SOC 2/AT 101

SOC 2: 2016 Updates and the Privacy Principle Integration

Overview of Privacy Principle and SOC 2 Updates In order to clarify and eliminate redundancy within the requirements of the trust services criteria for privacy, changes have been made to the SOC 2 privacy principle guidelines. While most of these changes are clarification-based, the addition of privacy to the common …

Read More

HITRUST Assessment Types & HITRUST Integration with SOC 2

Don’t make the climb to compliance more difficult than it has to be. With a comprehensive framework for organizations of any size, system or regulatory requirement, the HITRUST CSF allows for organizations to easily assess their current compliance while providing implementation requirements based on an organization’s risk …

Read More

Provide Peace of Mind to Lenders and Consumers with the A-LIGN Difference

The A-LIGN Difference = Peace of Mind + Trusted Advisor + Competitive Advantage Most lenders/stakeholders now ask title insurance and settlement companies to demonstrate compliance with ALTA’s Best Practices. There exists a lot of uncertainty and confusion in the industry as to how a title insurance and settlement company can …

Read More

A-LIGN’s ALTA Best Practices: Engagement Options Guide

American Land Title Association (ALTA) Best Practices: Engagement Options Most people in the industry are confused as to what to do as it comes to ALTA Best Practices assessments and are even more confused when they read so many articles in the press or hear different opinions from industry experts.

Read More

How SOC Audits Can Help Save on Errors & Omissions Insurance

As many companies look to reduce costs, one cost that continues to rise as the company grows is Errors and Omissions (E/O) insurance premiums. Both company liability and personal liability of the board of directors and owners is a topic that continues to be a focus of litigation. One of the ways a company can demonstrate they have sound controls over their control environment (which includes the tone at the top, board of directors’ participation, management oversight, etc) is to have a SOC audit conducted by a third-party auditing firm such as A-LIGN. 

Read More

Relevant Audit Selection for Cloud Providers

Just as in physical storage, cloud service providers are used to store sensitive data.  This can be anything from credit card information to personal information such as social security numbers.  There are three key cloud services:  Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).  The storage of sensitive data will inevitably lead a cloud service provider to need a specific audit performed by a third-party entity, such as A-LIGN, due to legal, regulatory and/or contractual obligations.  It is important for cloud service providers to understand its obligations first when selecting an audit.  

Read More

SOC Vendor Due Diligence for Title Agencies

The American Land Title Association (ALTA) Best Practices Framework has been developed to assist lenders in satisfying their responsibility to manage third party vendors. ALTA members advocate a safe and efficient transfer of real estate and have high standards when searching land title records and preparing insurance documents. To provide the best possible chance of avoiding land title problems, risk should be eliminated prior to insuring. As such, effective safeguards should be in place.

Read More

Does Your SOC Report Address Subservice Organizations Using the Carve Out or Inclusive Method?

By: Peter Clarke, Managing Consultant at A-LIGN A subservice organization is an entity that is used by the service organization to perform some of the services provided to customers (user entities).  An example of a common service provided by a subservice organization would be a company that offers their data center to a cloud provider (the service organization).  The service organization relies on processes and controls implemented at the subservice organization to meet the Control Objectives or Trust Services Principles of the SOC report. When a subservice organization is utilized by the service organization, there are two methods for reporting on the processes and controls at the subservice organization.  First, the processes and controls can be included as a part of the report.  This is the Inclusive method.  Second, the processes and controls can be excluded from the report.  This is the Carve Out method.  Each method requires that the service organization take steps to determine whether controls are in place and operating effectively to meet the needs of the end user (customer).

Read More

How to Differentiate Your Title Agency for Success in a Dynamic Market

By: Blaise Wabo, Senior Consultant at A-LIGN In 2012 the Consumer Financial Protection Bureau (CFPB) released a bulletin related to service providers’ oversight, in which they expect supervised banks and nonbanks (lenders) to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial …

Read More