4 Tips on How to Select a Quality Outsourced Vendor

By: Lori Crooks, Managing Consultant at A-LIGN As the popularity of outsourcing parts of information technology functions continue to grow, one common concern still remains: How do you know that you are partnering with a quality vendor? Below are a few tips that we have learned from our experience, in…

Read More

CSA Integrates Cloud Controls Matrix with SOC 2 Reports for Cloud Providers

By: Peter Clarke, Senior Consultant at A-LIGN The AICPA recently released an Illustrative Type 2 SOC 2 Report to assist auditors in reporting on the suitability of design and operating effectiveness on cloud security providers. The Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) builds upon the AICPA’s Trust Services…

Read More

5 Steps to Succeed in Your Next Compliance Audit

By: Jay Anthony, President of Audit Liaison, PA Your organization has determined that there is a need for a compliance audit. But you have so many questions or don’t know where to start? A-LIGN has asked us to put together a short guide to help you decide the correct course…

Read More

7 New COSO Updates that Impact Your SSAE 16 Report

By: Scott Price, Managing Partner of A-LIGN The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its “Internal Control – Integrated Framework” in May, 2013. The changes are a progressive move to align its framework with today’s business operating environment, much like the change from SAS 70 to SOC 1/SSAE 16. As technology and business practices evolve, organizations need updated guidance on how and what to address in their internal controls.

Read More

Trust Services Principles Update and Impact on SOC 2

By: Sara McLane, Senior Auditor at A-LIGN In February of 2014, the AICPA released the new Trust Services Principles and Criteria (TSP) for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The updated TSP will have a positive effect on our clients and other organizations obtaining a SOC 2 report by increasing the clarity for readers and users of the report. The updated TSP also reduces the appearance of redundancy. The TSP is now broken into two key components. The first major component is the common criteria. These criterions are applicable to Security, Availability, Processing Integrity, and Confidentiality. The Privacy criterions are set forth by the Generally Accepted Privacy Principles (GAPP) and are currently under revision to be released separately. The common criteria are now comprised of seven categories whereas the prior version of the TSP had four categories: policies, communications, procedures, and monitoring.

Read More

Accredited vs Unaccredited ISO 27001 Certification – Does it Matter?

By: Gene Geiger, Partner of A-LIGN Security and Compliance Services ISO 27001, published by the International Organization for Standardization, is a comprehensive information security standard that defines processes and controls that should be in place for the information security management system (“ISMS”) to protect the sensitive data and technology in your environment. Once these processes and controls are implemented and the ISMS is up and running you are ready to have those processes and controls audited by an outside security company. The certification audit is performed by a certification body (“CB”), like A-LIGN, to assess the conformity of your ISMS with the documented standard. 

Read More

Updating the SOC 1 System Description

By: Sue Wells, Senior Consultant at A-LIGN In preparation for a SOC 1 audit, a service organization’s management is required to provide a system description per the SSAE 16 auditing standards. Until recently, little guidance had been provided to assist service organization management in preparing the system description. In January 2014, the AICPA’s Information Management and Technology Assurance section issued the following whitepaper, “CPAs Guide to Developing the System Description for a SOC 1 Engagement.” To assist organizations with a suitable development of a system description for SOC 1 reports, we have created an outline to easily break down the AICPA’s new guide.

Read More

A 3-Step Guide for Dealing with Consumer Complaints in the Collections Industry

By: Neil Gonsalves, Director One of the ongoing issues for the ARM and collections industry is the ever-present complaint process. Our clients ask themselves: Are we handling our complaints appropriately? Are the complaints legitimate? How do we resolve complaints? What are we really responsible for? Little overwhelming? Here at A-LIGN, we want our clients to comply with the guidelines established by the Consumer Financial Protection Bureau (CFPB) and have created a simple step-by-step guide to help initiate a process to control complaints effectively.

Read More

What Everyone Should Take Away from the Recent Retail Breaches

By: Gene Geiger, Partner of A-LIGN Recent Retail Breaches – What Should You Do When news of the Target breach was announced, in the middle of the holiday shopping season, it made headlines and re-kindled the debate on payment card data security and more specifically, the effectiveness of the PCI Data Security Standard (“PCI DSS”), which was established to protect payment card data. This debate has only intensified as news of breaches at other major retailers has surfaced. So what went wrong? How were millions of records exposed? You don’t have to go very far to find the finger pointing and criticism of everyone involved, including Target, the PCI Security Standards Council (“PCI SSC”) and the core infrastructure used in the payment card industry. These discussions will continue and additional guidance may be produced, but at the end of the day, the clients I speak with want to know one thing “What should we do?” Outlined below are some thoughts I would like to share on how to increase the security in your environment.

Read More