The end of the year is rapidly approaching, and so is the deadline for those completing a Q4 audit! It’s not hard to imagine what Santa and his Elves feel like as they rush around to get everything in order and ready for their big day.

Just as the Elves help Santa to ensure everything gets done in time, our auditors are committed to helping you make sure you have everything in place working effectively to successfully complete your audit on schedule. Here are 6 tips on how to pass an audit in time for year-end.

How to Pass an Audit in Q4

To better prepare for your upcoming audit, here are six tips that companies across all industries can find helpful:

1. Perform a Risk Assessment

Risk Assessment. Risk Assessment. Risk Assessment.

It always starts with a Risk Assessment. What better way to identify your assets and prioritize your unique risks than by performing a regular risk assessment? Not sure if you have all of the necessary controls in place to properly protect your assets and mitigate risks? Don’t worry – your annual risk assessment will help you with that. Not only is a risk assessment mandated by most audit frameworks, but it’s also a critical component of any information security program.

2. Documentation Inventory

Are you maintaining audit logs? Do you have proof of employee acknowledgement of policies and procedures? Are you keeping all necessary records for your auditor to review?

Waiting until the last minute to pull all of your documentation together can make preparing to pass an audit seem much more tedious and stressful than is actually necessary. Veterans of the audit process will highly encourage companies to continuously collect and maintain necessary documentation in order to be prepared year-round for an audit.

3. Policy and Procedure Review

Reviewing your policies and procedures on an annual basis is a good way to ensure that there are not any gaps in your controls and processes. It is also the perfect opportunity to be certain that everything you say you’re doing as an organization is formally documented and communicated to all relevant personnel.

When it comes to compliance, we’ve all heard the adage, “If it’s not written down, it isn’t happening.” This is good advice when it comes to preparing for an audit, because your auditor won’t be interested in hearing about your processes; they will need to see them documented on paper and see evidence that they are a living and breathing set of documents that continuously change and mature with your organization’s environment.

4. Employee Training

A strong defense is the best defense. Regularly training your employees on security awareness and the importance of security and compliance can help put your mind at ease when it comes to knowing they are taking the right steps and precautions to protect organizational assets. A culture of security awareness and compliance must start from the upper-management level and trickle down to the employee level in order to make the best impact. Security training programs should educate employees on policies and procedures as well as basic security awareness.

5. Vendor Compliance Management

Are you properly managing your vendors to verify that they are complying with information security and compliance requirements and best practices? Vendors pose a risk to every organization, so it’s imperative that you’re doing your due diligence to mitigate those risks. Do you have all of your documentation of proper vetting prepared and ready for your auditor to review? What is your onboarding process? Off-boarding? Do you have vendors sign a non-disclosure agreement? Learn more vendor management best practices with our vendor compliance assessment.

These are the pieces you’ll want to have together in order to successfully pass your audit in Q4.

6. Work with your Auditor

When it comes to completing an information security or compliance audit, your auditor is your greatest resource and is not to be feared. Work with your auditor to show them you’re committed to the audit and remediation process and improving your environment. If they show you that a control you have in place is insufficient, work with them to make the appropriate changes for follow-up, and most importantly, be honest. A good auditor won’t work with you to simply check a box, they will work with you to ensure that your organization is secure and compliant.

So as you wrap up your Q4 audit this year, remember to not overcomplicate it. Gain audit participation from your entire organization by expressing the importance that security plays in your business operations. Working together with your organization and your auditor can help you achieve greater levels of security and compliance at your organization.

If your customers rely on you to protect consumer information, chances are you may be asked to produce an SSAE 16 audit report. An SSAE 16 audit is a report on the controls at an organization that are relevant to, or may affect, a client’s financial statements. This standard is designed to demonstrate that an organization has proper internal controls and processes in place to address information security and compliance risks. It’s not uncommon to have a million questions the first time you decide to engage in an SSAE 16 (SOC 1) audit. Where do we start? What does this entail? Will we fail? Here are 10 things you can do to begin preparing for your SSAE 16 audit.

1. Risk Assessment

If you look at any compliance or information security framework, audit, or standard, they all require a risk assessment. Given that, performing a formal risk assessment is the best starting point in preparing for your upcoming SSAE 16 audit. A risk assessment helps you understand what you’re doing as an organization and can help identify any risks in your environment. Based on your assessment, the implementation of controls should be reasonable and feasible. A written, formal risk assessment should be performed by a cross-section of departments and employees.

2. Evaluate Client Requirements

Who are you serving as a market? Are you providing services to retail organizations? Healthcare organizations? Federal government? Financial services organizations? Your answers will determine the laws and regulations that apply to you and how you deliver your services. What do your clients expect from you? What does your contract say you’re providing? As a service provider, your audit’s scope is shaped by your service delivery methods, and client requirements should be evaluated in order to understand what is expected and reasonable. Don’t forget to evaluate contracts and service packages to ensure that expectations have been properly documented.

3. Regulatory Implications

In order to prepare for your SSAE 16 audit, you must determine what your regulatory responsibilities are based on your locale and the customers you service. For example, if you’re serving the healthcare market, you’ll be responsible for complying with relevant sections of the HIPAA/HITECH Act. If you’re serving the financial market, then GLBA is relevant. If you’re serving publicly traded companies, SOX is relevant. If you’re serving the Federal government, you must comply with FISMA. Taking into consideration each regulatory framework that applies to you will help determine what’s important to consider when preparing for your SSAE 16 audit.

4. Service Delivery Controls

Possibly one of the biggest risks that businesses overlook (since it’s not a security breach) is operational risk. As auditors, we look for things that deal with operational efficiency, catching errors, and quality assurance. These are all important factors that will help make up a set of service delivery controls. What controls do you have set up along the service delivery process? A helpful way to manage service delivery controls is by creating a data flow diagram of the life-cycle of your service delivery model. Take us step-by-step through the entire process.

