Compliance Preparation and IT Audit
Planning, Liaison, Remediation, Testing, Certification
SSAE 16, PCI, HIPAA, GLBA, SOX, DRP, BCP, Penetration Testing, Internal IT Audit - Tampa, Miami, and Nationwide
Attention IT Service Vendor:
If potential clients (or current clients) are asking whether you are routinely certified by an independent auditor, you should consider certification, which can be a great marketing tool for keeping a competitive edge in your industry. If your clients are not required by regulatory agencies and are not publicly traded companies subject to Sarbanes-Oxley reviews, this lower-cost alternative to SSAE 16 is a great option for you. Use our survey to confirm you are eligible.
Getting your Audit-READY IT certification will provide your organization assurance, expose you to new clients and referring organizations, and save you potential embarrassment because you have corrected issues before your client's auditors arrive.
Certification consists of a four-step process:
PreAudit Review allows for the creation of the Audit Scope, IT Risk Assessment, Determination of Current Controls, Creation of Business Process Narratives, Preliminary Walkthrough audit of current controls, and recommendation for improvement prior to full audit activities. PreAudit Review is the lengthiest part of the certification process, typically taking from 2 to 6 weeks, depending on the size and complexity of the IT environment. See certification sub-categories for each audit type to help determine the scope of your audit.
Issues Remediation begins with the listing of issues derived from the PreAudit Review. Although typical auditors' expectations are also listed, hands-on implementation of changes to the IT environment is the responsibility of the IT staff and business management, not of Controls Advisor. However, we can help you find service providers to facilitate your technical changes, if necessary, and we can oversee the implementation process from the audit perspective. We can also help you create missing documentation which is required in most audits such as:
Audit of IT Vendor Services begins after the organization has remediated issues and solidified the IT controls environment. Audits typically take from 1 to 3 weeks, depending on the size of the organization and complexity of the IT environment. Although an audit report can be issued, if a significant number of issues are found, we cannot provide certification without a follow-up review (see follow-up item 6 below). NOTE: A 'HIGH' level of assurance must be gained, having no significant issues, to receive certification. See exception below.**
Follow-up Activities required for certification include:
* Marked follow-up items are not included in the price of the original audit/certification process
** If an organization fails to reach a ‘HIGH’ level of assurance during the audit, Controls Advisor can conduct a follow-up review within the organization's same/current audit period (prior to the same year-end as the first audit).* The follow-up will re-test only deficiencies found during the original audit. If the follow-up reveals all deficiencies were remedied, or mitigating controls were put in place and are effective, a READY certification can be granted, pending the auditor's recommendation. Nevertheless, an annual audit, taking place between 12 and 14 months after the original audit, is required to maintain certification.*