
The Schellman Blog

Stay up to date with the latest compliance news from the Schellman blog.

FAQs

SOC & Attestations | FAQs | SSAE 16 / ISAE 3402

By: Schellman
December 14th, 2015

The International Auditing and Assurance Standards Board’s (IAASB) International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization, became effective in 2011. The standard allows accounting firms to issue attestation reports on controls at service organizations with international operations that are relevant to user entities’ internal control over financial reporting.

FAQs | HITRUST | Privacy Assessments

By: Gary Nelson
December 7th, 2015

What is the difference between a HITRUST validated report and a HITRUST certification? The HITRUST Validated report and HITRUST Certification both begin with an organization engaging a CSF Assessor firm to audit against the in-scope CSF controls for the system. The in-scope CSF controls are derived from the details entered in the risk-based questionnaire section (Factors tab) of the myCSF tool. Within those controls, HITRUST has designated 64 specific controls, covered under 19 different assessment domains, that are required for HITRUST Certification. In order to obtain the HITRUST certification, any control that scores less than a 3+ requires a corrective action plan.

FAQs

By: Schellman
November 30th, 2015

My SOC 2 auditor says that we must include security checkpoints in our SDLC. If we have a really good security process in place and review the code for security issues, why do we still need segregation of duties?

FAQs

By: Schellman
November 23rd, 2015

Do audits allow for operations administrators to have write access to both the source code libraries and the ability to implement changes, or is the risk primarily the reverse with developers having access to implement? I’ve heard both are bad.

FAQs

By: Ryan Mackie
February 2nd, 2015

When referring to SSAE 16 or SOC 1, what is the difference and how do you use these acronyms appropriately? Simply put, the SSAE No. 16 standard is the attestation standard used to create a SOC 1 branded report. There are several SSAEs (Statements on Standards for Attestation Engagements) for various types of reports; No. 16 happens to be the one that applies to, and is used to perform, an attestation on a service organization’s controls that are likely to impact its customers’ internal control over financial reporting. The terms are often used interchangeably because of their relationship, but they are different.

SOC & Attestations | FAQs

By: Scott Zelko
November 10th, 2014

NOTE: Schellman recently updated this content to be more in-depth and to address how an organization may choose its report type. You can find that information here. There are two types of SOC 1 reports. The service organization is responsible for specifying whether a “Type 1” or a “Type 2” report will be performed.

FAQs

By: Stephen Halbrook
June 9th, 2014

When performing walkthroughs and interviews during our audits, organizations often ask what the difference is between BCP, DRP, and BCDR.