Ask the Auditor: PCI DSS Requirements 3 & 4

by Sarah Harvey / June 13, 2023

We had another chance to interview one of our Information Security Auditors, Tim Cunningham, on some frequently asked questions about PCI DSS Requirements 3 and 4. Here are the highlights from the interview:

Q: When we consider the concept of protecting stored cardholder data, what is the first thing to consider when planning compliance with Requirement 3?

A: An organization’s approach to PCI Compliance should be a top-down, management-driven approach.…

Top 10 Risks Found by Our Auditors

by Sarah Harvey / December 16, 2022

Are you in the process of getting your annual audit performed? Are you preparing for your annual audit? We have compiled a list of the Top 10 Risks we most commonly find when auditing information security to help you better strengthen your own environment. Take a look at what our auditors have found to be common shortcomings and make sure you’re not making those same mistakes at your organization. 1.…


6 Steps to Construct Your Internal Audit Program

by Sarah Harvey / June 15, 2023

Why is an internal audit program important? The CFPB Examination Manual has become the ruling guidance for those in the collections space, and internal audit is a topic that can’t be taken too lightly. According to the manual, an effective compliance management system should have four interdependent control components:

- Board and management oversight
- Compliance program
- Response to consumer complaints
- Compliance audit

When these four control components are strong and well-coordinated,…

Style Guide to Writing Good Procedures

by Sarah Harvey / June 14, 2023

Last week, we explored the process of writing effective policies. This week we will take a look at what goes into writing effective procedures, the policy counterpart. Procedures are the process or task instructions on how, exactly, a policy is followed. They communicate the responsibility for a task or a process. Where a policy defines the rule as a guide to employees making decisions and mandatory rules that require…

Style Guide to Creating Good Policies

by Sarah Harvey / June 14, 2023

Countless regulatory compliance and client requirements depend on clear and appropriate policies and procedures to demonstrate how organizations are conducting their business. Without defined policies and procedures, you face the threat of heavy fines from regulatory governing bodies, loss of business, or loss of data. As auditors, we find that many of our own clients struggle with understanding the organization of a policy, what does belong in a policy, what…