If your customers rely on you to protect consumer information, chances are you may be asked to produce an SSAE 16 audit report. An SSAE 16 audit reports on the controls at an organization that are relevant to, or may affect, a client’s financial statements. This standard is designed to demonstrate that an organization has proper internal controls and processes in place to address information security and compliance risks. It’s not uncommon to have a million questions the first time you decide to engage in an SSAE 16 (SOC 1) audit. Where do we start? What does this entail? Will we fail? Here are 10 things you can do to begin preparing for your SSAE 16 audit.

1. Risk Assessment

If you look at any compliance or information security framework, audit, or standard, they all require a risk assessment. For that reason, performing a formal risk assessment is the best starting point in preparing for your upcoming SSAE 16 audit. A risk assessment helps you understand what you’re doing as an organization and can help identify any risks in your environment. Based on your assessment, the implementation of controls should be reasonable and feasible. A written, formal risk assessment should be performed by a cross-section of departments and employees.

2. Evaluate Client Requirements

Who are you serving as a market? Are you providing services to retail organizations? Healthcare organizations? Federal government? Financial services organizations? Your answers determine the laws and regulations that apply to you and how you deliver your services. What do your clients expect from you? What does your contract say you’re providing? As a service provider, your audit’s scope is shaped by your service delivery methods, and client requirements should be evaluated in order to understand what is expected and reasonable. Don’t forget to evaluate contracts and service packages to ensure that expectations have been properly documented.

3. Regulatory Implications

In order to prepare for your SSAE 16 audit, you must determine what your regulatory responsibilities are based on your locale and the customers you service. For example, if you’re serving the healthcare market, you’ll be responsible to comply with relevant sections of the HIPAA/HITECH Act. If you’re serving the financial market, then GLBA is relevant. If you’re serving publicly traded companies, SOX is relevant. If you’re serving the Federal government, you must comply with FISMA. Taking into consideration each regulatory framework that applies to you will help determine what’s important to consider when preparing for your SSAE 16 audit.

4. Service Delivery Controls

Possibly one of the biggest risks that businesses may overlook (since it’s not a security breach) is operational risk. As auditors, we look for things that deal with operational efficiency, catching errors, and quality assurance. These are all important factors that will help make up a set of service delivery controls. What controls do you have set up along the service delivery process? A helpful way to manage service delivery controls is by creating a data flow diagram of the life-cycle of your service delivery model. Take us step-by-step through the entire process.

5. Written Policies & Procedures

This isn’t the first time you’ve heard us say this, and it won’t be the last. The most important thing to remember when developing policies and procedures to prepare for any audit is “if it’s not written down, it didn’t happen.” Having a formally written and fully documented set of policies and procedures is paramount for an SSAE 16 audit because these are what we audit against. If your policy says you do X, Y, Z, we will perform a test against that policy to verify that you do, in fact, do X, Y, Z. Having a formal set of written policies and procedures also helps guide employees on company expectations and consequences and provides guidance on the proper execution of service delivery. Policies and procedures should be fully endorsed by senior management, and updated by the authorized individual at least annually.

6. Training

When trying to prepare for your SSAE 16 audit, policies and procedures and training often can go hand in hand. It’s essential that employees receive job-specific training to ensure full compliance with all company policies and procedures. Did all employees attend? Did all employees comprehend? Is there some kind of acknowledgement form that was signed saying they have been presented with and understand what’s expected of them as an employee? Since, for example, HR, IT, and Production are all responsible for different aspects of the business, training should be as job specific as possible. Another type of training that is critical in this current threat-landscape is security awareness training. Employees should be trained annually to keep them vigilant in understanding the types of threats that are out there.

7. Vendor Management

Vendors represent a risk to every organization. Your requirements for each vendor may vary based on the risk that vendor poses to your organization. For example, a VPN-connected vendor introduces different risks than a cleaning service. As far as managing your vendors, on-boarding and off-boarding procedures are just as critical for vendors as they are for employees. What are you going to require for the on-boarding process? A signed non-disclosure agreement? Verification that they perform background checks on employees? Verification that they are in compliance with any relevant information security and regulatory compliance requirements? Effective policies, training, and monitoring can greatly reduce your vendor risk. Be sure to include a right-to-audit clause in your contract.

