Cybersecurity at Work: Audits That Require Security Awareness Training

It is Cybersecurity Awareness Month! Every October we are reminded of the threats facing our organizations' security. It is no surprise that employees make their way to the top of the vulnerability lists each year. It is time we created a culture of cybersecurity in the workplace.

Employees are often an organization’s weakest link. Whether because of a lack of funding or a misunderstanding of cybersecurity best practices, security awareness training often becomes an afterthought. The reality is that security awareness training is a vital part of your cybersecurity program that cannot be skipped. If even one person is unaware of cybersecurity best practices, they could unknowingly compromise the integrity of your security and disrupt your business processes. There is an endless number of ways this can happen: someone failing to recognize a phishing attempt, reusing weak passwords, not properly disposing of sensitive documents, neglecting company-wide security policies, or falling victim to any of the other tactics, techniques, and procedures (TTPs) used by malicious hackers.

To battle the outbreak of human error in cybersecurity, many information security frameworks and regulations have made security awareness training a requirement.

  • What are the security awareness training requirements from each framework?
  • What does your organization need to do to ensure compliance with these standards?
  • How can security awareness training offer you peace of mind?

What Do Common Frameworks Require for Security Awareness Training?

  • SOC 2

    • AICPA (American Institute of Certified Public Accountants) explains that to earn compliance with common criteria 2.2, entities must “communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”
  • ISO 27001/27002

    • According to Requirement 8.2.2 of ISO 27001, “All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”
  • PCI DSS

    • According to requirement 12.6 of the PCI (Payment Card Industry) DSS (Data Security Standard), entities must implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  • NIST 800-53

    • According to requirement AT-2, an organization is responsible for “providing basic security awareness training to information system users.” There are also two control enhancements that encourage the practical exercise of insider and outsider cyber-attack simulations.
  • HIPAA Security Rule

    • According to the administrative safeguard, 45 CFR 164.308(a)(5), covered entities and business associates must “implement a security awareness and training program for all members of its workforce.”
  • HIPAA Privacy Rule

    • According to administrative requirements under the HIPAA Privacy Rule, 45 CFR 164.530(b)(1) says, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information… as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
  • GDPR

    • According to article 39(1)(b), Data Protection Officers are responsible for “monitoring compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits…”
  • FISMA

    • According to U.S.C. 3544(b)(4)(A), (B) under FISMA, entities are required to implement “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.”

Prepare Your People for Cyber Threats

How can the regular training of your employees be a critical component of your organization’s compliance and security? It has everything to do with both. By offering these resources to your employees, you ensure that they are aware of your company’s cybersecurity policies and your industry’s best practices. Security awareness training can help minimize your organization’s risk of a data breach, thus protecting your sensitive company data and your brand reputation. Security awareness training costs less than 1% of what the average breach costs, which makes the regular training of your employees worth the investment 100 times over.

5 Components of Internal Control

Implementing Internal Controls for SOC 1 Compliance

When an organization pursues SOC 1 compliance, they’ll be tested against the COSO Internal Control – Integrated Framework. This framework is one of the most common frameworks used to design, implement, maintain, and evaluate internal controls. In order for an organization to successfully complete a SOC 1 audit, they’ll need to meet the three objectives of internal control, demonstrate that they have the five components of internal control in place and functioning, and implement the 17 principles related to internal control outlined in the framework. While we’ve already covered how organizations can meet the three objectives of internal control, let’s take a look at the five components of COSO and what they mean for SOC 1 compliance.

The 5 Components of COSO: C.R.I.M.E.

The five components of COSO – control environment, risk assessment, information and communication, monitoring activities, and existing control activities – are often referred to by the acronym C.R.I.M.E. To get the most out of your SOC 1 compliance, you need to understand what each of these components includes.

