Watch: Risk Advisory Services: Third Party Risk Management

Date January 29, 2021
Article Authors
HBK CPAs & Consultants

HBK Risk Advisory Services Senior Managers Bill Heaven, CPA, CISA, CITP, CSCP and Matt Schiavone, CPA, CISSP, CISA discuss Third-party Risk Management, SOC, SOC2 and reporting.

Download the materials.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

HBK uses the contact information you provide to send you information about our products and services. You may unsubscribe from these communications any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



Avoiding the Weak Link: SOC for Supply Chain

Date June 2, 2020
Article Authors
HBK CPAs & Consultants

Advances in technology are rearranging the relationships between entities in supply chains. Entities that produce, manufacture or distribute products are more connected than ever with their suppliers, customers and business partners. There are advantages as well as disadvantages to this new way of conducting business.

The efficiencies introduced by technology have increased revenues, reduced costs and presented more opportunities, but technology has also introduced major risks to the entire supply chain. Accordingly, stakeholders – suppliers, customers, business partners – are considering these risks, and as a result, vetting their partners more diligently.

Routinely this is accomplished by requesting attestation reports on the entity’s system and the controls relevant to security, availability, processing integrity, confidentiality and privacy. Third-party, independent assurance is ideal. Such requests will likely soon become requirements.

In an effort to facilitate and provide a common set of criteria, the AICPA has developed guidance for a new examination-level service referred to as a SOC (system and organization controls) for Supply Chain examination.

A SOC for Supply Chain report provides information about the “system” used to produce, manufacture, or distribute products and the relevant “controls” within that system. The report is designed to provide users with information they need to identify, assess and manage the risks that arise from their relationships with the entity. Users include:

  • Business partners, such as customers or suppliers who need the information to manage and assess the risks associated with doing business with the entity
  • Business customers, including immediate customers or similar business entities further down the supply chain who may need to (a) integrate controls with the controls within their own systems, and (b) determine whether those controls are sufficient to mitigate their own business risks
  • Others, such as prospective customers and business partners who need the information to supplement their supplier selection processes or ensure the supplier’s compliance with regulatory requirements

As supply chains evolve and vendors and business partners are increasingly scrutinized, SOC for Supply Chain examinations will provide marketability, convey trust and distinguish organizations. A chain is only as strong as its weakest link.

HBK CPAs & Consultants has vast experience conducting SOC Attestation reports. We are poised to assist your organization in achieving success.




Doing Business with Microsoft? Privacy Protection is Key

Date September 9, 2019
Article Authors
HBK CPAs & Consultants

Microsoft executives take security and privacy initiatives seriously. Not just their own, but those of their vendors, as well.

Microsoft is committed to Vendor Risk Management (VRM). Suppliers and business partners are often required to undergo varying levels of attestation to their information security initiatives, including SOC 2 or Microsoft’s Supplier Security and Privacy Assurance (SSPA).

Microsoft has established data protection requirements (DPRs) for suppliers who process Microsoft personal or confidential data. More often than not, suppliers must undergo annual attestation as to their ability to meet the requirements defined in Microsoft’s DPR.

“Process” in Microsoft’s DPR refers to any operation or set of operations performed on any Microsoft personal data or confidential data—and whether or not operations are by automated means. Processes include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or dissemination, and alignment or combination, restriction, and erasure or destruction.

SSPA is a Microsoft program that involves not only making sure that suppliers understand these requirements but ensuring their compliance. The program combines Microsoft Procurement, Corporate External and Legal Affairs, and Corporate Security to make certain that suppliers follow privacy and security principles when processing Microsoft personal data or Microsoft confidential data. It covers all global suppliers processing Microsoft personal or confidential data.

Suppliers considered high risk are required to provide independent verification of DPR compliance. Such companies are asked to select an independent auditor affiliated with the American Institute of CPAs (AICPA) or the International Association of Privacy Professionals to assess DPR compliance; that auditor is responsible for providing an unqualified letter of attestation to the Microsoft SSPA.

