Are you considering going through an information security audit for the first time? Are you contemplating a requirement for all of your vendors to undergo information security audits? Are you looking for an auditing firm who can help your organization utilize the benefits of auditing? Do you need help explaining the value of information security audits to executive management? Are you trying to cultivate a culture of compliance within your organization? We’re here to help.

What are the Advantages to Auditing?

Many people are intimidated by the requirements, price, and efforts of auditing, but we believe the benefits outweigh the cost. Yes, undergoing information security audits is a challenging and time-consuming process for most organizations, but our Information Security Specialists aim to educate clients on the value that attestations and compliance can bring to their business, which range from competitive advantages to reputational improvement. When your organization has completed an information security audit and gained compliance, the challenges you faced will be worth it.

However, getting executives on board with undergoing information security audits can be challenging, because many organizations are fearful of the process. We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off a list rather than understanding the purpose and benefits. At KirkpatrickPrice, we want to be your audit partner, not just an item to check off on a list. We want to walk through this audit lifecycle with you, enhancing your business by placing security and compliance at the forefront of the current threat landscape.

Are you ready to get started on securing your business? Do you want to ensure your security posture is as strong as possible? Do you want to see how your mindset toward auditing can change over a three-year period? KirkpatrickPrice offers a wide variety of information security testing and auditing services. To learn more, contact a KirkpatrickPrice information security specialist today.

Organizations put valuable resources into completing SOC 1 audits: time, money, people, technology, and more. We know that often times, a SOC 1 audit can make it or break it for our clients’ business and we don’t take that lightly. When someone asks us, “Will I pass a SOC 1 audit? What if I fail the audit? What happens if I fail?”, we want to give them the best explanation we can in regards to reasonable assurance.

Reasonable Assurance Explained for SOC 1 Audits

When explaining reasonable assurance, there’s one important lesson to understand: SOC 1 audits do not work on a pass/fail system. The purpose of a SOC 1 report is to provide user entities reasonable assurance that their controls relevant to internal controls over financial reporting (ICFR) are suitably designed and operating effectively. Instead of passing or failing your organization, an auditor will issue a qualified or unqualified opinion. Understanding reasonable assurance changes your mindset from, “What if I fail the audit? Will I pass the audit?” to “How would an auditor assess these controls?”

If an auditor determines that a control was not in place or effective, then a qualified opinion would be issued. This would sound something like, “Except for Control X, reasonable assurance is there. The controls have been suitably designed and operating effectively.” An unqualified opinion means there are no qualifications or significant exceptions being issued and reasonable assurance has been determined.

Understanding the concept of reasonable assurance can help you approach SOC 1 audits in a healthy way. Instead of asking, “Will I pass a SOC 1 audit? What if I fail the audit?”, you can look at your organization’s controls and ask, “Would an auditor see that these controls are suitably designed? Are they operating effectively? Would we achieve reasonable assurance?”

If it’s your first time having a SOC 1 audit performed, we strongly recommend starting with a gap analysis of your organization’s internal controls in order to identify operational, reporting, and compliance gaps and to provide advice on strategies to manage control objectives going forward. If you have questions about SOC 1 audits or want help demonstrating to your clients your commitment to security and compliance, contact us today.

One of the questions that we get all the time is: will I be able to pass the audit? What if I fail the audit? The SSAE 16 (now SSAE 18) does not work on a pass/fail system. It works on a threshold of reasonable assurance. The auditor will issue an opinion about whether or not the controls are suitably designed and operating effectively during a period of time.

An unqualified opinion means that there are no qualifications or opinions being issued and reasonable assurance has been determined. Whereas a qualified opinion would be an opinion where there are some qualifications to that opinion. For example, “Except for this or that, reasonable assurance is there. The controls have been suitably designed and are operating effectively.”

Understanding the concept of reasonable assurance is good way to approach your audit so that you can understand if an auditor can achieve reasonable assurance when they look at your controls and determine if they’re operating effectively.

When considering having a SOC 1 audit performed, there are two different report options available. Knowing whether you need a SOC 1 Type I or a SOC 1 Type II report will depend on your client’s needs and timing constraints.

What’s the difference between a SOC 1 Type I and a SOC 1 Type II report?

A SOC 1 Type I and a SOC 1 Type II both report on the controls and processes at a service organization that may impact their user entities’ internal control over financial reporting. The main difference to note is that a SOC 1 Type I report is an attestation of controls at a service organization at a specific point in time, whereas a SOC 1 Type II report audits controls at a service organization over a period of time (minimum six-month period) in order to attest to the operating effectiveness of the controls.

Do I need a SOC 1 Type I or a SOC 1 Type II Report?

If your client has requested a SOC 1 report from you but doesn’t require a specific type, how do you determine whether you need a SOC 1 Type I or a SOC 1 Type II report? If it’s your first time going through a SOC 1 audit, we commonly advise clients to begin with a Type I and then move to a Type II the following audit period. SOC 1 Type I reports are less constraining than a SOC 1 Type II report. SOC 1 Type I reports also give you the opportunity to work with your auditor on designing controls and ensuring that the description of controls would be fair and accurate in the report.

