Isaac has over 12 years of internal control and audit experience, 7 of those years were with the “Big Four” accounting firm, Ernst & Young. He was responsible for a number of SOC 1 (formerly SAS 70 and SSAE 16) audits and SOC 2 audits, internal control reviews, IT general control reviews, and Sarbanes-Oxley Section 404 attestation engagements for large SEC accelerated filers. Isaac is a certified public accountant (CPA) in the state of Utah, a certified information system security professional (CISSP) and a certified information systems auditor (CISA). He holds a Master of Science degree in Information Systems Management from Brigham Young University and a Master of Science degree in Accounting from the University of Virginia.
For many people, the words “internal audit” conjure a sense of fear and anticipation of high cost. Even under the best circumstances, having someone review your activities can be intimidating, but internal audit provides an unbiased, independent review of data and business processes.
The International Organization for Standardization (ISO) is an independent, non-governmental organization made up of members from the national standards bodies of over 160 countries that set international standards related to products and services.
This article addresses the what, when, why, and who’s related to letters of representation for audits, specifically SOC audits. What is a Letter of Representation? A letter of representation (a.k.a., representation letter, rep. letter, LOR) in audit services is a form letter from the American Institute of Certified Public Accountants typically prepared by the external […]
When we are approached by a prospective client to perform a SOC 1 (f. SSAE 16) audit, we will ask what control objectives do they want to include in the scope of the examination. In some cases, their have responded with their own question–What is a control objective? This blog will address that question as […]
There is one question on everyone’s mind when they learn that they need to get a SOC report for one of their clients—How much does a SOC audit cost? Chances are, if you are reading this, that you have the same question. There are three components that make up the total cost to get a […]
Service providers often face a common question when determining how best to report on their control environment to clients who use their services—should we use the carve-out audit or the inclusive audit method for subservice providers? As a service auditor, I’ve been asked this question multiple times by different service organizations. The short answer is—it […]
In order to perform a HITRUST assessment, you must be able to score your organization’s control environment compliance with the HITRUST CSF Maturity Model. The maturity model is used for scoring both Self-Assessments and Validated Assessments (more info). Understanding how to use the HITRUST Maturity Model to accurately rate your controls’ compliance is critical as […]
Chances are, if you are reading this, that you are considering obtaining a HITRUST Certification. This post will walk you through the HITRUST certification process. You will learn the major steps needed to prepare, be assessed, and obtain the certification. We will also highlight some of the pitfalls to avoid along the way. If you […]
Organizations flourish when they establish control environments that foster the efficient execution of operations to deliver value to its stakeholders and achieve its strategic objectives while aligning with industry best practices, laws, and regulations to manage risks facing them. This blog will help you understand 1) what a control environment is, 2) the important role […]
The ten generally accepted privacy principles that are essential to the proper protection and management of personal information are:
