About Maggie Cheney (Partner | CRISC)

Maggie Cheney (Partner | CRISC)

Maggie spent nearly 10 years in KPMG’s IT Advisory and Attestation practice before joining a financial technology company as the Risk and Compliance Director.  She has overseen numerous SOC 1 / SOC 2 audits and other IT Compliance audits and has vast experience implementing risk management and IT compliance solutions. She is Certified in Risk and Information Systems Control (CRISC) and obtained a Bachelor of Science in Business Administration, Finance, from the University of Colorado at Boulder. 

ALL ARTICLES BY Maggie Cheney (Partner | CRISC):
Operational risk management

What is Operational Risk Management? Expert Guidance for Managing Risk

What is operational risk management? And why is operational risk important? Simply defined, operational risk management is a continual process performed to identify and manage the risks inherent to running a business. Risk is fundamental to operating a business, and all businesses have to manage risk of all types, ranging from financial to operational to […]

Understanding the NIST privacy framework

Understanding the NIST Privacy Framework: Insights from an Auditor

What is NIST, and why is it important? The National Institute of Standards and Technology (NIST) is a government agency whose mission is to “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” NIST was established in 1901 […]

Information security governance framework

Information Security Governance: Guidance for IT Compliance Frameworks

I’ll be the first to admit that buzzwords like “information security governance,” “cyber security organizational structure,” and “information security organizational structure” can sound like trendy but otherwise meaningless concepts. My goal is to explain what information security governance is in a way that helps you not only understand the goals of information security governance, but […]

Deconstructing SSAE 18/SOC 1/SOC 2 (formerly SAS 70)

Deconstructing SSAE 18/SOC 1/SOC 2 (formerly known as SAS 70 / SSAE 16) Audit Reports

Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors. These reports come out once a year, typically in the late Fall. While most organizations do a good job of recognizing the need to request these reports, often they are not properly reviewed and evaluated when received. So, what do you do with the report once it has been received other than give it the internal and external auditors?

Understanding the limitations of internal control

Understanding the Limitations of Internal Controls – Learning to Mitigate Your Risk

You just received the draft SOC 1 or SOC 2 report from your auditor and as you’re scrolling through the opinion, you notice a reference to “Inherent Limitations.”  Inherent Limitations? Is your SOC report suggesting your controls are inadequate? Your auditor is not telling the world you have weak controls; however, every auditor opinion will reference […]

SOC audit failure

SOC Audit Failure: Common Audit Mistakes to Avoid

In performing SOC audits for Linford & CO, the clear majority of organizations do a great job providing reasonable assurance they are meeting all their controls. But I wanted to hit on a list of seven common mistakes that seem to pop up to hopefully help your organization identify them before they become