Preparing your Collection Agency for the CFPB Examination

By: Neil Gonsalves, Director at A-LIGN

OVERVIEW

On October 24, 2012, the Consumer Financial Protection Bureau (CFPB) published a rule that would allow the CFPB to federally supervise the larger consumer debt collectors/collection agencies. One of the main objectives of the CFPB Examination is to help ensure that consumers who are affected by the debt collection process are treated fairly. The CFPB’s supervision authority over these debt collectors/collection agencies took effect on January 2, 2013. Under the rule, any firm that has more than $10 million in annual receipts from consumer debt collection activities is subject to the CFPB’s supervisory authority. The CFPB may adopt a risk-based approach focusing on debt collectors/collection agencies that pose a heightened risk to consumers, based on information available from regulators, complaints, litigation, and media, among other sources.


Ask A-LIGN: What is the difference between a SOC logo and a SOC seal?

By: Scott Price, Managing Partner of A-LIGN

Answer: Misuse of Service Organization Control (SOC) terminology is a common mishap in the marketplace. When it comes to the use of the SOC logo or seal, many tend to assume the terms mean the same thing (six of one, half a dozen of the other), but in reality they are classified as entirely different entities. Let me explain…



Ask A-LIGN: What is the difference between a Penetration Test and a Vulnerability Assessment?

By: Gene Geiger, Partner of A-LIGN Security and Compliance Services

A square is a rectangle, but a rectangle is not a square. That saying always confused me in school and reminds me of the confusion in the marketplace between vulnerability assessments and penetration tests. A penetration test is a vulnerability assessment, but a vulnerability assessment is not a penetration test. As I speak to organizations that want to test the security of their technology infrastructure, I ask, “Do you want a vulnerability assessment or a penetration test?” I receive responses ranging from “aren’t they the same” to “I don’t know you tell me”. There are key differences between the two depending upon the purpose of the project. I would like to outline the purpose of the two projects and when you would select each.


Ask A-LIGN: Is SSAE 16 a Certification?

Answer: No, SSAE 16 is not a certification. Here’s why: It is incorrect to say that you are SSAE 16 certified, because there is not a certification awarded to you after the engagement. The appropriate wording would be to state, “we have received an unqualified (Type 1 or Type 2) SSAE 16 report as a result of a service auditor performing an audit in accordance with SSAE 16 on the services within the scope of our review.” Once we have issued a final report to our clients, we will then issue the AICPA SOC Logo Guidelines form. The guidelines will explain exactly who can use the logo, how to use it appropriately, and when you must end the use or display of the logo.


A-LIGN 2013 Community Commitment

A-LIGN is proud to employ some of the most talented professionals in the industry, who also dedicate their skills and talents to our community. Giving back to the community is a quality we value highly for all employees, and in an effort to make volunteering more accessible, A-LIGN will now offer ‘community service days’ for all employees interested in participating. A-LIGN is allowing one business day out of the month for employees to volunteer at any charity of their choosing.


Ask A-LIGN: Why is the SAS 70 audit still asked for? I thought it no longer existed?

Answer: Correct. The SAS 70 audit has been out of existence since June 15, 2011. Many organizations are still being asked for SAS 70, frankly, because of its nearly 20-year existence and a lack of education surrounding the change of the standard. Here’s why: Since SAS 70 has been around nearly 20 years, its terminology seems stuck in the written agreements of many organizations that have long-term contractual obligations. Transitioning SAS 70 out of audit terminology is going to take an effort from the profession, as well as publicity of the profession, to make sure that these organizations understand SSAE 16, its replacement of SAS 70, and what it brings to the table to align it more with an assertion-based report rather than a direct reporting on the controls.


Happy Holidays from A-LIGN

At the close of another year, we gratefully pause to wish you a warm and happy holiday season.   …


Ask A-LIGN: Is my Organization Required to Obtain a Type 2 SSAE 16 Examination Annually?

Answer: This is a question we are asked frequently by our clients and prospective clients, and the answer is: It Depends. Here’s why: The SSAE 16 guidance states that the period of review, or time frame that the report covers, should be at least six (6) months in the case of a Type 2 SSAE 16 examination.  While this standard sets a minimum period of review, it can be set to cover any period of time over 6 months – i.e., six months, nine months or one year.
