit report is a great way for organizations to demonstrate that they have the proper internal controls in place to protect client data. If you have any questions regarding obtaining an SSAE 16 audit report, whether it is the appropriate engagement for your organization, or how to prepare for your SSAE 16 audit, contact us today.