Press Release: Colovore Receives SOC 1 Type II Report

AuditOne Inc. Press Release
From Bud Genovese, Managing Director

Independent Audit Verifies Colovore’s Controls

San Jose, CA – September 2017 – AuditOne Inc. announced that Colovore, Silicon Valley’s premier provider of high-density colocation solutions, has received its SOC 1 Type II audit. This report verifies that Colovore has sufficient controls in place to deliver high quality services to its clients.

AuditOne Inc., a licensed CPA and PCAOB registered firm, performed the audit and appropriate testing of Colovore’s controls that may affect its clients’ operations. In accordance with Statements on Standards for Attestation Engagements, the SOC 1 Type II audit report includes Colovore’s description of controls as well as the detailed testing of its controls over a twelve-month period.

“Colovore is pleased to be able to provide our clients with the highest level of confidence that we will do an exceptional job for them providing high-density colocation services that include essential controls,” said Ben Coughlin, CFO of Colovore.
“Colovore’s clients rely on them to provide colocation architectures that deliver power scalability and reliability in a controlled environment,” said Robert Kluba, Co-Director of Technology Practices with AuditOne. “As a result, Colovore has implemented best practice controls to address information security and operations risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the colocation solutions provided by Colovore.”

SOC 1 Type II reports on the controls at a service organization and was established by the American Institute of Certified Public Accountants (AICPA). The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the controls of their suppliers, including those that provide technology services.

About Colovore

Colovore is Silicon Valley’s premier provider of high-density colocation solutions that are a perfect fit for companies operating modern, high performance hardware. No other colo provider can match Colovore’s density, operating efficiency and ease of scalability. Colovore will help your TCO plummet and scalability rocket. You will be able to scale effortlessly with Colovore’s dense racks, while our pricing model will simplify your growth. https://www.colovore.com/

About AuditOne Inc.

AuditOne Inc. is a licensed, PCAOB registered CPA firm with the singular mission of providing SOC audit services. Our exclusive SOC audit focus provides you the advantage of quality, cost-effective services. AuditOne’s expert staff in information security and compliance assurance cost effectively assist clients in meeting the rigorous standards for SOC compliance. Our technical staff can help your firm meet SOC requirements with SOC controls risk assessments, network penetration testing, as well as cost effective SOC 1, SOC 2 or SOC 3 reviews. Our specialty is your edge. https://www.auditoneinc.com.

Press Release: InfoIMAGE Receives SOC 2 & SOC 3 Reports

AuditOne Inc. Press Release
From Bud Genovese, Managing Director

San Jose, CA – September 2017 – AuditOne Inc. announced that InfoIMAGE, a leading provider of integrated solutions for statement delivery, has received their SOC 2 and SOC 3 attestation reports. The completion of these engagements shows InfoIMAGE’s commitment to deliver quality services to its clients by validating they have suitable controls in place.
SOC 2 & 3 engagements are based on the AICPA’s Trust Services Principles. SOC 2 & 3 service auditor reports focus on a Service Organization’s controls. AuditOne’s service auditor report verifies the appropriateness of the design and operating effectiveness of InfoIMAGE’s controls to meet the criteria for these principles.
“As the demands for controls rise, we continually evaluate the security needs and are committed to enhancing controls to reduce risks,” said Kim Mawla, Chief Technology Officer, of InfoIMAGE.
“The SOC 2 & 3 audits are based on the Trust Services Principles. InfoIMAGE has selected the security, availability, confidentiality, and processing integrity principles for the basis of their audit,” said Robert Kluba, Technology Practices Co-Director with AuditOne. “AuditOne delivers trust based services to clients, and by conveying the results, their clients can confidently rely on InfoIMAGE’s controls.”

