The International Auditing and Assurance Standards Board’s (IAASB) International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization, became effective in 2011. The standard allows accounting firms to issue attestation reports on user entities’ internal control over financial reporting for service organizations that have international operations..

What is the difference between a HITRUST validated report and a HITRUST certification? The HITRUST Validated report and HITRUST Certification both begin with an organization engaging a CSF Assessor firm to audit against the in-scope CSF controls for the system. Contained within the in-scope CSF controls, which are derived from the details entered in the risk based questionnaire section (Factors tab) of the myCSF tool, HITRUST has designated 64 specific controls that are required for HITRUST Certification which are covered under 19 different assessment domains . In order to obtain the HITRUST certification any control that scores less than a 3+ requires a corrective action plan.

My SOC 2 auditor says that we must include security checkpoints in our SDLC. If we have really good security process in place and review the code for security issues, why do we still need segregation of duties?

Do audits allow for operations administrators to have write access to both the source code libraries and the ability to implement changes, or is the risk primarily the reverse with developers having access to implement? I’ve heard both are bad.

When referring to SSAE16 or SOC 1, what is the difference and how do you use these acronyms appropriately? Simply put, the SSAE No. 16 standard is the attestation standard used to create a SOC 1 branded report. There are several SSAEs (Statements on Standards for Attestation Engagements) for various types of reports, number 16 happens to be the one that applies and is used to perform an attestation on a service organization controls likely to impact their customers’ internal controls over financial reporting. The terms are often times used interchangeably because of their relationship; but they are different.

NOTE:  Schellman recently updated this content to be more in-depth and address how an organization may choose its report type. You can find that information here.  There are two types of SOC 1 reports. The service organization is responsible for specifying whether or not a “Type 1” or “Type 2” will be performed.

When performing walkthroughs and interviews during our audits, organizations often ask what the difference is between BCP, DRP, and BCDR.