Controls Advisor, LLC

 

Compliance Preparation and IT Audit

Planning, Liaison, Remediation, Testing, Certification

 

SSAE 16, PCI, HIPAA, GLBA, SOX, DRP, BCP, Penetration Testing, Internal IT Audit - Tampa, Miami, and Nationwide

 

 

Controls Advisor
FL
ph: (813) 644-2472

info@controlsadvisor.com

Twitter


Audit READY Certification Requirements

Attention IT Service Vendor:

If potential clients (or current clients) are asking whether you are routinely certified by an independent auditor, you should consider certification: it is a strong marketing tool for keeping your competitive edge in your industry.  If your clients are not subject to regulatory requirements and are not publicly traded companies subject to Sarbanes-Oxley reviews, this lower-cost alternative to SSAE 16 is a good option for you.  Use our survey to confirm you are eligible.

Getting your Audit-READY IT certification will give your organization assurance, expose you to new clients and referring organizations, and save you potential embarrassment, because you will have corrected issues before your client's auditors arrive.

 

Certification consists of a four step process:

  • PreAudit review of current business processes
  • Issues Recommendation / Remediation
  • Audit of IT Vendor Services
  • Followup Activities

 

PreAudit Review allows for the creation of the Audit Scope, IT Risk Assessment, Determination of Current Controls, Creation of Business Process Narratives, Preliminary Walkthrough audit of current controls, and recommendation for improvement prior to full audit activities.  PreAudit Review is the lengthiest part of the certification process, typically taking from 2 to 6 weeks, depending on the size and complexity of the IT environment. See certification sub-categories for each audit type to help determine the scope of your audit.

 

Issues Remediation begins with the list of issues derived from the PreAudit Review.  Although typical auditors' expectations are also listed, hands-on implementation of changes to the IT environment is the responsibility of the IT staff and business management, not of Controls Advisor.  However, we can help you find service providers to carry out your technical changes, if necessary, and we can oversee the implementation process from the audit perspective.  We can also help you create missing documentation that is required in most audits, such as:

  • Policies and Procedures
  • Business Continuity Plans
  • Business Risk Assessments and Impact Analysis
  • Change Control Logs
  • Operations/Administration Checklists
  • and more...

 

Audit of IT Vendor Services begins after the organization has remediated issues and solidified the IT controls environment.  Audits typically take from 1 to 3 weeks, depending on the size of the organization and the complexity of the IT environment. An audit report can still be issued, but if a significant number of issues is found we cannot provide certification without a follow-up review (see the exception marked ** below).  NOTE: To receive certification, a 'HIGH' level of assurance, with no significant issues, must be reached. See exception below.**

 

Follow-up Activities required for certification include:

  1. Annual surveys related to customer service from 5% of IT Service clients (with a minimum of 2 clients) using ongoing services, not single projects.  Surveys and samples must be approved or obtained by Controls Advisor.
  2. A survey score of 90 or above from each of the sampled IT Service clients
  3. Disclosure statement of relationship between IT Service vendor and its sample clients
  4. Permission to display the contact information of the certified organization in a directory of IT Service vendors on Controls Advisor's website.  A web page link exchange between Controls Advisor and the certified organization is desired and will ensure top priority in the directory.
  5. An annual audit, taking place no more than 14 months after the original audit’s month/day, is required to maintain status and recertification*

 

* Marked follow-up items are not included in the price of the original audit/certification process

 

** If an organization fails to reach a 'HIGH' level of assurance during the audit, Controls Advisor can conduct a follow-up review within the organization's same/current audit period (prior to the same year-end as the first audit).* The follow-up will re-test only the deficiencies found during the original audit.  If the follow-up shows that all deficiencies were remedied, or that mitigating controls were put in place and are effective, a READY certification can be granted, pending the auditor's recommendation.  Nevertheless, an annual audit, taking place between 12 and 14 months after the original audit, is required to maintain certification.*

Copyright 2009 Controls Advisor. All rights reserved.
