Data classification is the underlying focal point of many compliance standards and requirements. Identifying, categorizing, and maintaining data protection can help achieve compliance requirements, reduce legal risk, prioritize the implementation of security controls, and in turn effectively allocate resources. What Is Data Classification & Why Is it Important? Knowing what data your organization collects, uses, […]
About Maggie Cheney (Partner | CRISC)
Maggie spent nearly 10 years in KPMG’s IT Advisory and Attestation practice before joining a financial technology company as the Risk and Compliance Director. She has overseen numerous SOC 1 / SOC 2 audits and other IT Compliance audits and has vast experience implementing risk management and IT compliance solutions. She is Certified in Risk and Information Systems Control (CRISC) and obtained a Bachelor of Science in Business Administration, Finance, from the University of Colorado at Boulder.
Audit Engagement Letters & Required Audit Terms: Tips for Preparation
Most people have some degree of familiarity with contracts, but the nuances of contractual requirements related to an audit engagement are not always understood. If you are looking to engage an auditor, or if you have an existing engagement letter with an auditor, it is important to understand these nuances and the requirements for audit […]
What is Operational Risk Management? Expert Guidance for Managing Risk
What is operational risk management? And why is operational risk important? Simply defined, operational risk management is a continual process performed to identify and manage the risks inherent to running a business. Risk is fundamental to operating a business, and all businesses have to manage risk of all types, ranging from financial to operational to […]
Understanding the NIST Privacy Framework: Insights from an Auditor
What is NIST, and why is it important? The National Institute of Standards and Technology (NIST) is a government agency whose mission is to “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” NIST was established in 1901 […]
Information Security Governance: Guidance for IT Compliance Frameworks
I’ll be the first to admit that buzzwords like “information security governance,” “cyber security organizational structure,” and “information security organizational structure” can sound like trendy but otherwise meaningless concepts. My goal is to explain what information security governance is in a way that helps you not only understand the goals of information security governance, but […]
Audit Risk 101: An Auditor’s Guide to Understanding Audit Risk
Of all the day-to-day priorities and to-do’s, worrying about audit risk probably has not risen to the top of your list. Should it? Maybe “out of sight, out of mind” is a better approach? It seems like a boring thing to think about, and you probably have more pressing matters on your mind. While this […]
What is the NIST Cybersecurity Framework & How Does SOC 2 Map to It?
NIST 800-53, ISO 27001, PCI, HITRUST, HIPAA, SOC 1, SOC 2, GDPR, CCPA…who needs another compliance framework? It’s an acronym soup, and who can keep them all straight anyway? I’m here to make the case that you may just have room for one more – the NIST Cybersecurity Framework (CSF), particularly if you’re seeking SOC […]
Management Responsibility in an Audit – Who Does What in a SOC Audit?
“What are the responsibilities of management and the auditor in relation to internal control?” is a question we often hear from our clients and potential clients. We’ve talked a lot about what the auditor’s responsibilities are in an audit, but what about company management’s responsibilities in an audit? If you sign up for a SOC […]
Deconstructing SSAE 18/SOC 1/SOC 2 (formerly known as SAS 70 / SSAE 16) Audit Reports
Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors. These reports come out once a year, typically in the late Fall. While most organizations do a good job of recognizing the need to request these reports, often they are not properly reviewed and evaluated when received. So, what do you do with the report once it has been received other than give it the internal and external auditors?
Understanding the Limitations of Internal Controls – Learning to Mitigate Your Risk
You just received the draft SOC 1 or SOC 2 report from your auditor and as you’re scrolling through the opinion, you notice a reference to “Inherent Limitations.” Inherent Limitations? Is your SOC report suggesting your controls are inadequate? Your auditor is not telling the world you have weak controls; however, every auditor opinion will reference […]