Lois Colby

Your firm already has an ISO/IEC 27001 certificate and is considering adding the certificate offered by Cloud Security Alliance, Security Trust and Assurance Registry (CSA STAR) for ISO/IEC 27001 because it feels that opportunities to gain new clients are being lost without having the CSA STAR certificate, and to provide an additional layer of comfort [...]

From time to time my clients ask what an unqualified opinion means when discussing the opinion being issued for an attestation engagement such as a SOC 1 or SOC 2 report. It is a funny-sounding term used for attestation engagements (engagements where the auditor is issuing an opinion over the audit performed of the identified [...]

Your company, the Organization Seeking Assessment (OSA), has determined that it has to achieve CMMC Level 2 certification to be in compliance with contractual requirements with the Department of Defense (DoD) as defined in 32 CFR Part 170. An initial and critical step in attaining CMMC Level 2 certification is creating a system security plan [...]

The AICPA Auditing Standards Board issued Statement of Quality Management Standards (SQMS) No. 1 in June 2022 for CPA firms having an accounting or auditing practice, with an effective date of December 15, 2025. SQMS No. 1 supersedes Statement on Quality Control Standards No. 8, A Firm’s System of Quality Management. As a reader of [...]

A common concern being expressed by the general public and the United States government is the state of cybersecurity and the strength of the country’s ability to protect itself against a cybersecurity attack from within and without the United States. In response to this concern, the Department of Defence (DOD) has been working on the [...]

Auditors performing financial statement audits are already aware of the Public Company Accounting Oversight Board (PCAOB) auditing standard AS 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion effective for audits of fiscal years ending on or after December 15, 2017. Within this standard are the requirements [...]

With the rise of organizations providing artificial intelligence (AI) or machine learning (ML) tools and services, one has to wonder about the risks associated with those services and the security, at the very least, of the data used for and created as a result of the AI and ML services. Data considerations include the makeup [...]

In September 2020, the AICPA issued a new Statement on Standards for Attestation Engagements (SSAE) labeled as SSAE No. 21, Direct Examination Engagements. You might ask, “Why do we care about it now?” We care about it now because it is effective for all practitioners’ reports dated on or after June 15, 2022. A date [...]