Compliance

Preparing your Collection Agency for the CFPB Examination

By: Neil Gonsalves, Director at A-LIGN OVERVIEW On October 24, 2012 the Consumer Financial Protection Bureau (CFPB) published a rule that would allow the CFPB to federally supervise the larger consumer debt collectors/collection agencies. One of the main objectives of the CFPB Examination is to ultimately help ensure that consumers that are affected by the debt collection process are treated fairly. The CFPB’s supervision authority over these debt collectors/collection agencies took effect on January 2, 2013. Under the rule, any firm that has more than $10 million in annual receipts from consumer debt collection activities are subject to the CFPB’s supervisory authority. The CFPB may adopt a risk based approach focusing on debt collectors/collection agencies that pose a heightened risk to consumers based on information available from regulators, complaints, litigation, and media among other sources.

Read More

Ask A-LIGN: What is the difference between a SOC logo and a SOC seal?

By: Scott Price, Managing Partner of A-LIGN  Answer: Misuse of Service Organization Control (SOC) terminology is a common mishap in the marketplace. When it comes to the use of the SOC logo or seal, many tend to assume the terms mean the same thing (six of one, half a dozen of the other), but in reality they are classified as entirely different entities. Let me explain…

Read More

Ask A-LIGN: Is SSAE 16 a Certification?

Answer: No, SSAE 16 is not a certification. Here’s why: It is incorrect to say that you are SSAE 16 certified, because there is not a certification awarded to you after the engagement. The appropriate wording would be to state, “we have received an unqualified (Type 1 or Type 2) SSAE 16 report as a result of a service auditor performing an audit in accordance with SSAE 16 on the services within the scope of our review.” Once we have issued a final report to our clients, we will then issue the AICPA SOC Logo Guidelines form. The guidelines will explain exactly who can use the logo, how to use it appropriately, and when you must end the use or display of the logo.

Read More

Ask A-LIGN: Why is the SAS 70 audit still asked for? I thought it no longer existed?

Answer: Correct. The SAS 70 audit has been out of existence since June 15, 2011. Many organizations are still being asked for SAS 70, frankly, due to the fact of its nearly 20-year existence and lack of education surrounding the change of the standard. Here’s Why: Since SAS 70 has been around nearly 20 years, its terminology seems stuck in the written agreements of many organizations that have long-term contractual obligations. Transitioning SAS 70 out of audit terminology is going to take an effort from the profession, as well as, publicity of the profession to make sure that these organizations understand SSAE 16, its replacement of SAS 70, and what it brings to the table to align it more with an assertion based report rather than a direct reporting on the controls.

Read More

Ask A-LIGN: Is my Organization Required to Obtain a Type 2 SSAE 16 Examination Annually?

Answer: This is a question we are asked frequently by our clients and prospective clients, and the answer is: It Depends. Here’s why: The SSAE 16 guidance states that the period of review, or time frame that the report covers, should be at least six (6) months in the case of a Type 2 SSAE 16 examination.  While this standard sets a minimum period of review, it can be set to cover any period of time over 6 months – i.e., six months, nine months or one year.

Read More

Bundling your Compliance Needs

At A-LIGN we continue to develop our service offerings to better meet our clients needs.  If you are required to comply with multiple compliance standards we are able to offer bundled engagements that take advantage of the overlap between the various regulatory and compliance standards.  We provide our clients with the ability to deal with one audit firm for all of their compliance needs. This process can reduce the overall impact of the audit to your organization while reducing the engagement fees.

Read More

PCI DSS Requirement 6.2 Risk Ranking Vulnerabilities – Is your organization ready?

The Payment Card Industry Data Security Standards (“PCI DSS”) version 2.0 dated October 2010 became effective on January 1, 2011. There were many subtle and not so subtle changes from the previous version of the standard. The majority of the change became effective January 1, 2011, when requirement 6.2 was only considered a “best practice” by the PCI DSS. As of June 30, 2012, requirement 6.2 will become a requirement. With June 30 just a few days away, if your report on compliance is not in the final stages of report issuance, you need to be prepared to comply with requirement 6.2.

Read More

PCI DSS Requirement 6.2 Risk Ranking Vulnerabilities – Is your organization ready?

The Payment Card Industry Data Security Standards (“PCI DSS”) version 2.0 dated October 2010 became effective on January 1, 2011.  There were many subtle and not so subtle changes from the previous version of the standard.  The majority of the change became effective January 1, 2011, when requirement 6.2 was only considered a “best practice” by the PCI DSS. As of June 30, 2012, requirement 6.2 will become a requirement.  With June 30 just a few days away, if your report on compliance is not in the final stages of report issuance, you need to be prepared to comply with requirement 6.2.

Read More

Integrated Audit of Financial Statements – Relevance of an SSAE 16 Report

  Over the many years, while I have been working with companies as their Independent Service Auditor to help issue their SAS 70s / SSAE 16 reports, I have also been on the other side of the fence wherein I was part of the team responsible for the Audit of the Financial Statements of a company that used the SAS 70 / SSAE 16 report.  I thought it may be useful to individuals reading this blog to get an understanding of how the SSAE 16 report links to an audit of financial statements more specifically under Sarbanes Oxley.  Since SAS 70 as a standard is no longer in existence, I will refer to only SSAE through the rest of this blog.

Read More

Too many SSAE 16 audit detours?

  Does your Auditor offer: fixed fees? NO out-of-pocket expenses? a declining fee structure? over 250 SOC Audits of experience? the draft report within 10 days of completion? responds to your calls and emails on the same day?   If your current CPA firm is not meeting these standards,…

Read More