  1. Control Environment: How has management put into place policies and procedures that guide the organization? What kind of tone has management set so that everyone knows they are responsible for making sure your controls are operating effectively and achieving the results you expect?
  2. Risk Assessment: How does your organization assess risk in order to identify the things that threaten the achievement of their objectives?
  3. Information and Communication: How does management communicate to their internal and external users what is expected of them? How do you make sure that you receive acknowledgement from those people that they understand what you’re asking them to do?
  4. Monitoring Activities: How does management oversee the functioning of the entire organization? How do you identify when things aren’t working correctly and correct those deficiencies as quickly as you possibly can?
  5. Existing Control Activities: What are the controls that you currently have in place? Were they in place and operating effectively over a period of time?

Want to get started on your SOC 1 compliance journey? Ready to learn more about the COSO Internal Control – Integrated Framework and how you can implement the five components of COSO? Contact us today.

Video Transcription

In order to complete your SOC 1 audit, you have to have the five components of internal control in place and functioning. These five components are known by the acronym C.R.I.M.E. The “C” stands for control environment. How has management put into place policies and procedures that guide the organization? What kind of tone has management set in the organization so that everyone knows that they are supposed to make sure that our controls are operating effectively and are achieving the results that we expect? The “R” stands for risk assessment. How does the organization assess risk in order to identify the things that threaten the achievement of their objectives? The “I” stands for information and communication. How does management communicate to their internal and external users what it is they expect from them? How do we make sure that they receive acknowledgement from those people that they understand what it is that you’re asking them to do? The “M” stands for monitoring activities. How does management oversee the functioning of the entire organization? How do you identify when things aren’t working correctly and correct those deficiencies as quickly as you possibly can? The “E” stands for existing control activities. This is the largest section in your SOC 1 report because it talks about all of the controls that you’ve put into place and how the auditor tested those controls to make sure that they were operating effectively over a period of time.

3 Objectives of the COSO Framework and SOC 1

SOC 1 and the COSO Framework

If you’re new to the SOC 1 audit process, you might be wondering what framework is used to evaluate the effectiveness of internal controls. This would be the Committee of Sponsoring Organizations of the Treadway Commission, or COSO Internal Control – Integrated Framework. This framework is one of the most common frameworks used to design, implement, maintain, and evaluate internal controls. It outlines three objectives, five components of internal control, and 17 principles related to internal control that organizations must meet to demonstrate compliance.

When undergoing a SOC 1 audit, then, organizations should strive to meet COSO’s three objectives for internal control: operations, reporting, and compliance. Let’s take a look at what those are and how they could impact your SOC 1 compliance journey.

How Do the 3 Objectives of COSO Impact a SOC 1 Audit?

Because a SOC 1 audit places a large emphasis on the concept of internal control, meeting the three objectives of COSO is especially important. To do so, consider the following questions:

  1. Operations: Are the controls that you’ve put into place operating effectively, so that you can be certain your operations are running the way you expect them to perform?
  2. Reporting: What types of reports do you provide to your clients? What is it that they rely upon from you to verify that your services are operating the way they expect them to operate?
  3. Compliance: What laws and regulations apply to the services that you’re performing so that your clients can rely on your services and be in compliance as well?

Want to get started on your SOC 1 compliance journey? Learn more about the COSO Internal Control – Integrated Framework and how you can meet the three objectives of COSO. Contact us today.

Video Transcription

A SOC 1 audit focuses quite a bit on the concept of internal control. There’s a publication out there from COSO known as the Internal Control Framework, and there are three objectives that you are striving for internal control. The first one has to deal with operations. Are the controls that you’ve put into place operating effectively so that you can be certain about the ways that your operations are running and the ways you’re expecting them to perform? The second one is reporting. What types of reports do you provide to your clients? What is it that they rely upon from you to verify that your services are operating the way they expect them to operate? The third objective is compliance. What laws and regulations apply to the services that you’re performing so that your clients can rely on your services and be in compliance as well?

What is a SOC 1 Report?