About InfoIMAGE

Founded in 1984, InfoIMAGE, an award-winning industry leader that specializes in business statement presentation, provides one-stop service, from data to delivery. InfoIMAGE can be your “in-house” print, design and mail-house so you can free up valuable staff and resources to focus on your core business. By investing and integrating the latest technology innovations in data management and storage, online banking and high-speed laser printers and inserters, InfoIMAGE has integrated the process of business statement presentation into an easy, user-friendly process that will save time and resources.
For nearly three decades, InfoIMAGE has specialized in high quality integrated print and electronic delivery of: Account Holder Statements, eStatement Presentation, PayeBill® – online bill presentation and payment services, eSignature- package management, Checks Images and Substitute Checks, Daily Notices and Letters, Taxable Income and Interest Forms, Reconversions, Data-targeted Direct Mail Campaigns, Data-targeted, Personalized One-to-One Marketing, Statement Inserts, Buck Slips and Coupons, and Print and Electronic Newsletters and Updates. http://www.infoimageinc.com.

About AuditOne Inc.

AuditOne Inc. is a licensed, PCAOB registered CPA firm with a sole focus of providing SOC audit services. AuditOne’s expert staff in information security cost effectively assist clients in meeting standards for SOC compliance. Our technical staff can help your firm meet SOC requirements with SOC risk assessments, network penetration tests, as well as cost effective SOC 1, SOC 2 or SOC 3 reviews. https://www.auditoneinc.com.

Press Release: Jopari Receives SOC 2 Type II Attestation Report

AuditOne Inc. Press Release
From Bud Genovese, Managing Director

Independent Audit Verifies Jopari’s Controls and Processes

San Jose, CA – July 2017 – AuditOne Inc. announced that Jopari Solutions, Inc., a leading provider of integrated eBill compliance and payment solutions to workers’ compensation, auto and health insurance industry providers and payers, has received their SOC 2 Type II attestation report. The completion of this engagement provides evidence that Jopari has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary controls and processes in place.

SOC 2 engagements are based on AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on controls as they relate to security, availability, confidentiality, and processing integrity of a system. AuditOne’s report verifies the suitability of the design and operating effectiveness of Jopari’s controls to meet the criteria for these principles.

“Performance, scale and reliability is at the foundation of all Jopari products and services. As the demands for processing controls and safeguards rise, we continually evaluate our controls to meet security needs and threats head on,” said Sherry Wilson, EVP & Chief Compliance Officer, of Jopari.
“The SOC 2 audit is based on Trust Services Principles. Jopari has selected the security, availability, confidentiality, and processing integrity principles for the basis of their audit,” said Robert Kluba, Technology Practices Co-Director with AuditOne. “AuditOne delivers trust based services to clients, and by communicating the results of this audit, their clients can be assured of reliance on Jopari’s controls.”

About Jopari

Since 2003 Jopari has spearheaded insurance industry efforts to eliminate paper and frictional costs from medical claim transactions. Jopari’s team offers unrivaled expertise in customer-centric, compliance ready digital solutions for: medical claim submission, delivery and workflow; payment and remittance processing; Attachment exchange; and status communications. All supported by intelligent portal based tracking, search, archive and audit capabilities.
Jopari’s best-of-breed electronification platform builds ROI quickly by cost-effectively modernizing end-to-end medical claim processing. Lower loss adjustment expense for Payers. Improved revenue cycle performance for Providers. Higher service levels for all. Jopari’s expanding connectivity network now links over 1,000 insurance Payers with 900,000 Providers nationally, supplying extraordinary day-one trading partner penetration to new customers while enabling competitive opportunities to our entire connected community.
Jopari is a leading customer-focused health information technology company supplying advanced medical EDI solutions to payers and providers in healthcare, workers’ compensation, auto medical and other medical services insurance markets. Jopari’s services allow the complete elimination of paper-based transactions and care-related information exchange from the business side of medical services. http://www.jopari.com

About AuditOne Inc.

AuditOne Inc. is a licensed, PCAOB registered CPA firm with a sole focus of providing SOC audit services. AuditOne’s expert staff in information security cost effectively assist clients in meeting standards for SOC compliance. Our staff can help your firm meet SOC requirements with SOC risk assessments, network penetration tests, HIPAA assessments, as well as cost effective SOC 1, SOC 2 or SOC 3 reviews. https://www.auditoneinc.com.

