SOC & Attestations | FAQs | SSAE 16 / ISAE 3402
By:
Schellman
December 14th, 2015
The International Auditing and Assurance Standards Board’s (IAASB) International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization, became effective in 2011. The standard allows accounting firms to issue attestation reports on user entities’ internal control over financial reporting for service organizations that have international operations..
FAQs | HITRUST | Privacy Assessments
By:
GARY NELSON
December 7th, 2015
What is the difference between a HITRUST validated report and a HITRUST certification? The HITRUST Validated report and HITRUST Certification both begin with an organization engaging a CSF Assessor firm to audit against the in-scope CSF controls for the system. Contained within the in-scope CSF controls, which are derived from the details entered in the risk based questionnaire section (Factors tab) of the myCSF tool, HITRUST has designated 64 specific controls that are required for HITRUST Certification which are covered under 19 different assessment domains . In order to obtain the HITRUST certification any control that scores less than a 3+ requires a corrective action plan.
By:
Schellman
November 30th, 2015
My SOC 2 auditor says that we must include security checkpoints in our SDLC. If we have really good security process in place and review the code for security issues, why do we still need segregation of duties?
By:
Schellman
November 23rd, 2015
Do audits allow for operations administrators to have write access to both the source code libraries and the ability to implement changes, or is the risk primarily the reverse with developers having access to implement? I’ve heard both are bad.
By:
RYAN MACKIE
February 2nd, 2015
When referring to SSAE16 or SOC 1, what is the difference and how do you use these acronyms appropriately? Simply put, the SSAE No. 16 standard is the attestation standard used to create a SOC 1 branded report. There are several SSAEs (Statements on Standards for Attestation Engagements) for various types of reports, number 16 happens to be the one that applies and is used to perform an attestation on a service organization controls likely to impact their customers’ internal controls over financial reporting. The terms are often times used interchangeably because of their relationship; but they are different.
By:
SCOTT ZELKO
November 10th, 2014
NOTE: Schellman recently updated this content to be more in-depth and address how an organization may choose its report type. You can find that information here. There are two types of SOC 1 reports. The service organization is responsible for specifying whether or not a “Type 1” or “Type 2” will be performed.
By:
STEPHEN HALBROOK
June 9th, 2014
When performing walkthroughs and interviews during our audits, organizations often ask what the difference is between BCP, DRP, and BCDR.