Once you’ve made it through the evidence-gathering portion of the SOC 1 audit process, our specialized team of professional writers will take the information gathered by our auditors and provided by you in our Online Audit Manager to create a final SOC 1 report. What is a SOC 1 report? It is a report that is based on the Statement on Standards for Attestation Engagements Number 18, Section 320 (SSAE 18), and it reports on the effectiveness of your internal controls that may be relevant to your clients’ internal control over financial reporting (ICFR). What’s included in this report? How do you use a SOC 1 report? Let’s find out.

What’s Included in Your SOC 1 Report?

When you’ve finished your SOC 1 audit, you’ll receive a SOC 1 report that begins with an opinion letter that’s issued by an independent certified public accountant. This opinion letter will include the following:

  • The scope of the engagement
  • What the service organization’s responsibilities were
  • An opinion on the design of the controls
  • The description of the controls that management provided
  • An opinion on whether or not the controls were in place and operating effectively
  • The auditor’s final opinion on the effectiveness of an organization’s internal controls

In addition to the opinion letter, the report will also include a description of the tests conducted throughout the audit as well as an analysis of exceptions to the effectiveness of internal controls.

How Do You Use a SOC 1 Report?

Once you’ve received your SOC 1 report, you might wonder how you can actually use it. If you pursued SOC 1 compliance because a client requested it, you’ll provide this audit report to their auditors for review. If you proactively pursued SOC 1 compliance without being asked for it, there are many ways to leverage your compliance efforts to give your organization a competitive advantage.

Want to learn more about how we can help you get started on your SOC 1 compliance journey? Contact us today.

More SOC 1 Resources

Understanding Your SOC 1 Report Video Series

SOC 1 Compliance Checklist: Are You Prepared for an Audit?

How to Read Your Vendors SOC 1 or SOC 2 Report?

Video Transcription

What is a SOC 1 report? A SOC 1 report is an audit that is specifically designed for service organizations. It’s based on a Statement on Standards for Attestation Engagements, and in this case, SSAE No. 18, Section 320. The way the report is formatted is that it starts out with an opinion letter. The opinion has to be issued by an independent certified public accountant. An auditor that is independent from the service organization issues an opinion that covers what the scope was of the engagement, it talks about what the service organization’s responsibilities were, it talks about what the service auditor’s responsibilities were, and ultimately, it provides an opinion on the design of the controls, the description that management provided, whether or not the controls were in place and operating effectively over a period of time for a Type II report, and what the auditor’s opinion was after conducting all of the testing and the examination. Once you have the report in hand, the service organization can hand that to their clients, which are known as user organizations. User organizations rely upon that report usually in the course of their own audit as they are concerned with internal control over financial reporting. You should look for a qualified, independent CPA who has particular expertise in performing SOC 1 engagements.

Explaining Audit Periods

The Difference Between SOC 1 Type I and Type II: The Audit Period

While a SOC 1 Type I audit engagement evaluates a service organization’s internal controls that could impact their user organizations’ internal control over financial reporting (ICFR) at a specific point in time, a SOC 1 Type II audit evaluates those same controls over a period of time, usually between six and twelve months. How do you go about choosing your audit period? There are a few things you need to know.

Choosing Your Audit Period for SOC 1 Type II Engagements

One of the first steps that organizations must take when pursuing SOC 1 Type II compliance is choosing their audit period. When choosing your audit period for a SOC 1 Type II audit, you’ll pick a period of time from the past, as auditors cannot make statements about what would happen in the future. Once you’ve determined the length of your audit period, your auditor will review the effectiveness of your organization’s internal controls during that time period.

To find out what audit period works best for your organization’s SOC 1 Type II compliance efforts, contact us today.

Video Transcription

One of the things that you have to do to prepare for a SOC 1 Type II audit is to define what the audit period is going to be. These reports are based on the AICPA’s standards, and just like in SSAE 18, the audit period will be a period of time that’s in the past. We’ll be looking back at what did happen during that period; we can’t make any forward statements about what would happen in the future. An audit period is typically six months or twelve months, and the auditor issues an opinion and performs testing on controls that were in place over a period of time. So, get with your auditor at KirkpatrickPrice and talk about what your audit period should be and what would be most appropriate for your situation.