8. Physical Controls

Your physical controls address restricting access to your physical environment. These controls cover things like controlling how someone comes in and out of your facility, tracking visitors, and keeping a log. Access control systems can generate logs to verify access granted and denied. Video footage can be helpful after an incident to determine the impact. Visitor procedures are important for documenting historical events. Are there additional checkpoints or limited access once inside? Sensitive areas should be controlled to restrict access on a strictly business-justified basis. Assessing your physical controls is important when you prepare for an SSAE 16 audit.

9. Security Controls

When we talk about controls that affect “security”, we are talking about CIA: Confidentiality, Integrity, and Availability. If an important document containing sensitive information is stolen, then the confidentiality of that document has been compromised. If you’re storing an important hardcopy document that has gotten wet and is now unreadable, then the integrity of that document has been compromised. If something has gone missing, like an important filing cabinet full of sensitive documents, but hasn’t been taken by an unauthorized person, then the availability of the documents inside the filing cabinet has been compromised. Putting Administrative, Technical, and Physical controls in place can help you address each of those areas of security.

10. Availability Controls

Availability controls include things such as Business Continuity and Disaster Recovery Plans. These are critical for maintaining availability to your customers. Other availability controls to consider when preparing for an SSAE 16 audit are data backups, network monitoring, and cross-training employees.

Companies are looking to do business with vendors who understand these issues. Being proactive about undergoing your SSAE 16 audit can mean the difference in winning your next big deal and earning the trust and respect of the clients you serve.

KirkpatrickPrice strives to be your partner. Engaging in an SSAE 16 Audit doesn’t have to be a scary thing and we are here to offer help every step of the way with recommendations and resources to help strengthen your environment. If you’re ready to get some help, contact us today.


For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

Text Recap: Information Security Tips for 2015

The New Year is here, and if Information Security trends from last year are at all telling, 2015 will be a very important year to pay close attention to the security of your sensitive data. Here are 5 Information Security Tips to keep in mind to protect yourself and your organization in 2015.

  1. Cybersecurity – Organized crime in the 21st century has a new name – Cybercrime. We are all too familiar with the headlines declaring the most recent retail hack. However, in 2015, the possibility of a breach is not only threatening to our credit card numbers, but also healthcare information, intellectual property, personally identifiable information, and more. Now that companies are beginning to “understand” the increasing severity of these attacks, they need to fully prepare to withstand any attack by investing in security.
  2. Privacy and Regulation – Laws and regulations that mandate safeguards and the use of Personally Identifiable Information (PII) are nothing new. What’s changing? Reactionary fines have been replaced with proactive supervision. The government isn’t waiting for a breach to inspect your compliance. However, thinking about implementing appropriate safeguards only for the sake of compliance with these laws to avoid heavy fines and penalties can be dangerous. Privacy should be looked at from a risk-based perspective. Following these laws and regulations can help prevent loss of business and reputational harm.
  3. Vendor Management – Strategic outsourcing of consumer-focused business processes comes with significant risk. According to federal legislation, the risk itself cannot be outsourced; it must be managed. Increasing governmental scrutiny has only magnified that risk. Threats from third-party providers demand that you control the supply chain. Do you have evidence to support that your vendors are compliant?
  4. Wearable Technology – Wearable technology is everywhere. While simplifying the ability to “connect”, these new pieces of technology also introduce new risk to your organization. Be proactive about securing wearables just like any other mobile device, and make sure your BYOD policy is up-to-date and enforced. Minimize the threat of a data leak.
  5. Your Weakest Link – Your People – Everyone’s heard “you’re only as strong as your weakest link”. In the world of Information Security, this adage should be at the forefront of every business owner’s mind. Protect your people. Educate your people. Setting the tone from the top is essential when promoting healthy security awareness in the workplace. When those who “sign the checks” focus on security, everyone else will too.