At HBK, our affiliation with the AICPA is merely one aspect of our capabilities. Our auditors have years of experience performing attestation engagements, including extensive SOC 2 work. We have intimate knowledge of security and privacy best practices and hold these critical credentials: Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

Most importantly, we are experienced in navigating businesses through Microsoft’s SSPA and compliance with the company’s Data Protection Requirements.

We can help you if Microsoft is on your business horizon and you want to maximize the value of these efforts, or if you’re preparing for a security audit. Call us at 724.934.5300 or email me at MSchiavone@hbkcpa.com and let’s get started.




Are You Cyber Secure and Who Wants to Know?

Article Authors
HBK CPAs & Consultants

This is an update to the original INSIGHT article Are You Cyber Secure?, which was published in July 2017.

A System and Organization Controls 1 (SOC 1) report provides assurance over controls at a service organization which are relevant to user entities’ internal control over financial reporting. Obtaining a SOC for Cybersecurity report can prove that a cybersecurity risk management program is designed and functioning effectively. It can also reassure everyone from a member of a board of directors to a potential customer that information with which your company has been entrusted is being handled in accordance with cybersecurity best practices.

No matter your business or industry, cybersecurity is a concern. If you operate in cyberspace – and what business doesn’t? – you are vulnerable. To guard against the many risks ranging from exposure of confidential information to loss of business reputation, every organization should have a cybersecurity risk management program. However, conveying the maturity of your risk management program to stakeholders is a challenge that needs to be overcome.

To meet that need, the American Institute of Certified Public Accountants (AICPA), the certification and standards organization governing the practice of accounting, has introduced System and Organization Controls (SOC) for Cybersecurity. Building upon the profession’s experience in auditing system and organization controls, SOC for Cybersecurity enables CPAs to examine and report on an organization’s cybersecurity risk management program.

HBK CPAs & Consultants (HBK) has been performing SOC 1 and SOC 2 attestations since they replaced the SAS 70 report in 2010. In the area of SOC for Cybersecurity, we offer management two types of assurance services: advisory and attestation.

In an advisory role, we perform a readiness assessment, which helps businesses assess their cybersecurity program against the industry’s leading frameworks, and more appropriately, against the AICPA Cybersecurity criteria. We assist with identifying gaps in the framework and remediating those gaps to further develop or implement an effective cybersecurity program. For more established programs, we help organizations formally align the existing program with the three criteria as established by the AICPA:

Security – The system is protected, both logically and physically, against unauthorized access.

Availability – The system is available for operation and use.

Confidentiality – Information designated as confidential is protected as committed or agreed.

In an attestation engagement, we examine your cybersecurity program and provide an opinion on whether it is effective. We map your controls to ensure your program complies with the AICPA-established criteria. We review your description of how those criteria are accommodated, then test and validate the effectiveness of these controls and issue a report.

A cybersecurity risk management examination report includes the following three key components:

Management’s description of the entity’s cybersecurity risk management program. The first component is a management-prepared narrative description of its cybersecurity risk management program. The report provides information on how the company identifies its information assets, how it manages the cybersecurity risks that threaten it, and the policies and processes implemented and operated to protect its information assets against those risks.

Management’s assertion. The second component is an assertion provided by management that the description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Practitioner’s report. The third component is a practitioner’s report, which contains an opinion on whether management’s description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Our attestation is justification management can use to demonstrate to everyone from the board of directors to a potential customer that their cybersecurity program is in accordance with best practices. The AICPA logo of SOC Cybersecurity certification is a key differentiator for a business, assuring stakeholders of the security of the information they handle.

All organizations should have a cybersecurity program in place. Having it assessed for readiness, that is, ensuring your controls are aligned with the AICPA-defined standard and criteria, will afford assurance that it is designed appropriately. Receiving official attestation demonstrates the design is functioning as it should, and only makes sense in providing a level of confidence to your stakeholders that you are a business that has implemented a robust and comprehensive cybersecurity program, that your organization is cyber secure.