If you’re required to receive a SOC 1 Type II report, additional testing is necessary to determine that the controls are not only in place, but also operating effectively over a period of time. SOC 1 Type II audits take more time to conduct because you’re looking at controls over a period of time.

It’s important to consider these factors, client needs, and timing constraints, when trying to decide if you need a SOC 1 Type I or a SOC 1 Type II report. If you have questions about which type of SOC report you need or want help demonstrating to your clients your commitment to security and compliance, contact us today.

The type of report that you should receive for your SSAE 16 (now SSAE 18), many times is determined by what your client is asking you to do. Sometimes your request from your client will be an SSAE 18 report, period. There are two types of reports. There’s a Type I and a Type II. If you’ve never done an SSAE 18 report before, it’s a good idea to begin in the first year with a Type I report. If your client is not requiring you to constrain to the Type II report, a Type I report gives you the opportunity to work with the auditor on designing your controls and ensuring that the description of your controls would be fair and accurate in the report. That’s the threshold for a Type I report.

If they are requesting you to do a Type II report, there is additional testing that must take place from the auditor in order to determine that the controls are not only in place, but also operating effectively over a period of time. A Type I is a good place to start because you’re able to address the design and description of the controls as of a certain date, whereas a Type II report takes a little bit more time to conduct because you have to look at those controls having been in place over a period of time. Please consider those factors as you determine if you need a Type I or Type II SSAE 18 report.

Are you being asked by a top client for a SOC 1 audit report? What is a SOC 1 report? Do you need a SOC 1 audit? Below, you’ll find answers to frequently asked questions about SOC 1 audit reports and learn how your organization can benefit from having a SOC 1 report and what you can expect from your SOC 1 audit process.

What is a SOC report?
Developed primarily for third-party service providers by the AICPA, SOC (System and Organization Controls for Service Organizations) reports are issued by CPAs and report on a service organization’s internal controls that could impact their clients‘ sensitive data. SOC reports help service organizations’ clients, or user entities, to comply with regulatory and contractual requirements. SOC reports allow user entities to obtain an objective evaluation of the effectiveness of controls that address compliance, operations, and financial reporting of a service organization.

What is a SOC 1 audit report?
SOC 1 engagements are performed in accordance with the Statement on Standards for Attestation
Engagements No. 18 (SSAE 18), formerly known as SSAE 16. SOC 1 reports are specifically designed to report on the controls at a service organization that could ultimately impact their clients‘ financial statements. A SOC 1 audit is not a review of a service organization’s financial statements, but rather a review of internal controls over financial reporting.

Do I need a SOC 1?
Many organizations are legally required to verify the suitability of internal controls at a service provider prior to engaging with the service provider. Generally speaking, publicly traded companies looking to comply with Sarbanes Oxley (SOX), financial institutions looking to comply with the Gramm-Leach-Bliley Act (GLBA), as well as state and local government, have all standardized on SOC reports to meet this requirement. If your clients outsource any of their information technology systems management activities to your organization, you may be asked for a SOC 1 report so they can gain a better understanding of the controls at your organization and how they meet specific requirements.

What are the benefits of getting a SOC 1 audit?
SOX and GLBA (among others) require service organizations to have adequate internal controls in place. By being able to produce a SOC 1 audit report to your clients or prospects, you gain a competitive advantage and client trust by demonstrating that you have the proper internal controls in place and that they have been verified by a valid third party.

Who can perform a SOC 1 audit?
A SOC 1 audit can only be performed by an independent CPA. CPAs must adhere to the specific standards that have been established by the AICPA and have the technical expertise necessary to perform SOC 1
engagements.

How are SOC 1 reports used?
Generally speaking, your SOC 1 audit report will be requested and read by your client’s auditor. SOC reports are considered an “auditor to auditor report,” allowing the auditor to avoid having to audit the service provider directly. SOC 1 reports will be used by a service organization with current and potential clients and their independent auditors. It’s important to note that while the existence of a SOC report is marketable, the SOC reports themselves are restricted from being used for general marketing purposes.

What should I expect to see in my SOC 1 report?
Depending on your specific needs, a CPA can issue either a SOC 1 Type I or a SOC 1 Type II report. In a Type I report, your independent auditor will offer an opinion of the fairness of the presentation of the description of your system, the suitability of the design of the controls, and whether the controls have been implemented as of a certain date. A Type II report is your independent auditor’s description of the operating effectiveness of the controls over a period of time (minimum of six months), your auditor’s test controls, and the results of the tests.

