Becky McCarty

Data security refers to the controls implemented by a company to protect its data from unauthorized access, corruption, and theft. A good control environment around data security isn’t built on trust alone; it’s built on a combination of controls that are operating effectively, allowing corroboration and adequate oversight. Behind the polished “Security” page of many [...]

Auditors performing SOC examinations routinely test security controls over mobile devices and change management controls over mobile applications. It is not unusual in our experience for an auditor to identify that regular patching is not occurring and not up to date, antivirus / antimalware software is not installed, weak password policies are in use, and [...]

A service organization may have a number of vendors and subservice organizations engaged to assist it in meeting its objectives or achieving the service commitments to its user entities, along with the system requirements necessary to do so. This article will explain the difference between a vendor and a subservice organization and provide some tips [...]

PCI compliance refers to an entity implementing the data security standards promulgated by the Payment Card Industry (PCI). The PCI Data Security Standard (DSS) applies to organizations involved with payment card processing, including merchants, processors, acquirers, issuers, and service providers that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). If your [...]

Internal and external audits, while sharing some common elements, serve distinct purposes in an organization. In this blog, we will explain the key characteristics of each type of audit and examine how they overlap, as well as where they differ, to provide a greater understanding for our readers. What is An Internal Audit? An internal [...]

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework and the AICPA Trust Services Criteria are two control frameworks that are used to assess and improve the effectiveness of internal controls. While the COSO Principles are more general in nature, the AICPA Trust Services Criteria are more specific to outsourced service [...]

In today’s digital world and with many individuals working remotely and executing transactions over the internet, you may wonder how secure your connection is and if your information and that of your employer remain private. Unscrupulous individuals want your sensitive private data such as your personally identifiable information (PII) and your electronic protected health information [...]

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 internal control framework includes five COSO components and 17 COSO principles and is part of the common criteria included in a SOC 2 assessment. The five COSO components include the following: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. For [...]

Imagine that your system is under attack and your customers are unable to access your system because of this disruption in service. What do you do next and how do you respond? This is where incident management comes into play. An effective incident management process and incident response plan helps to return your system to [...]

What is IT Change Management? IT change management is a standardized end-to-end process that enables changes, including application, infrastructure, and configuration changes, to be deployed to a production IT environment in a controlled and consistently repeatable manner. IT change management provides the mechanism or workflow that makes sure only authorized changes are made to production. [...]