For any organization that stores, interprets and manages sensitive data, complying with cybersecurity requirements is of utmost importance. The most comprehensive way to test the strength and effectiveness of these systems is through a compliance assessment. Beginning this process, however, is no easy feat. There are several steps an organization should take to ensure that its audit preparation procedures meet industry standards.
Types of Compliance Audits
The first part of audit preparation involves identifying which type of audit the organization requires.
A SOC 1 report provides reasonable assurance regarding the controls that are relevant to the user entities’ internal controls over financial reporting (ICFR). An organization’s control objectives are divided between information technology and business processes. SOC 1 reports are restricted to user auditors, user entities and service organization management. Common examples of qualifying organizations include:
- Payroll Processors
- Third-Party Administrators
- Collection Agencies
- Medical Claims Processors
- Loan Servicing Companies
- Data Center Companies
- Software-as-a-Service (SaaS) Platforms
Unlike a SOC 1 report, a SOC 2 report extends beyond organizations responsible for ICFR. A SOC 2 assessment applies to service organizations that handle data and provides an attestation that the controls in place to protect that data are effective. The core of the SOC 2 report is based upon the American Institute of Certified Public Accountants (AICPA)’s Trust Services Criteria (TSC). The TSC cover relevant controls in five categories:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
ISO 27001 is an international standard for the implementation, management, and maintenance of information security within an organization. An ISO 27001 certification demonstrates that an organization’s information security management system (ISMS) conforms to the requirements of the ISO 27001 standard. Once an ISMS is implemented, the initial certification can be conducted; it consists of two audits, Stage 1 and Stage 2. During Stage 1, the certification body reviews the scope, objectives and management system documentation. Stage 2 involves testing the clauses and Annex controls to ensure that the management system is functional and conforms to the standard. After a successful initial certification, the ISO 27001 certificate is valid for three years. Organizations are then required to undergo two years of surveillance audits to ensure ongoing conformity with the clauses and Annex controls. After the ISO 27001 certificate expires, the recertification process begins again.
A PCI DSS assessment validates an organization’s level of compliance with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS applies to all service providers and merchants that store, process and/or transmit cardholder data. Formed by the five major payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and VISA International), the PCI DSS details twelve overarching technical and operational requirements for organizations to comply with. After successfully obtaining a Report on Compliance (ROC) and Attestation of Compliance (AOC) from a Qualified Security Assessor (QSA), an organization can demonstrate its commitment to payment card data security. Additionally, smaller organizations may decide to use the Self-Assessment Questionnaire (SAQ) applicable to their environment.
Penetration Tests simulate attacks on an organization’s security systems to identify underlying problems with the organization’s security posture and to show whether a malicious actor could access information within a defined amount of time. Assets such as network hosts, mobile devices and operating systems are all put through a vulnerability scan during the initial steps. The next phase involves exploitation: taking advantage of the vulnerabilities identified on the systems, which can lead to activities such as escalating privileges to gain control of the network or stealing sensitive data. Penetration Tests are divided into two categories:
- White Hat Tests: These tests are performed with full knowledge of the organization’s IT department. Information is shared with the tester, such as network diagrams, IP addresses and system configurations.
- Black Hat Tests: Black Hat Tests are intended to mimic a hacker’s attempt to gain unauthorized access to the organization’s systems. The IT/Security Department is not aware of the test, and the tester is not provided detailed information about the systems. This method is used to test the detection and monitoring capabilities of an organization; it exercises both the underlying technology and the people and processes in place to head off real-world attacks.
The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is a comprehensive and scalable framework designed for healthcare organizations and their business associates to manage regulatory compliance and risk management. To ensure a comprehensive security control baseline, the HITRUST Alliance integrated several recognized standards and regulatory requirements such as PCI DSS, ISO, NIST, HIPAA/HITECH, and COBIT. Scoping sets the stage for the HITRUST process, so a company must first assess the type and size of its organization, the systems in use and the applicable regulatory factors. After the scope has been established, the organization will need to obtain access to the MyCSF tool, which outlines the applicable control baselines for testing. During Validated and Interim assessments, organizations are scored against the control baselines and are required to demonstrate compliance at the policy, procedure, implementation, measured and managed maturity levels.
Top 8 Tips for Audit Preparation
Although compliance audits vary in how they’re performed and what they measure, there are a few common steps organizations can take during audit preparation to be ready for any and all action items they may require.
- Stay up-to-date on standards.
New compliance standards may affect an organization’s audit. Staying up-to-date on changes made to compliance requirements can ensure that an organization’s data management and tracking is within the necessary parameters. Assessing personnel awareness and compliance with new guidelines is also key.
- Review recent changes in organizational activity.
Did the organization start a new program or receive a new grant? Are there any new reporting requirements? Were any activities discontinued or were there any troubleshooting issues? Were there major changes to the internal control system? These activities — among others — may trigger reporting considerations that the auditor should be made aware of.