5. Written Policies & Procedures

This isn’t the first time you’ve heard us say this, and it won’t be the last. The most important thing to remember when developing policies and procedures to prepare for any audit is “if it’s not written down, it didn’t happen.” Having a formally written and fully documented set of policies and procedures is paramount for an SSAE 16 audit because these are what we audit against. If your policy says you do X, Y, Z, we will perform a test against that policy to verify that you do, in fact, do X, Y, Z. Having a formal set of written policies and procedures also helps guide employees on company expectations and consequences and provides guidance on the proper execution of service delivery. Policies and procedures should be fully endorsed by senior management, and updated by the authorized individual at least annually.

6. Training

When trying to prepare for your SSAE 16 audit, policies and procedures and training often go hand in hand. It’s essential that employees receive job-specific training to ensure full compliance with all company policies and procedures. Did all employees attend? Did all employees comprehend? Is there some kind of acknowledgement form that was signed saying they have been presented with and understand what’s expected of them as an employee? Since, for example, HR, IT, and Production are all responsible for different aspects of the business, training should be as job-specific as possible. Another type of training that is critical in the current threat landscape is security awareness training. Employees should be trained annually to keep them vigilant in understanding the types of threats that are out there.

7. Vendor Management

Vendors represent a risk to every organization. Your requirements for each vendor may vary based on the risk that vendor poses to your organization. For example, a VPN-connected vendor introduces different risks than a cleaning service. As far as managing your vendors, on-boarding and off-boarding procedures are just as critical for vendors as they are for employees. What are you going to require for the on-boarding process? A signed non-disclosure agreement? Verification that they perform background checks on their employees? Verification that they are in compliance with any relevant information security and regulatory compliance requirements? Effective policies, training, and monitoring can greatly reduce your vendor risk. Be sure to include a right-to-audit clause in your contract.

8. Physical Controls

Your physical controls address restricting access to your physical environment. These controls cover things like controlling how someone comes in and out of your facility, tracking visitors, and keeping a log. Access control systems can generate logs to verify access granted and denied. Video footage can be helpful after an incident to determine the impact. Visitor procedures are important for documenting historical events. Are there additional checkpoints or limited access once inside? Access to sensitive areas should be restricted on a strictly business-justified basis. Assessing your physical controls is important when you prepare for an SSAE 16 audit.

9. Security Controls

When we talk about controls that affect “security”, we are talking about CIA: Confidentiality, Integrity, and Availability. If an important document containing sensitive information is stolen, then the confidentiality of that document has been compromised. If you’re storing an important hardcopy document that has gotten wet and is now unreadable, then the integrity of that document has been compromised. If something has gone missing, like an important filing cabinet full of sensitive documents, but hasn’t been taken by an unauthorized person, then the availability of the documents inside the filing cabinet has been compromised. Putting administrative, technical, and physical controls in place can help you address each of those areas of security.

10. Availability Controls

Availability controls include things such as Business Continuity and Disaster Recovery Plans. These are critical for maintaining availability to your customers. Other availability controls to consider when preparing for an SSAE 16 audit are data backups, network monitoring, and cross-training employees.

Companies are looking to do business with vendors who understand these issues. Being proactive about undergoing your SSAE 16 audit can mean the difference in winning your next big deal and earning the trust and respect of the clients you serve.

KirkpatrickPrice strives to be your partner. Engaging in an SSAE 16 Audit doesn’t have to be a scary thing and we are here to offer help every step of the way with recommendations and resources to help strengthen your environment. If you’re ready to get some help, contact us today.


For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

Text Recap: Information Security Tips for 2015

The New Year is here, and if Information Security trends from last year are at all telling, 2015 will be a very important year to pay close attention to the security of your sensitive data. Here are 5 Information Security Tips to keep in mind to protect yourself and your organization in 2015.

  1. Cybersecurity – Organized crime in the 21st century has a new name: Cybercrime. We are all too familiar with the headlines declaring the most recent retail hack. However, in 2015, the possibility of a breach threatens not only our credit card numbers, but also healthcare information, intellectual property, personally identifiable information, and more. Now that companies are beginning to “understand” the increasing severity of these attacks, they need to fully prepare to withstand any attack by investing in security.
  2. Privacy and Regulation – Laws and regulations that mandate safeguards around the use of Personally Identifiable Information (PII) are nothing new. What’s changing? Reactionary fines have been replaced with proactive supervision: the government isn’t waiting for a breach to inspect your compliance. However, implementing appropriate safeguards only for the sake of compliance with these laws, to avoid heavy fines and penalties, can be dangerous. Privacy should be looked at from a risk-based perspective. Following these laws and regulations can help prevent loss of business and reputational harm.
  3. Vendor Management – Strategic outsourcing of consumer-focused business processes comes with significant risk. According to federal legislation, the risk itself cannot be outsourced; it must be managed. Increasing governmental scrutiny has only magnified that risk. Threats from third-party providers demand that you control the supply chain. Do you have evidence to support that your vendors are compliant?
  4. Wearable Technology – Wearable technology is everywhere. While simplifying the ability to “connect”, these new pieces of technology also introduce new risk to your organization. Be proactive about securing wearables just like any other mobile device, and make sure your BYOD policy is up-to-date and enforced. Minimize the threat of a data leak.
  5. Your Weakest Link – Your People – Everyone’s heard “you’re only as strong as your weakest link”. In the world of Information Security, this adage should be at the forefront of every business owner’s mind. Protect your people. Educate your people. Setting the tone from the top is essential when promoting healthy security awareness in the workplace. When those who “sign the checks” focus on security, everyone else will too.