Advisory – AuditOne Inc Advisory SOC 1 Changes with the new SSAE 18 Standard

AuditOne Inc. Advisory
From Bud Genovese, Managing Director

Robert Kluba, Technology Practice Co-Director, AuditOne, has written an article below on the key additional requirements to complete a SOC 1 due to AICPA changes that replaced SSAE 16 with SSAE 18, effective May 1, 2017.  Please feel free to forward this advisory to any appropriate people in your firm and we hope you enjoy this important update, thank you.  –Bud

SOC 1 Summary of Changes from the SSAE 16 Standard to the SSAE 18 Standard

Service providers that store or process information for third parties should be able to provide an annual SOC (Service Organization Controls) report to customers when requested. A SOC 1 report focuses on the controls over financial reporting. If the information handled by the service provider relates to financial statements, then a SOC 1 review and report should be completed. The SOC 1, SSAE 16 format was created originally under the SSAE 16 standard which replaced the SAS 70 standard. Effective May 1, 2017, a SOC 1 report is now completed under the SSAE 18 AICPA attestation standard. The standard requires that the SOC 1 report only note “SOC 1” and should not reference or use “SSAE 18” as part of the report or title. This advisory presents the major changes that apply to SOC 1.

SOC 2 and SOC 3 reports are completed according to the AICPA Trust Service Principles. SOC 2 and SOC 3 reports are focused on the controls related to compliance and operation of the service provider. A SOC 2 or SOC 3 report provides documented assurances that operational safeguards are in place that relate to one, or all, of the following trust service principles: security, availability, processing integrity, confidentiality, or privacy. The following changes do not affect the SOC 2 and SOC 3 reports, as the SSAE 18 does not apply to them.

SSAE 18 Changes That Apply to SOC 1

Subservice Organizations:

SSAE 18 requires that service organizations implement processes that monitor the controls at subservice organizations. Under this new requirement, service organizations must state the vendor management controls they have in place for subservice providers (for example, a colocation facility).

Complementary Subservice Organization Controls:

The SSAE 18 introduces the concept of “Complementary Subservice Organization” controls which will be included in the service provider’s system description. This concept establishes and defines the controls which customers must now assume in the design of the system description. This addition to the system description is similar to the Complementary User Entity Controls section.

Signed Written Assertion Requirement:

The written assertion is the statement found within the SOC report where the service organization asserts that the system description provided is true and complete. This statement has always been contained within the SOC 1 reporting document but the requirement that the service organization signs the document was optional. Like many firms, AuditOne, Inc. has already been requiring this section to be signed by service providers as a way to strengthen the credibility of the report.

Service Auditor Risk Understanding:

The SSAE 18 requires service auditors to obtain a more in-depth understanding of the development of the subject matter than currently required, in order to better identify the risks of material misstatement in an examination engagement. This enhancement should lead to an improved understanding between assessed risks and the nature, timing, and extent of attestation procedures performed in response to those risks.

AuditOne Inc. Delivers Effective and Efficient SOC Audits

AuditOne Inc.’s skilled audit, technical and security experts deliver the highest quality, cost-effective, responsive SOC services in the industry. Please contact me or Bud Genovese to review how we can make the SOC audit an effective and efficient experience for your firm. I will be more than happy to help you understand why AuditOne Inc.’s user-friendly process and focus make it the market-leading smart choice.


Robert Kluba is the Technology Practice Co-Director of AuditOne LLC, the Nation’s leading firm with the sole focus on financial institution internal audit and consulting services. AuditOne LLC affiliates with AuditOne Inc., a PCAOB registered CPA firm that specializes in SOC audits for service providers. Under Managing Director Bud Genovese, AuditOne Inc. has positioned itself to deliver affordable SOC reviews utilizing hands-on technical staff. The AuditOne group of technical experts also can assist in SOC related risk assessments and penetration testing requirements. Contact Robert Kluba (robert.kluba@auditonellc.com) or Bud Genovese (bud.genovese@auditonellc.com) or call them at 408-980-8099 for more information.

