Colocation & Managed Services

Integrated Audit of Financial Statements – Relevance of an SSAE 16 Report

  Over the many years, while I have been working with companies as their Independent Service Auditor to help issue their SAS 70s / SSAE 16 reports, I have also been on the other side of the fence wherein I was part of the team responsible for the Audit of the Financial Statements of a company that used the SAS 70 / SSAE 16 report.  I thought it may be useful to individuals reading this blog to get an understanding of how the SSAE 16 report links to an audit of financial statements more specifically under Sarbanes Oxley.  Since SAS 70 as a standard is no longer in existence, I will refer to only SSAE through the rest of this blog.

Read More

Too many SSAE 16 audit detours?

  Does your Auditor offer: fixed fees? NO out-of-pocket expenses? a declining fee structure? over 250 SOC Audits of experience? the draft report within 10 days of completion? responds to your calls and emails on the same day?   If your current CPA firm is not meeting these standards,…

Read More

Why do my clients ask me for a SOC 1/SSAE 16 Report?

Let’s spend a few minutes getting back to basics. Why do your clients ask for a SOC 1/SSAE 16 report to be provided?  Your clients ask because their auditors probably asked for it.  So why do your auditors ask for this report?  The roots for SSAE 16 can be traced back to SAS 70 and even further to SAS 55.  The understanding of internal controls is a fundamental component of performing a financial audit.  I spent time early in my career in the financial audit department which helps me explain to companies why a SOC 1/SSAE 16 report would be applicable or not to the company.  In performing a financial audit, the auditor makes inquires of the company regarding their internal controls. Having an understanding of the internal control over financial reporting is a required component for the auditor to perform.  If a service has been outsourced to another company, the auditor is required to understand the internal controls. This is so that they can understand the internal controls and assess control risk accordingly.

Read More

A-LIGN Security and Compliance Services To Present Webinar, “Reducing Audit Impact by A-LIGNing PCI DSS, SOC 1 & 2 Requirements”

Gene Geiger, Director at A-LIGN Security and Compliance Services will present a webinar to share practical recommendations for improving overall audit efficiency which will lead to reduced audit impact, audit costs and audit fatigue. The presentation will take place on April 18, 2012 from 1-2 pm EST. All individuals/organizations are…

Read More

Evaluating Managed Service Providers’ PCI DSS Compliance

You need a managed service provider to outsource information technology services for your organization, but since you are in the payment card industry, they will need to be PCI DSS compliant. So you Google the service you need, compile a list of possible vendors, review their website and see that critical PCI DSS logo, so you are good-to-go, right? Maybe. The PCI Data Security Standard (“DSS”) is a set of information security standards published by the PCI Security Standards Council (“SSC”) for companies that store, process or transmit cardholder data. The PCI DSS includes twelve requirements that companies are required to implement in order to be PCI DSS compliant. When considering PCI DSS compliant service providers it is critical to understand which of their service offerings have been validated as PCI DSS compliant and which requirements were included in the assessment. If I had a nickel for every time a client said “they are PCI DSS so we are OK” I could buy a gallon of gas.

Read More

Impact of the HITECH Act on HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") introduced Privacy and Security regulations to protect protected health information (“PHI”). HIPAA was primarily directed at healthcare providers, health care clearinghouses or health plans (such as an insurance company), which are referred to as covered entities (“CE”). As part of the American Recovery and Reinvestment Act of 2009 the Health Information Technology for Economic and Clinical Health Act (“HITECH”) expanded the reach and penalties related to HIPAA compliance. Two of the key areas where HITECH impacts companies’ HIPAA compliance relate to the requirements of Business Associate (“BA”) and the requirement for federal breach reporting requirements for HIPAA CE’s and BA’s.

Read More

Impact of the HITECH Act on HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") introduced Privacy and Security regulations to protect protected health information (“PHI”). HIPAA was primarily directed at healthcare providers, health care clearinghouses or health plans (such as an insurance company), which are referred to as covered entities (“CE”). As part of the American Recovery and Reinvestment Act of 2009 the Health Information Technology for Economic and Clinical Health Act (“HITECH”) expanded the reach and penalties related to HIPAA compliance. Two of the key areas where HITECH impacts companies’ HIPAA compliance relate to the requirements of Business Associate (“BA”) and the requirement for federal breach reporting requirements for HIPAA CE’s and BA’s.

Read More

ISAE 3402 – A Global Standard for a Global Marketplace

As companies emerge in an ever growing global economy newly adopted accounting principles and standards allow potential clients insight into the prospective organization.  The new globally accepted framework, International Standards for Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization creates transparency and more clarity when reporting on controls at service organizations.  SAS 70, the standard used globally by many practitioners, was superseded because it had been showing its limitations for a number of years, due in large part that it was a U.S. based standard and was not always meeting the ever-growing and complex reporting requirements for international service organizations.

Read More

The Value of SOC 2

If your service organization processes customer transactions that impact financial reporting, such as payroll or other financial reporting functions, you are more than likely familiar with the SSAE 16 SOC 1 report and its predecessor the SAS 70. Your customer’s auditors request the SAS 70, now the SSAE 16, every year to fulfill your customer’s year-end financial statement audit requirements. You gladly undergo the annual SSAE 16 audit so you have the report ready for your customers each year. One SSAE16 audit is worth keeping an army of customer auditors from knocking on your door asking for the same evidence of internal controls. More than likely the SSAE 16 is also required to meet contractual obligations to your customers. So to reduce the number of audits you have to endure each year, to meeting contractual obligations and also to get an independent evaluation of your internal controls, you engaged a CPA firm to perform the SSAE 16 audit.

Read More

Cloud Computing and SOC 2

As more businesses begin to shift their interests to Cloud Computing, there are concerns regarding security-related risks.  First, let’s discuss the “Cloud”. Cloud computing is a new way of delivering computing resources, not a new technology.  Cloud computing providers give end users the ability to access applications via the internet.  As Cloud computing is achieving increased popularity, security concerns have become paramount with the adoption of this new computing model.  The effectiveness and efficiency of traditional protection mechanisms are being reconsidered as the characteristics of this innovative deployment model differ widely from those of traditional architectures.

Read More