Happy Thanksgiving!

At A-LIGN we never want to overlook an opportunity to appreciate all of our clients, partners, and friends.  Thanksgiving is the perfect time of year to tell you how grateful we are for your business and for the many relationships we continue to build.  We hope that you have a…


A-LIGN: Raising Money for Junior Achievement (JA)

A-LIGN will be participating in this year’s 2012 JA Stars & Strikes Bowl-A-Thon on November 10, 2012. By supporting the Bowl-A-Thon, A-LIGN is helping to fund Junior Achievement’s programs, which aim to empower students from grades K-12 in the Tampa Bay area. Programs include work-readiness, entrepreneurship and financial literacy skills. A-LIGN is proud to employ some of the most talented professionals in the industry, who also dedicate their skills and talents to our community. Scott Price, A-LIGN's Managing Director, has been on the board of Junior Achievement for the past 10 years.


Bundling your Compliance Needs

At A-LIGN we continue to develop our service offerings to better meet our clients' needs. If you are required to comply with multiple compliance standards, we are able to offer bundled engagements that take advantage of the overlap between the various regulatory and compliance standards. We provide our clients with the ability to deal with one audit firm for all of their compliance needs. This approach can reduce the overall impact of the audit on your organization while reducing the engagement fees.


Which Cloud Holds My Data?

One of the discussions brought up at this year’s AICPA Service Organization Controls (SOC) School was the issue of cloud computing and the effects it has on industries that are subject to a SOC 1 or SOC 2 audit. When it comes to cloud computing, subservice organizations may be involved in providing operations that a service organization would otherwise perform itself. This relationship is where the service organization and user entity could find themselves at risk. As experienced service auditors, we are able to look at the risks involved with the subservice organization's footprint and determine the best course of action for our service organization, i.e. our clients.


PCI DSS Requirement 6.2 Risk Ranking Vulnerabilities – Is your organization ready?

The Payment Card Industry Data Security Standard (“PCI DSS”) version 2.0, dated October 2010, became effective on January 1, 2011. There were many subtle and not so subtle changes from the previous version of the standard. The majority of the changes became effective January 1, 2011, at which point requirement 6.2 was only considered a “best practice” by the PCI DSS. As of June 30, 2012, requirement 6.2 will become a requirement. With June 30 just a few days away, if your report on compliance is not in the final stages of report issuance, you need to be prepared to comply with requirement 6.2.


Integrated Audit of Financial Statements – Relevance of an SSAE 16 Report

Over the many years that I have been working with companies as their Independent Service Auditor to help issue their SAS 70 / SSAE 16 reports, I have also been on the other side of the fence, as part of the team responsible for the audit of the financial statements of a company that used the SAS 70 / SSAE 16 report. I thought it may be useful to readers of this blog to get an understanding of how the SSAE 16 report links to an audit of financial statements, more specifically under Sarbanes-Oxley. Since SAS 70 as a standard is no longer in existence, I will refer only to SSAE 16 through the rest of this post.


Common Database Vulnerabilities and Misconfigurations

I recently attended the MIS Training Institute’s Infosec Conference held in Orlando, Florida and sat in on a presentation by Josh Shaul, Chief Technology Officer with Application Security Inc. The topic of the presentation was the top 10 most common database vulnerabilities and misconfigurations. I felt that the information was not only relevant to providing assurance of database system security when auditing, but also provided a glimpse of some of the most common and sophisticated attack methods used to compromise enterprise databases, and I wanted to pass along a few of the more important points.


Too many SSAE 16 audit detours?

Does your auditor offer: fixed fees? No out-of-pocket expenses? A declining fee structure? Over 250 SOC audits of experience? The draft report within 10 days of completion? Same-day responses to your calls and emails? If your current CPA firm is not meeting these standards,…


Why do my clients ask me for a SOC 1/SSAE 16 Report?

Let’s spend a few minutes getting back to basics. Why do your clients ask for a SOC 1/SSAE 16 report to be provided? Your clients ask because their auditors probably asked for it. So why do their auditors ask for this report? The roots of SSAE 16 can be traced back to SAS 70 and even further to SAS 55. The understanding of internal controls is a fundamental component of performing a financial audit. I spent time early in my career in the financial audit department, which helps me explain to companies whether a SOC 1/SSAE 16 report would be applicable to them. In performing a financial audit, the auditor makes inquiries of the company regarding its internal controls. Obtaining an understanding of internal control over financial reporting is a required component of the auditor's work. If a service has been outsourced to another company, the auditor is still required to understand the internal controls at that company, so that control risk can be assessed accordingly.