 

Advisory – SOC 2 Reports Help Your Business Grow

From Bud Genovese, Managing Director, AuditOne Inc.

SOC 2 Reports Help Your Business Grow

If you are a service provider that handles corporate or consumer information, then a SOC 2 review and report is necessary. For example, if your firm provides secure storage of information or cloud based services, then you should be providing an annual SOC 2 report to your client base. The SOC 2 review and report would provide documented assurances that the operational safeguards protect your client as the service relates to either: processing security, availability, processing integrity, confidentiality, or privacy. One or more of these five principles would be covered in a SOC 2 as it applies to the processing service you provide.

The completion of the SOC 2 review could be used in company press releases that declare to the business world that you have independent evidence of the controls in place at your firm. The press release can announce that your firm provides assurance that you have the system and control procedures in place to safeguard clients’ sensitive information and processing integrity to sustain operations. It would be yet another reason why your firm is recognized as a quality service provider and an industry leader.

The SOC 2 review process would confirm your firm’s adherence to the AICPA’s Trust Principles related to security controls. The AICPA created the SOC guidelines to provide an authoritative benchmark for service organizations to demonstrate implementation of proper control procedures and practices. Type II reports include detailed testing of the operational effectiveness of the described systems’ security controls.

SOC 2

The SOC 2 Report focuses on internal controls related to the five AICPA Trust Principles: 1) security, 2) availability, 3) processing integrity, 4) confidentiality, and 5) privacy. A firm may select one or more of these principles to be reviewed. As with the financial statement oriented SOC 1/ SSAE 16, an organization can receive a SOC 2 review that is either a Type I or a Type II.

AuditOne Inc. Delivers Effective and Efficient SOC Audits

AuditOne Inc.’s skilled audit, technical and security experts deliver the highest quality, cost-effective, responsive SOC/SSAE 16 services in the industry. Please contact Bud Genovese to review how we can make the SOC/SSAE 16 audit an effective and efficient experience for your firm. I will be more than happy to help you understand why AuditOne Inc.’s user-friendly process and focus make it the market-leading smart choice.

Advisory – Sorting out “SOC”s – Which Report Your Service Providers Should Make Available

From Robert Kluba, Technology Practice Director, AuditOne Inc.

Your service providers that store or process information should provide you each year with a SOC (Service Organization Controls) report. If the information they handle relates to your financial statements, then a SOC 1 – SSAE 16 must be provided. The SOC 1 – SSAE 16 replaces the SAS 70 and is the only SOC report that opines on the processing as it relates to your financial reporting.

If the service provider is not used for financial statement related processing, but handles corporate information in other regards, then a SOC 2 or SOC 3 report is necessary. For example, if the service firm provides secure storage of data or cloud based services, then the firm should provide an annual SOC 2 or SOC 3 report. The SOC 2 or SOC 3 report would provide you documented assurances that the operational safeguards protect your firm as the service relates to either: processing security, availability, processing integrity, confidentiality, or privacy. One or more of these five principles would be covered in a SOC 2 or SOC 3 as it applies to the processing service your vendor provides.

SOC 1 – SSAE 16

Four years ago the American Institute of Certified Public Accountants (“AICPA”) created the Service Organization Control Report framework, and replaced SAS 70 with the SOC 1 – SSAE 16. Under the new framework, service organizations that handle financial data or affect the financial reporting of your firm would now receive a SOC 1 – SSAE 16 audit and report.  This review can be a “Type I or Type II” review. Type I reports on the suitability of the controls, while Type II also tests the effectiveness of the controls.

SOC 2

The SOC 2 Report focuses on internal controls related to the five AICPA Trust Principles: 1) security, 2) availability, 3) processing integrity, 4) confidentiality, and 5) privacy. A firm may select one or more of these principles to be reviewed. As with SOC 1 – SSAE 16, an organization can receive a SOC 2 review that is either a Type I or a Type II.