- Create a timeline and delegate tasks.
Any audit will require careful, precise work and preparation from both inside and outside the organization. Review the list of work papers and schedules requested by the auditor. Each item should be assigned to a corresponding team member with a due date that allows adequate time for review and correction, if need be. The most difficult and time-consuming tasks should be addressed first and foremost. Financial statements should be available to the auditor on or before the first day of fieldwork.
- Review prior audits (if applicable).
If the organization has undergone audits previously, looking over the earlier results may give both the organization and the auditors insight into areas that have improved or still require improvement. Taking stock of prior audit adjustments, internal control recommendations or earlier struggles can help identify past problem areas.
- Organize data/gather evidence ahead of fieldwork.
Having a well-organized data system is key to interpreting the results of the audit in years to come. Creating subfolders for significant cycles or categories can help keep important and relevant information grouped together for easier access and understanding. Additionally, schedules and work papers containing sensitive or classified information may need to be password-protected or maintained in a restricted network location.
- Review requests and ask questions.
Encouraging team members involved in the auditing process to ask questions is vital to its success. Auditors are generally happy to answer questions regarding the requests they’ve made, the information being assessed and other items of interest. Taking this step can help prevent easily-avoidable communication errors further into the audit, when mistakes may not be as easy to remedy.
- Be available during fieldwork.
Key personnel will need to be on-hand during the audit and audit preparation. Non-critical meetings should be rescheduled or postponed to avoid adding undue stress and responsibilities to staff members’ plates. Auditors may require additional information — including supporting documents and explanations — throughout the fieldwork stage. Arranging brief status meetings or having the auditor provide an open items list can help keep communication open between all involved parties.
- Evaluate results.
Open communication between organization members and auditors should be encouraged throughout the time between fieldwork and the issuance of the audit. If any items remain open at the end of fieldwork, both parties should establish agreed-upon dates for the information to be provided to the relevant participants. If there is any confusion regarding certain aspects of the audit, an organization may find hosting a post-audit closing meeting to be beneficial.
How to Identify the Right Partner to Conduct the Audit
There’s no shortage of auditing organizations in today’s marketplace. Choosing the right one, however, can make or break a company’s journey towards compliance.
The ideal auditing organization should have the following qualities:
- Be licensed.
First and foremost, any auditing organization a company considers should be formally qualified for whichever type of audit that is required. Many organizations will have multiple certifications, but it’s best to do thorough research before making a final decision.
- Undergo audits themselves.
Auditing organizations are hardly exempt from compliance regulations of their own. It’s vital that they undergo audits as well, to ensure their own systems and practices are secure. If their latest audit is unsatisfactory or was performed over a year ago, choosing that company may pose a risk to an organization’s own audits and compliance.
- Be properly staffed.
The size of an organization is often a large factor when it comes to choosing an auditing company. Generally speaking, auditing companies can be divided into three categories: national, regional and local firms. A study published in the International Journal of Business and Finance Research found the following:
- Audit firm size is positively related to audit quality.
- National audit firms have higher positive relationships between firm size and audit quality than regional and local audit firms.
- There is no difference in the positive relationship between audit firm size and audit quality between regional and local audit firms.
Essentially, choosing an auditing organization that has enough auditors on hand, all well-trained for whichever audit the company requires, is key to a successful and beneficial auditing process.
- Respond within 24 hours.
Due to the high-level importance of passing a compliance audit, auditors should respond to concerns and inquiries within a 24-hour period. If any auditing organization’s response time is slower than that, it can result in easily-avoidable setbacks, confusion and frustration.
- Offer premium auditing software.
Any auditing organization should be relying on the most up-to-date, efficient software possible. Is their software cloud-based? Is it certified? Is it run by a third-party vendor or in-house? Before choosing an auditor, an organization should ask for clarification on what type of software the company is using.
- Offer a comprehensive suite of services.
Not every auditing firm offers a wide range of compliance audit services. By choosing a firm that has a range of compliance audits available, an organization can save time and money by funneling all their auditing needs through the same company.
The A-LIGN Difference
A-LIGN Security and Compliance Services, an information security audit company, is founded on the key principle that an unparalleled client service experience is the greatest differentiator amongst professional service firms. A-LIGN is a HITRUST CSF Assessor firm, Qualified Security Assessor Company, Accredited ISO 27001 and ISO 22301 Certification Body, Accredited FedRAMP 3PAO and licensed CPA firm. We specialize in assisting clients in meeting industry and government requirements including PCI DSS, FISMA, FFIEC, HIPAA and ISO 27001. In addition, we provide information technology management services to assist clients with security policy development and vendor management reviews. With a unique blend of industry and audit experience, our security professionals have expertise in audit preparation and in implementing and auditing information technology controls at companies ranging in size from small organizations to Fortune 500 corporations.
Interested in scheduling a compliance audit or undergoing audit preparation for your organization? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity and compliance professionals.