If your customers rely on you to protect consumer information, chances are you will be asked to produce an SSAE 16 audit report. An SSAE 16 audit is a report on the controls at a service organization that are relevant to, or may affect, its clients' financial reporting. (SSAE 16 has since been superseded by SSAE 18, but the preparation described below applies to a SOC 1 engagement under either standard.) The report is designed to demonstrate that an organization has proper internal controls and processes in place to address information security and compliance risks. It's not uncommon to have a million questions the first time you decide to engage in an SSAE 16 (SOC 1) audit. Where do we start? What does this entail? Will we fail? Here are 10 things you can do to begin preparing for your SSAE 16 audit.

1. Risk Assessment

If you look at any compliance or information security framework, audit, or standard, you will find that all of them require a risk assessment. So performing a formal risk assessment is the best starting point in preparing for your upcoming SSAE 16 audit. A risk assessment helps you understand what you are doing as an organization and identifies the risks in your environment; the controls you then implement should be reasonable and feasible in light of those risks. A written, formal risk assessment should be performed by a cross-section of departments and employees, not by one person in isolation.

2. Evaluate Client Requirements

What market are you serving? Are you providing services to retail organizations? Healthcare organizations? The Federal government? Financial services organizations? Your answers determine the laws and regulations that apply to you and how you deliver your services. What do your clients expect from you? What does your contract say you're providing? As a service provider, your audit's scope is shaped by your service delivery methods, so client requirements should be evaluated in order to understand what is expected and reasonable. Don't forget to review contracts and service packages to ensure that those expectations have been properly documented.

3. Regulatory Implications

In order to prepare for your SSAE 16 audit, you must determine what your regulatory responsibilities are based on your locale and the customers you serve. For example, if you serve the healthcare market, you must comply with the relevant sections of HIPAA and the HITECH Act. If you serve the financial services market, GLBA applies. If you serve publicly traded companies, SOX is relevant. If you serve the Federal government, you must comply with FISMA. Taking into consideration each regulatory framework that applies to you will help determine what's important when preparing for your SSAE 16 audit.

4. Service Delivery Controls

One of the biggest risks that businesses overlook (because it is not a security breach) is operational risk. As auditors, we look for controls that address operational efficiency, catching errors, and quality assurance; together these make up your service delivery controls. What controls do you have along the service delivery process? A helpful way to identify and manage them is to draw a data flow diagram of the life cycle of your service delivery model, one that takes the auditor step by step through the entire process.

5. Written Policies & Procedures

This isn't the first time you've heard us say this, and it won't be the last. The most important thing to remember when developing policies and procedures to prepare for any audit is "if it's not written down, it didn't happen." A formally written and fully documented set of policies and procedures is paramount for an SSAE 16 audit because these are what we audit against. If your policy says you do X, Y, and Z, we will test against that policy to verify that you do, in fact, do X, Y, and Z. A formal set of written policies and procedures also guides employees on company expectations and consequences and provides direction on the proper execution of service delivery. Policies and procedures should be fully endorsed by senior management, and reviewed and updated by their designated owner at least annually.

6. Training

When preparing for your SSAE 16 audit, policies, procedures, and training go hand in hand. It's essential that employees receive job-specific training to ensure full compliance with all company policies and procedures. Did all employees attend? Did all employees comprehend? Is there a signed acknowledgement form showing they have been presented with, and understand, what's expected of them as an employee? Since HR, IT, and Production, for example, are each responsible for different aspects of the business, training should be as job specific as possible. Another type of training that is critical in today's threat landscape is security awareness training. Employees should be trained at least annually to keep them vigilant about the types of threats that are out there.

7. Vendor Management

Vendors represent a risk to every organization, and your requirements for each vendor should vary with the risk that vendor poses. For example, a VPN-connected vendor introduces different risks than a cleaning service. On-boarding and off-boarding procedures are just as critical for vendors as they are for employees. What will you require during on-boarding? A signed non-disclosure agreement? Verification that they perform background checks on their employees? Verification that they comply with the information security and regulatory requirements relevant to the service they provide? Effective policies, training, and monitoring can greatly reduce your vendor risk. Be sure to include a right-to-audit clause in your contracts.

8. Physical Controls

Physical controls restrict access to your physical environment: how someone enters and leaves your facility, how visitors are tracked, and what is logged. Electronic access control systems generate logs of access granted and denied; video footage helps reconstruct an incident and determine its impact; visitor procedures document who was on site and when. Are there additional checkpoints or restricted zones once inside? Access to sensitive areas should be granted strictly on a business-justified basis. Assessing your physical controls is an important part of preparing for an SSAE 16 audit.

9. Security Controls

When we talk about controls that affect "security", we mean the CIA triad: Confidentiality, Integrity, and Availability. If a document containing sensitive information is stolen or read by someone who should not see it, its confidentiality has been compromised. If figures in a document have been altered without authorization, or a record has been corrupted so that it no longer reflects what it should, its integrity has been compromised. If a filing cabinet full of important documents has gone missing, even though no unauthorized person has read its contents, the availability of those documents has been compromised. Administrative, technical, and physical controls together address each of these three properties.

10. Availability Controls

Availability controls include things such as Business Continuity and Disaster Recovery Plans. These are critical for maintaining availability to your customers. Other availability controls to consider when preparing for an SSAE 16 audit are data backups, network monitoring, and cross-training employees.

Companies are looking to do business with vendors who understand these issues. Being proactive about undergoing your SSAE 16 audit can be the difference in winning your next big deal and in earning the trust and respect of the clients you serve.

KirkpatrickPrice strives to be your partner. Engaging in an SSAE 16 Audit doesn’t have to be a scary thing and we are here to offer help every step of the way with recommendations and resources to help strengthen your environment. If you’re ready to get some help, contact us today.

We are here to help companies make managing compliance, well, manageable. We’ve defined the role and responsibilities of the Chief Compliance Officer. We’ve helped delineate what a Compliance Management System (CMS) is all about. We are now here to share the next best kept industry secret to achieving compliance success – creating a culture of compliance within your organization.

You can tell a lot about a company’s overall compliance posture by speaking with their employees. A positive attitude towards compliance means a positive working environment and employee buy-in. There are plenty of obstacles to overcome as a Chief Compliance Officer, so our goal is to help encourage steps you can take to create a positive culture of compliance within your organization, share some tips for creating incentive programs and overcoming bad habits and negative behavior, and discuss some ways to communicate risk in order to change management direction.

Creating a positive culture of compliance and driving cultural change within your organization requires strong leadership skills. Your position as the Chief Compliance Officer gives you the authority, but that's not all that's required. An effective leader should have a vision, strong communication, and a clear strategy.

Developing a Vision of Compliance

Vision is the first step in driving cultural change in a positive direction. You can't simply call for change without an end goal in sight. In what direction should the organization go? You need a clear idea of what you want to change before you set out to change it. The oversight and guidance you already receive are there to help shape your vision for achieving your organizational compliance goals.

Communication is Key

The next step in achieving this culture of compliance is effective communication, starting with the Board of Directors and executive management. By understanding the requirements associated with your role as Chief Compliance Officer, you can educate management by identifying the associated business risks. Asking for their support will help spread the culture you're after from the top down. Show them relevant enforcement actions so they can truly understand the risks associated with the industry. A common question at this level of management is "What's it going to cost me?" Turn it around: what's at stake? Compliance has to come first. Show them what you're protecting the company from: specific cases, what happened at each agency, and who was held accountable.

Communicating with mid-level management is also important. They should be educated on the associated risk too, but more importantly, they should be involved in the risk management process itself. By developing and presenting a risk/reward analysis, you can show how making a change can actually increase revenue and reward. A change in the culture of your organization is not a negative thing, and that needs to be stressed and communicated effectively to this level of management as well. Demanding change without presenting a solution is a risky move unless you want an operations-team-versus-compliance-team war. Suggest things you can do within the organization to help reach common goals, and provide proof of concept as you make and implement changes.

Lastly, effective communication with collectors is key. You must deliver clear expectations with useful and accessible policies, procedures, and work instructions. You shouldn’t have any expectations without them being documented. Training and awareness will help your collectors understand the importance of compliance while helping them get on-board. If the tone is set from the top, they will follow. Creating collector buy-in should be done using fair and equal treatment, such as rewards for compliance as well as discipline for violations. Remember, it can take time to break bad habits and strive for positive change!

Planning Your Compliance Goals

The final step in creating a culture of compliance within your organization is having a fully developed strategy and plan for continuous improvement (Plan, Do, Check, Act). Use your monitoring and audit results to plan for further improvements. Part of your responsibilities as Chief Compliance Officer is to stay current with any new rules and regulations in order to react effectively. And lastly, continue to involve management in the evaluation of risks in order to help to continue to create a positive culture of compliance.

Looking for a consultation in regards to your CFPB compliance and compliance efforts? Contact us!

It isn't news that maintaining a secure web environment is extremely important in today's technological climate. Performing regular scans and tests of your security posture is best practice and is becoming an essential part of maintaining security at your organization. Web applications are a common target for attackers, hence the need for better practices.

Last week, we tapped our own developers to help put together a list of best practices for secure web application development, in order to educate and inspire our community of security-minded individuals.

Here are our top Secure Web Application Best Practices:

1. Training

If you're a web application developer, you should always be aware of security risks and of best practices for defending your application against them. OWASP is a great resource for learning about web application security, and the OWASP Top 10 creates awareness of the most critical classes of web application flaws. SANS is another great resource for information security training. Additionally, many web application frameworks publish security guides that cover their built-in security features; for example, Ruby on Rails, Django, and .NET each publish security guides to help you as you build applications.

2. HTTPS Everywhere

HTTPS authenticates your server to users' browsers, so they can be confident the application they are connecting to is in fact yours, and it gives the session confidentiality and integrity in transit. A common failure is mixed content: the page itself loads over HTTPS, but a script, stylesheet, or other sub-resource is requested over plain HTTP. A single JavaScript file fetched over HTTP can be intercepted and modified by an on-path attacker, and it then runs with the full privileges of your HTTPS page. Current browsers block most active mixed content (scripts, frames, stylesheets) but may still load passive content such as images. Ensure all content and resources are loaded over HTTPS, redirect HTTP to HTTPS, and send an HTTP Strict-Transport-Security header so browsers do not make the initial plaintext request again.
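The two sides of this, a check for sub-resources that would load over plain HTTP and the response headers that keep a page on HTTPS, as an added example in Python (this is not code from the original post; the page URL, the HTML, and the host names are constructed for illustration, and the header values are this example's own choices):

```python
"""Added example, not code from the original post: find mixed content in an
HTTPS page and produce the headers that prevent it. The sample page below and
its host names are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a sub-resource.
FETCHING_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("source", "src"),
    ("audio", "src"), ("video", "src"), ("link", "href"), ("object", "data"),
    ("embed", "src"), ("form", "action"),
}
# Sub-resources that run code or alter the page. An attacker who tampers with
# one of these controls the page; browsers block most of them when mixed, but
# passive content (images, media) may still be loaded over HTTP.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed", "form"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in FETCHING_ATTRS and value:
                # Resolve relative and scheme-relative URLs against the page,
                # so "/static/app.js" and "//cdn/x.js" inherit https.
                url = urljoin(self.page_url, value.strip())
                if urlsplit(url).scheme == "http":
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((tag, url, kind))


def find_mixed_content(page_url, html):
    """Return sub-resources of an https:// page that would load over plain HTTP."""
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


def secure_transport_headers(max_age=31536000):
    """Response headers that keep users on HTTPS. HSTS makes the browser refuse
    plaintext connections to this origin for max_age seconds; the CSP directive
    makes it rewrite http:// sub-resource URLs to https:// before fetching."""
    return {
        "Strict-Transport-Security": f"max-age={max_age}; includeSubDomains",
        "Content-Security-Policy": "upgrade-insecure-requests",
    }


# Constructed page: one stylesheet and one script over HTTP (active), one image
# over HTTP (passive), and three resources that are fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="//cdn.example.net/lib.js"></script>
<script src="http://cdn.example.net/analytics.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="http://img.example.net/logo.png">
<img src="https://img.example.net/hero.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content("https://www.example.com/account", SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
    print(secure_transport_headers())
```

Run this against rendered pages (templates can hide an `http://` in an include), and treat every "active" finding as a must-fix; `upgrade-insecure-requests` only helps if the resource is actually reachable over HTTPS.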

3. Strong Password Storage Practices

When storing users' passwords, it is extremely important to follow best practices. Never, ever, store passwords in plain text, and do not use a fast general-purpose hash (MD5, SHA-1, SHA-256) on its own. Store each password as a salted hash produced by an algorithm designed for password storage, which is deliberately slow and, ideally, memory-hard: Argon2id, scrypt, bcrypt, or PBKDF2 with a high iteration count. Use a unique random salt per user and compare hashes in constant time. See the OWASP Password Storage Cheat Sheet for current parameter recommendations.

4. Keep Application Dependencies Up-to-Date

Your web application most likely makes use of a framework and several libraries or components, and each one of them is potentially vulnerable to attack. Start by identifying every component and the exact version currently used in your application; pin versions in a lockfile so that inventory is precise and reproducible. Once you have it, monitor public vulnerability databases (CVE, NVD) for reports against the components you use, or use a software composition analysis tool that does this matching automatically. Also subscribe to the security mailing lists for the frameworks you use, and update promptly when a component releases a security fix.

5. Always Install Security Patches

Related to keeping your application dependencies up to date, you should also ensure your application stack is up to date. Ensure your OS, web server, application server, and databases are all running the latest patches and a hardened configuration.

6. Web Application Firewall

A web application firewall (WAF) can help identify and block threats to your application. A WAF applies rules to the HTTP traffic coming in to your application; if a request matches patterns commonly associated with attacks, it is blocked. These rules can be customized to the specific threats your application faces. Running a WAF requires maintenance and tuning, and it is a compensating control rather than a fix: attackers routinely evade signature rules with encoding and variation, so it does not replace correcting the vulnerability in the application itself. Used with that in mind, it can be very effective at blocking many known attacks and at buying time while a fix is deployed.

7. Logging

It is always important to know what is going on within your applications, and collecting logs is vital to having an audit trail of activity. You should collect all authentication and access events, including administrative access to your servers and user access to your application: successful and failed logins, privilege changes, data access, and errors. Each entry needs a timestamp, the source address, and the user or session it relates to, and none should contain secrets such as passwords or session tokens. Logs should be shipped to a central store, protected from modification by the systems that produced them, and retained long enough to support an investigation, where they can be reviewed and correlated.
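Correlation is what makes collected authentication events useful. The following added Python example (not code from the original post) writes auth events in a simple line format, parses them back, and flags a source address that fails many logins in a short window and then succeeds, which is the shape of a credential-stuffing or password-spraying attempt. The log format, the thresholds, and the sample lines (using reserved documentation IP ranges) are constructed for illustration.

```python
"""Added example, not code from the original post: format and parse auth
events, then flag sources with a burst of failures. The line format, the
thresholds and the sample log are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth\.(?:login_ok|login_fail)) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def format_auth_event(ts, ok, user, ip):
    """One auth event: when, what, who, from where. Note what is absent: the
    password attempted and any session token issued never belong in a log."""
    event = "auth.login_ok" if ok else "auth.login_fail"
    return f"{ts.isoformat(timespec='seconds')} {event} user={user} ip={ip}"


def parse_auth_log(lines):
    """Return a list of {ts, ok, user, ip} dicts; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["event"] == "auth.login_ok",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag any IP with >= threshold failures inside a sliding time window.
    Returns {ip: {failures, users_tried, success_after_burst}}; a success from
    the same IP after the burst is what an analyst wants to see first."""
    events = sorted(events, key=lambda e: e["ts"])
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Advance the left edge until fails[start..end] fits in the window.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = fails[start]["ts"]
                later_ok = {e["user"] for e in events
                            if e["ok"] and e["ip"] == ip and e["ts"] >= burst_start}
                flagged[ip] = {
                    "failures": len(fails),
                    "users_tried": sorted({f["user"] for f in fails}),
                    "success_after_burst": sorted(later_ok),
                }
                break
    return flagged


# Constructed log: one address sprays six accounts in 18 seconds and then logs
# in as bob; another has an ordinary mistyped password followed by success.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth.login_fail user=alice ip=203.0.113.7
2024-05-01T10:00:05 auth.login_fail user=bob ip=203.0.113.7
2024-05-01T10:00:09 auth.login_fail user=carol ip=203.0.113.7
2024-05-01T10:00:12 auth.login_fail user=dave ip=203.0.113.7
2024-05-01T10:00:15 auth.login_fail user=erin ip=203.0.113.7
2024-05-01T10:00:19 auth.login_fail user=frank ip=203.0.113.7
2024-05-01T10:00:25 auth.login_ok user=bob ip=203.0.113.7
2024-05-01T10:01:00 auth.login_fail user=alice ip=198.51.100.4
2024-05-01T10:01:30 auth.login_ok user=alice ip=198.51.100.4
2024-05-01T10:02:00 app.request path=/ ip=198.51.100.4
""".splitlines()

if __name__ == "__main__":
    for ip, detail in find_brute_force(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, detail)
```

The same per-source sliding window works for other events worth correlating, such as password resets or failed MFA prompts; the point is that the signal only exists once events from every server are in one place with comparable timestamps.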

8. Assume All Input from Users is Malicious

As a developer, you should always assume that all user input is malicious. This includes form data, URL parameters, query strings, cookies, and HTTP headers. Validate all input against an allowlist of expected type, length, format, and range of allowed values, and reject anything that does not match rather than trying to clean it up. Validation alone is not a complete defense: use parameterized queries to prevent SQL injection and context-appropriate output encoding to prevent cross-site scripting, because both attacks exploit applications that trust user input. See OWASP's input validation guidance.
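Both halves of that advice in one place, as an added Python example (not code from the original post): allowlist rules for three request parameters, a lookup that builds SQL from the raw value beside the parameterized version, and the one case where an allowlist is the only option, a column name in ORDER BY. The field rules, the table, and its rows are constructed for illustration.

```python
"""Added example, not code from the original post: allowlist validation of
request parameters, and a parameterized query beside the string-built one it
replaces. The field rules, table and rows are constructed for illustration."""
import re
import sqlite3

# One rule per field: format, type and range, or a fixed set of values.
# Input that does not match is rejected outright rather than "cleaned up".
RULES = {
    "username": {"pattern": re.compile(r"[a-z0-9_]{3,32}")},
    "page":     {"type": int, "min": 1, "max": 1000},
    "sort":     {"choices": {"username", "created"}},
}


class ValidationError(ValueError):
    pass


def validate(params):
    """Return a dict of typed, validated values or raise ValidationError."""
    clean = {}
    for field, rule in RULES.items():
        raw = params.get(field)
        if raw is None:
            raise ValidationError(f"{field}: missing")
        if "pattern" in rule:
            if not rule["pattern"].fullmatch(raw):
                raise ValidationError(f"{field}: bad format")
            clean[field] = raw
        elif "choices" in rule:
            if raw not in rule["choices"]:
                raise ValidationError(f"{field}: not an allowed value")
            clean[field] = raw
        else:
            try:
                value = rule["type"](raw)
            except (TypeError, ValueError):
                raise ValidationError(f"{field}: wrong type") from None
            if not rule["min"] <= value <= rule["max"]:
                raise ValidationError(f"{field}: out of range")
            clean[field] = value
    return clean


def make_db():
    """In-memory table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, created TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "2024-01-02"),
        ("bob", "bob@example.com", "2024-01-01"),
    ])
    return db


def lookup_vulnerable(db, username):
    """Trusts the input: whatever the user sent becomes part of the SQL text."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, username):
    """Parameter binding: the value is passed separately from the query text
    and is never parsed as SQL, whatever characters it contains."""
    rows = db.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def list_users(db, sort):
    """Identifiers such as column names cannot be bound as parameters, so only
    an allowlisted name is ever interpolated into the query text."""
    if sort not in RULES["sort"]["choices"]:
        raise ValidationError("sort: not an allowed value")
    return [row[0] for row in db.execute(f"SELECT username FROM users ORDER BY {sort}")]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row comes back
    print("safe:      ", lookup_safe(db, payload))         # no such user
    print("validated: ", validate({"username": "alice", "page": "2", "sort": "created"}))
```

The validator would also have rejected the payload at the edge, but the parameterized query is the control that holds even when a value reaches the database by some path the validator never saw.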

9. Security Testing

Testing your application for vulnerabilities is an important step in finding and fixing flaws before you suffer an attack. This includes static code analysis and penetration testing. Static analysis scans your source code for flaws and potential security risks; these tools integrate into the development lifecycle and alert developers to hot spots in their code as they write it. Web application penetration tests simulate real attacks against the running application to analyze the security of the system as deployed, and they find logic and configuration flaws that static analysis cannot. Both are necessary in order to have confidence that your application is secure.

For more information or help regarding the security of your web applications, contact us today.

As a Chief Compliance Officer, call monitoring is a big part of managing the compliance within your organization. It’s your responsibility to determine: Are your collectors compliant with federal and state laws? FDCPA? CFPB? Are they meeting contractual agreements with clients? An effective call monitoring program is essential to your overall compliance.

Call Monitoring Scorecard

One of the ways you should monitor your collector calls is by developing and using a Call Monitoring Scorecard to ensure that your collectors are following the policies and procedures you have set forth in regards to communications with consumers. Developing your own Scorecard isn’t necessarily a “one size fits all” process. There are many components to be considered.

You must first take into consideration your own risk assessment. Weighting each scorecard component according to its risk level and exposure is the first step in developing your own scorecard. What kinds of consumer complaints have you received? What about consumer lawsuits? CFPB complaint statistics? What should you be monitoring to ensure that your collectors are using compliant practices when collecting on a debt?

There are many things you should include on your Scorecard to ensure compliance with consumer financial law. We’ve compiled a list of the Top 10 Scorecard Components based on activity we’ve seen to give you some guidance to get started.

Top 10 Scorecard Components

  1. Call Recording Disclosure
  2. Proper Identification of the Consumer
  3. Mini Miranda
  4. FDCPA Third Party Disclosure
  5. UDAAP (Tone, Language, Deception)
  6. Proper Account Updates
  7. Payments Applied According to Consumer Instructions
  8. Regulation E (Disclosure & Authorization) as Applicable
  9. Proper Voicemail Instructions Followed
  10. Proper Communication Regarding the Consumer Credit Report

Do you need assistance with developing your Compliance Management System to meet CFPB regulatory requirements? Contact us today for details on how KirkpatrickPrice can help.

A Culture of Compliance

Are you curious about the steps you can take to create a positive culture of compliance within your organization? Are you looking for tips on how to create incentive programs, overcome bad habits, and eliminate negative behavior? Are you interested in learning about ways to communicate risk in order to change the direction of your management? This webinar will provide an overview of the ways in which you can create and implement a culture of compliance in your organization as a Chief Compliance Officer.

What is the Role of the Chief Compliance Officer?

As a Chief Compliance Officer, you should…

  • Maintain the authority to lead a compliance program independent from business units
  • Have strong leadership and communication skills
  • Be qualified and experienced
  • Administer the Compliance Management System (CMS)
  • Understand the requirements associated with the role
  • Identify and educate yourself on associated business risks
  • Ask the Board of Directors/Executive Management for their support
  • Involve management in the risk assessment process

What Makes an Effective Chief Compliance Officer?

We believe that there are three key components of being an effective leader, including the following:

  1. Vision: In order to drive change, you must have an idea of where you want to go. How can you inspire and lead others into this culture of change?
  2. Communication: In order to drive change, you must effectively communicate. How can you deliver clear expectations to your employees?
  3. Strategy: In order to drive change, a Chief Compliance Officer must have a strategy or plan for continuous improvement. How is management demonstrating support of compliance? How are you continuing to create a positive culture of compliance?

Ultimately, the Chief Compliance Officer position is multifaceted; they are typically problem solvers, leaders, and bridge builders. By combining their leadership responsibilities with the leadership of other management personnel, management will act as a collective front to emphasize the importance of compliance throughout all areas of the organization.

To learn more about how you can create a culture of compliance for your organization, download the full webinar. For more information, contact us today.
