7 New COSO Updates that Impact Your SSAE 16 Report

By: Scott Price, Managing Partner of A-LIGN

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its “Internal Control – Integrated Framework” in May 2013. The changes are a progressive move to align its framework with today’s business operating environment, much like the change from SAS 70 to SOC 1/SSAE 16. As technology and business practices evolve, organizations need updated guidance on how and what to address in their internal controls.


Trust Services Principles Update and Impact on SOC 2

By: Sara McLane, Senior Auditor at A-LIGN

In February 2014, the AICPA released the new Trust Services Principles and Criteria (TSP) for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The updated TSP will have a positive effect on our clients and other organizations obtaining a SOC 2 report by increasing clarity for readers and users of the report. The updated TSP also reduces the appearance of redundancy. The TSP is now broken into two key components. The first major component is the common criteria, which apply to Security, Availability, Processing Integrity, and Confidentiality. The Privacy criteria are set forth by the Generally Accepted Privacy Principles (GAPP) and are currently under revision, to be released separately. The common criteria now comprise seven categories, whereas the prior version of the TSP had four: policies, communications, procedures, and monitoring.


Accredited vs Unaccredited ISO 27001 Certification – Does it Matter?

By: Gene Geiger, Partner of A-LIGN Security and Compliance Services

ISO 27001, published by the International Organization for Standardization, is a comprehensive information security standard that defines the processes and controls that should be in place for an information security management system (“ISMS”) to protect the sensitive data and technology in your environment. Once these processes and controls are implemented and the ISMS is up and running, you are ready to have them audited by an outside security company. The certification audit is performed by a certification body (“CB”), like A-LIGN, to assess the conformity of your ISMS with the documented standard.


Updating the SOC 1 System Description

By: Sue Wells, Senior Consultant at A-LIGN

In preparation for a SOC 1 audit, a service organization’s management is required to provide a system description under the SSAE 16 auditing standard. Until recently, little guidance had been available to help service organization management prepare the system description. In January 2014, the AICPA’s Information Management and Technology Assurance section issued the whitepaper “CPAs Guide to Developing the System Description for a SOC 1 Engagement.” To help organizations develop a suitable system description for SOC 1 reports, we have created an outline that breaks down the AICPA’s new guide.


A 3-Step Guide for Dealing with Consumer Complaints in the Collections Industry

By: Neil Gonsalves, Director

One of the ongoing issues for the ARM and collections industry is the ever-present complaint process. Our clients ask themselves: Are we handling our complaints appropriately? Are the complaints legitimate? How do we resolve complaints? What are we really responsible for? A little overwhelming? Here at A-LIGN, we want our clients to comply with the guidelines established by the Consumer Financial Protection Bureau (CFPB), and we have created a simple step-by-step guide to help initiate a process for controlling complaints effectively.


What Everyone Should Take Away from the Recent Retail Breaches

By: Gene Geiger, Partner of A-LIGN

Recent Retail Breaches – What Should You Do?

When news of the Target breach was announced in the middle of the holiday shopping season, it made headlines and re-kindled the debate on payment card data security and, more specifically, the effectiveness of the PCI Data Security Standard (“PCI DSS”), which was established to protect payment card data. This debate has only intensified as news of breaches at other major retailers has surfaced. So what went wrong? How were millions of records exposed? You don’t have to go very far to find finger pointing and criticism of everyone involved, including Target, the PCI Security Standards Council (“PCI SSC”) and the core infrastructure used in the payment card industry. These discussions will continue and additional guidance may be produced, but at the end of the day, the clients I speak with want to know one thing: “What should we do?” Outlined below are some thoughts I would like to share on how to increase the security of your environment.


A-LIGN Becomes Data Privacy Day Champion

This year A-LIGN is participating as a Data Privacy Day (DPD) Champion. As a DPD Champion, A-LIGN recognizes and supports the principle that organizations, businesses, and government all share the responsibility of proper data management by ensuring the privacy and safeguarding of their data. Data Privacy Day is observed annually on January 28 as an international awareness effort to encourage internet users to consider the privacy implications of their online actions, motivating all companies to make the protection of privacy and data a greater priority.


A-LIGN Implements Center of Excellence Program to Improve Audit Experience

By: Scott Price, Managing Partner of A-LIGN

With the start of the new year, we introduce a new program: A-LIGN’s Center of Excellence (CoE), developed to build upon our strong client relationships and high-quality service delivery. In our efforts to continually improve our current assessment and reporting procedures, we are implementing the CoE program as a new tool to foster our growth and continued involvement within our clients’ industries, while remaining current on new and upcoming compliance needs. The program will enable us to proactively develop educational materials for our clients, explaining or outlining any updates or authoritative developments to current regulations that may affect their business. A-LIGN is already an active participant in professional and trade associations, and the focus of the CoE program will allow A-LIGN personnel to take on leadership roles within those associations.


5 Benefits of Annual Compliance Reports

By: Scott Price, Managing Partner of A-LIGN

As a leading provider of assurance, security, and compliance services, A-LIGN is often asked whether clients should have an annual examination performed. Below is a list of the five (5) benefits we have found provide the most value for our clients when considering the annual scheduling of their compliance assessment(s).
