State Lottery

Understanding the Impact of Testing Exceptions in Type 2 SOC 1 and SOC 2 Reports

By: Ivan Reyes, Senior Consultant at A-LIGN

Standards for Attestation Engagements No. 16 (“SSAE 16”) is an attestation standard whereby a service organization’s auditor issues an opinion on a service organization’s internal controls over financial reporting (ICFR). This is delivered in the form of a Service Organization Controls 1 (“SOC…

3 Step Guide on How To Avoid Data Breaches Through Soft Targets

By: Chris Berberich, Senior Consultant and Penetration Tester at A-LIGN

In the real world of budgets and limited personnel, prioritizing security resources is a must. For the majority of companies who depend on IT resources, prioritizing information security resources is based on the significance of an asset to their overall…

CSA Integrates Cloud Controls Matrix with SOC 2 Reports for Cloud Providers

By: Peter Clarke, Senior Consultant at A-LIGN

The AICPA recently released an Illustrative Type 2 SOC 2 Report to assist auditors in reporting on the suitability of design and operating effectiveness on cloud security providers. The Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) builds upon the AICPA’s Trust Services…

7 New COSO Updates that Impact Your SSAE 16 Report

By: Scott Price, Managing Partner of A-LIGN

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its “Internal Control – Integrated Framework” in May, 2013. The changes are a progressive move to align its framework with today’s business operating environment, much like the change from SAS 70 to SOC 1/SSAE 16. As technology and business practices evolve, organizations need updated guidance on how and what to address in their internal controls.

Accredited vs Unaccredited ISO 27001 Certification – Does it Matter?

By: Gene Geiger, Partner of A-LIGN Security and Compliance Services

ISO 27001, published by the International Organization for Standardization, is a comprehensive information security standard that defines processes and controls that should be in place for the information security management system (“ISMS”) to protect the sensitive data and technology in your environment. Once these processes and controls are implemented and the ISMS is up and running, you are ready to have those processes and controls audited by an outside security company. The certification audit is performed by a certification body (“CB”), like A-LIGN, to assess the conformity of your ISMS with the documented standard.

Updating the SOC 1 System Description

By: Sue Wells, Senior Consultant at A-LIGN

In preparation for a SOC 1 audit, a service organization’s management is required to provide a system description per the SSAE 16 auditing standards. Until recently, little guidance had been provided to assist service organization management in preparing the system description. In January 2014, the AICPA’s Information Management and Technology Assurance section issued the following whitepaper, “CPAs Guide to Developing the System Description for a SOC 1 Engagement.” To assist organizations with a suitable development of a system description for SOC 1 reports, we have created an outline to easily break down the AICPA’s new guide.

What Everyone Should Take Away from the Recent Retail Breaches

By: Gene Geiger, Partner of A-LIGN

Recent Retail Breaches – What Should You Do

When news of the Target breach was announced, in the middle of the holiday shopping season, it made headlines and re-kindled the debate on payment card data security and, more specifically, the effectiveness of the PCI Data Security Standard (“PCI DSS”), which was established to protect payment card data. This debate has only intensified as news of breaches at other major retailers has surfaced. So what went wrong? How were millions of records exposed? You don’t have to go very far to find the finger pointing and criticism of everyone involved, including Target, the PCI Security Standards Council (“PCI SSC”) and the core infrastructure used in the payment card industry. These discussions will continue and additional guidance may be produced, but at the end of the day, the clients I speak with want to know one thing: “What should we do?” Outlined below are some thoughts I would like to share on how to increase the security in your environment.

How Subservice Organizations Impact SSAE 16 Reports

By: Scott Price, Managing Partner of A-LIGN

Determine whether your SSAE 16 Report is saving your client money or costing them! With year-end financial audits fast approaching, your clients will soon be requesting your SSAE 16 report. Why? This is because your SSAE 16 reports will allow your client’s financial auditors to determine if they need to perform additional testing or if they can utilize the report for their year-end financial audit. If the latter option happens to be the case, your SSAE 16 report will save your clients both time and money. Now, aren’t you efficient?

Ask A-LIGN: When receiving our first SSAE 16 audit, if the auditors find minor mistakes, will we have the opportunity to correct them?

By: Scott Price, Managing Partner of A-LIGN

Answer: I hear this question often, and my answer is, “it depends.” I realize this is not the response most of you were hoping for, but I will elaborate. If your audit is a Type 1 SSAE 16, you can elect to have the review date of the report dated for when the service organization has remediated all deficiencies found in the controls. This is one of the main reasons why service organizations like to start with a Type 1 audit. However, in the same breath, the user community sees the limitations of a Type 1 since it only gives assurance at a specific point in time. It is a snapshot.