SOC 3

SOC 3 is a summary report that documents assurances on the internal controls related to the selected AICPA Trust Principles (security, availability, processing integrity, confidentiality, or privacy) but without the detailed description of tests and results contained in a SOC 2. In addition, the SOC 3 report can be publicly displayed on your web site, or provided to potential clients without an NDA (as required with the SOC 1 or SOC 2 reports).

AuditOne Inc. Delivers Effective and Efficient SOC Audits

AuditOne Inc.’s skilled audit, technical and security experts deliver the highest quality, cost-effective, responsive SOC/SSAE 16 services in the industry. Please contact me or Bud Genovese to review how we can make the SOC/SSAE 16 audit an effective and efficient experience for your firm. I will be more than happy to help you understand why AuditOne Inc.’s user-friendly process and focus make it the market-leading smart choice.

Advisory – Cost-Effectively Transitioning to SSAE 16

by Bud Genovese, Managing Director, AuditOne Inc.

Rationale why SSAE 16 replaces SAS 70, effective June 15, 2011

The new rules, entitled Statement on Standards for Attestation Engagements #16 (SSAE 16), replace the SAS 70 and become effective for reports for periods ending on or after June 15, 2011. With increased globalization of services, the SSAE 16 was issued by the American Institute of Certified Public Accountants to align with the International Standard on Assurance Engagements – ISAE 3402.

Major Changes of Responsibilities from the SAS 70 to the SSAE 16

AuditOne Inc.’s analysis concludes that the major SSAE 16 changes for service providers essentially reduce to:

  1. The service provider needs to perform or obtain a risk assessment that identifies risks that could threaten the achievement of the control
  2. The service provider must develop a written statement of “the description of the provider’s system” that will be included in Section 2 of the SSAE16
  3. The service provider will also provide an “Assertion by Management” to accompany the description.

Type I or Type II for your SSAE 16 Review?

As with the SAS 70, service providers must choose either a SSAE 16 Type I or SSAE 16 Type II Review. Essentially, the Type I review evaluates and details a service organization’s description of its system for processing user entity transactions or information at a specific point in time and opines on the suitability of the design of controls to achieve the related control objectives stated in the description.

The Type II review evaluates and details a service organization’s description of its system for processing user entity transactions or information at a specific point in time and opines on the suitability of the design and the operating effectiveness of controls to achieve the related control objectives stated in the description.

What New Steps Should I Take to Complete the SSAE 16?

There are three main areas to understand and comply with in the transition from the SAS 70 to the SSAE 16 rules: 1) risk assessment; 2) description of system; and 3) assertion statement. AuditOne Inc. can help you with all three, but your understanding of these new standards is essential.

1)  Risk Assessment

Background: SSAE 16 standards require the service provider to support its management assertions by: identifying the risks that threaten the achievement of the control objectives; and, determining whether the controls would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives from being achieved.

These risks do not need to be described in the service organization’s description of the system, but must be identified as part of the due diligence to make the assertions now required by the service provider in the report.

Action Step: Service providers should have a process to periodically (at least annually or when major changes take place) identify and assess risks that may threaten the achievement of the control objectives. This risk assessment process can be performed in-house or by a qualified consultant or audit provider.

2)  Management’s Description of System

Background: Management’s description of the services provided, including classes of transactions processed, should include a summary level of detail to permit the user to understand the nature of the services. For service organizations that process transactions for user entities, a description of the classes of transactions processed should provide the information necessary to identify a user entity’s significant accounts to which the transactions are posted. The description of the services provided should provide the information necessary to identify the significant user entity processes that are affected by the services (e.g., payroll expenses, cash disbursements, accounts payable and payroll tax reporting for the payroll function). For service organizations that provide an information systems platform, the description should include the services that the user entities are likely to find significant.

Description should also include, as applicable, the procedures by which services are provided, including transaction initiation, authorization, recording, processing and correction. The description of the system should convey a concise, summary level understanding of the flow of transactions or activities from start to finish, as well as the processes by which information errors are corrected.

Description of the system also must include the identification of other types of activity that affect the processing of transactions and services, such as information technology general controls.

Description of the system should include a description of the process used to prepare reports and provide information that user entity management relies on to run the business.