How does the audit process work?
KirkpatrickPrice utilizes the Online Audit Manager to ask a series of custom questions regarding your current controls, policies, and procedures to prepare you for your specific requirements. Our process will efficiently document where your organization’s security posture currently stands, provide specific guidance on identified areas of weakness, and allow you to work through as much of the audit process as possible prior to conducting the onsite portion of the audit. Our unique online approach minimizes the cost and disruption associated with extended onsite visits. Our senior-level auditors will assess, guide, monitor, test, and help mature your organization’s information security program and internal controls.

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

SSAE 16, SOC 2, HIPAA, PCI DSS, FISMA, ISO 27001. We’ve all heard of the Alphabet Soup, but what do they all really mean?

Which one is right for me? Which one should I pursue? Why would I get this audit over that audit? As auditors, these are the questions we are most frequently asked.

To help answer these questions and truly familiarize you with the different audit frameworks, we’ve broken down the Who’s, What’s, and Why’s for the most commonly reported on frameworks.

SSAE 16/SOC 1

Who asks for an SSAE 16? If you work with publicly traded companies, financial institutions, or state or local government, you will frequently be required to have an SSAE 16 (or SOC 1) audit performed by a third party. It is the most commonly used form of attestation for service providers in the US. So what is an SSAE 16? It’s an audit and report on internal controls (whether related to information security, financial, operational, or compliance controls) at a service provider that are relevant to their client’s data. The SSAE 16 audit takes a risk-based approach, with specified objectives that are created to address client risk, and controls, or activities, to accomplish each objective. A third-party auditor would be looking at your environment to make sure your objectives are appropriate, your controls are effectively designed, and that you are doing what you say you are doing. An SSAE 16 audit is as good as its scope.

SOC 2

Typically, the same clients who are asking you for an SSAE 16 will be the ones asking you for a SOC 2 audit. Whereas SOC 1 was designed to validate internal controls at a service provider that relate to client financial reporting and validate information security, SOC 2 was a framework specifically designed for companies delivering technology related services. The SOC 2 framework is finally gaining popularity. SOC 2 was specifically designed to report on one of five principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. The established criteria for each principle address the following questions: How are your policies and procedures relative to the standard documented? How do you communicate those to all interested parties? How do you monitor that those controls are being effectively performed?

HIPAA

If you are working for a healthcare provider or a Business Associate who services a healthcare provider, you are going to be asked for validation of your compliance with HIPAA laws. Any entity who handles Protected Health Information (PHI) will be responsible for compliance with HIPAA. Legislation requires appropriate Physical, Administrative, and Technical Safeguards to protect PHI. Much like the SSAE 16, HIPAA compliance is risk-based. You must begin by performing a Risk Assessment to determine what the appropriate physical, administrative, and technical safeguards are, implement those, and then perform regular monitoring to ensure the safeguards are still appropriate. There is no “hard list” of requirements for HIPAA, and there is no certification. A third-party audit would provide validation of your controls and their appropriateness and effectiveness.

PCI

The PCI Data Security Standard applies primarily to the payment card industry. If you store, transmit, or process cardholder data, you will be required to comply with PCI DSS. Additionally, if you have a client who is required to comply with PCI DSS, they are required to validate your compliance with the standard as well. PCI DSS is a very robust information security standard, and is also sometimes used as a best practice, even without handling credit card data. A PCI audit is an information security audit focused on the protection of credit card data. All PCI audits are performed by a PCI Qualified Security Assessor (QSA). There are over 200 controls and 1,000 audit tests that make up the framework and process. There are six control objectives with 12 subject areas. When a third-party auditor performs a PCI audit, it results in a PCI Report on Compliance (ROC).

FISMA

FISMA Compliance is required of anyone working with the federal government, a federal contractor, or a sub-service provider of a federal contractor. FISMA is the law. NIST Special Publication 800-53 is the actual standard that lists the individual security controls required to comply with FISMA. A FISMA audit is a thorough assessment of your information security practices as it relates to NIST SP 800-53 requirements. It involves a detailed risk assessment, and a selection of comprehensive controls determined by whether you are a low, moderate, or high category. Out of the frameworks we’ve covered so far, FISMA is the most extensive.

ISO 27001-27002

If your customers are doing business globally, chances are you’ll be asked for an ISO 27001 audit. It is a very mature, holistic, information security standard that is widely recognized and highly revered on an international level. 27001 is the entire standard, and 27002 refers to just the controls. An ISO 27001 audit is a complete audit of your Information Security Management System (ISMS). This includes management system, risk management, internal audit, management review, continual improvement, and information security controls.

What is Meant by Audit Framework?

If you are unsure what is mean by an audit framework, please read over these Kirkpatrick Price resources:

Chief Compliance Officer Series: Constructing an Internal Audit Framework

6 Steps to Construct Your Internal Audit Program

Determining which audit framework is the best for your organization depends on a number of things; who your clients are, who your clients’ clients are, and what kind of information you process. For more information on a specific framework, or if you are interested in speaking with an Information Security Specialist for a consultation, contact us today.