Action Step: If you’ve performed a SAS 70 in the past, review prior descriptions of systems and processes to update this text to meet the new SSAE 16 “description of system” requirements as noted in the above background. If this is your first such review, use the above background to help meet the new SSAE 16 “description of system” requirements.

3)  Management’s Written Assertion

Background: Another major difference between a SAS 70 report and a report prepared under the new SSAE 16 standard is management’s written assertion. This assertion can be included in the system description report section, but must be on the service organization’s letterhead and signed by a member of management.

The assertion communicates the service organization management’s responsibility for the description of the system, including, as applicable, that the description of the system:

  • presents how the system was designed to process relevant transactions
  • classes of transactions processed
  • procedures, both manual and automated, by which transactions are authorized, processed, corrected (as needed), and transferred to reports presented to users of the system,
  • process used to prepare reports for users
  • specified control objectives and controls designed to achieve those objectives,
  • risk assessment process
  • other control activities part of the internal control environment, including monitoring controls relevant to processing and reporting transactions to users
  • does not omit or distort information relevant to scope of the system
  • discloses relevant details of changes to the system during the period covered
  • controls related to the control objectives stated in the description were suitably designed and operating effectively throughout the period to achieve the control objectives, and the criteria used to make this assertion are that risks to control objectives have been identified, that controls noted in the description provide reasonable assurance that risks would not prevent the control objectives from being achieved, and that controls were consistently applied as designed, including manual controls.

Action Step: On your service organization’s letterhead, prepare a letter signed by management that includes, as applicable, the points noted in the above background. This assertion letter will be incorporated into the SSAE 16 report as a complementary part of the description of the system.

Advisory – Important Changes to SAS 70 Requirements

From Bud Genovese, Managing Director, AuditOne Inc.

This AuditOne Inc. Advisory Alert is intended to help you become familiar with important changes to the traditional SAS 70 Types I and II reporting process. The new rules, entitled Statement on Standards for Attestation Engagements #16 (SSAE16), replace the SAS 70 rules and become effective for reports for periods ending on or after June 15, 2011. Based on the Statement on Standards for Attestation Engagements issued by the Auditing Standards Board, there are three main changes to understand. You can be confident that AuditOne Inc. has analyzed all the changes and is prepared to lead you step by step to cost-effectively meet all the requirements. Let’s now take a closer look at what’s new.

  1. Under SSAE16, the service provider must provide a written statement of “the description of the provider’s system” that will be included in Section 2 of the SSAE16 report. This is new and not previously required. This system description is to include: how the system was designed and implemented to process relevant transactions; any material changes to the system during the period covered; statement of the system controls; etc. AuditOne Inc. can help you prepare every aspect of this statement, ensuring you meet the requirements of the new SSAE16 report.
  2. The service provider will provide an “Assertion by Management” of a Service Organization for a Type I or II Report. While this is technically new, it is basically the same content as the “Representation Letter” now done for SAS 70s. The major difference is that this new Assertion by Management letter must now be incorporated into the SSAE16 report. Again, AuditOne Inc. can guide you through the process of meeting this requirement.
  3. The SSAE16 can be accomplished by either the “Carve-Out Method” or the “Inclusive Method.” The Inclusive Method includes a description of the nature of the services and controls provided by subservice organizations. The Carve-Out Method does not examine the controls of the subservice organizations’ systems. AuditOne Inc. recommends the Carve-Out method because it is similar to the familiar SAS 70 process, and it saves you time and money.

We Sweat the Details So You Don’t Have To

AuditOne Inc. is dedicated to working hard to stay current on all the changes, nuances, and requirement techniques of the SSAE16 process. Our skilled audit, technical and security experts deliver the highest quality, cost-effective, responsive SSAE16 and SAS 70 service in the industry. If you have any questions about the new process or would like to schedule a SAS 70 or SSAE 16 review, please contact me. I’ll be more than happy to help you understand the new procedures, and why AuditOne Inc.’s reliability and cost-effectiveness make it the market-leading smart choice.