Doing Business with Microsoft? Privacy Protection is Key

Date September 9, 2019
Authors Matthew Schiavone, CPA, CISSP, CISA

Microsoft executives take security and privacy initiatives seriously. Not just their own, but those of their vendors, as well.

Microsoft is committed to Vendor Risk Management (VRM). Suppliers and business partners are often required to undergo varying levels of attestation to their information security initiatives, including SOC 2 or Microsoft’s Supplier Security and Privacy Assurance (SSPA).

Microsoft has established data protection requirements (DPRs) for suppliers who process Microsoft personal or confidential data. More often than not, suppliers must undergo annual attestation as to their ability to meet the requirements defined in Microsoft’s DPR.

“Process” in Microsoft’s DPR refers to any operation or set of operations performed on Microsoft personal data or confidential data, whether or not by automated means. Such operations include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or dissemination, alignment or combination, restriction, and erasure or destruction.

SSPA is a Microsoft program that involves not only making sure that suppliers understand these requirements but ensuring their compliance. The program combines Microsoft Procurement, Corporate External and Legal Affairs, and Corporate Security to make certain that suppliers follow privacy and security principles when processing Microsoft personal data or Microsoft confidential data. It covers all global suppliers processing Microsoft personal or confidential data.

Suppliers considered high risk are required to provide independent verification of DPR compliance. Such companies are asked to select an independent auditor affiliated with the American Institute of CPAs (AICPA) or the International Association of Privacy Professionals to assess DPR compliance; that auditor is responsible for providing an unqualified letter of attestation to the Microsoft SSPA.

At HBK, our affiliation with the AICPA is merely one aspect of our capabilities. Our auditors have years of experience performing attestation engagements, including extensive SOC 2 work. We have intimate knowledge of security and privacy best practices and hold these critical credentials: Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

Most importantly, we are experienced in navigating businesses through Microsoft’s SSPA and compliance with the company’s Data Protection Requirements.

We can help you if Microsoft is on your business horizon and you want to maximize the value of these efforts, or if you’re preparing for a security audit. Call us at 724.934.5300 or email me at MSchiavone@hbkcpa.com and let’s get started.


Auditing the Auditor: Questions to Ask Before and After an Audit

Date June 22, 2017
Authors Sean Kocan

Managers of small and mid-size businesses and nonprofits often hire external auditors to ensure the integrity of the financial statements they provide to investors, creditors and other outside parties. As management, you are ultimately responsible for your financial reporting, so it is critical to be certain of the quality of the audit process you rely on by evaluating the qualifications and performance of the audit team, the quality and candor of the auditor’s communications, and the auditor’s independence and objectivity.

Not all auditing services are created equal. It might be tempting to engage a low-cost provider, but the adage “you get what you pay for” applies. An inaccurate or incomplete job could leave you exposed. A quality firm will assure you an accurate, timely, comprehensive report – and can deliver value-added benefits low-cost providers cannot or do not provide, including communicating opportunities for operational improvement, offering frank and informed responses during face-to-face meetings, and delivering access to sophisticated guidance and specialized services.

Use the following questions to determine the quality of an existing or prospective external auditing firm.


  • Did the audit team discuss the audit plan and the organization-specific areas of financial reporting risk it would address? Does the audit plan consider your reporting timeline and are you and the auditor in agreement on the applicable significant risk areas?
  • Does the audit team understand your organization’s business, industry and how various economic environments and trends impact your business?
  • Does the firm have the industry expertise and geographical reach to serve your organization? How deep is the firm’s industry talent pool outside of the assigned team?
  • Did the firm demonstrate its independence and describe the safeguards in place to protect its independence?
  • Does the firm have a process for overseeing audit quality, to ensure that standards are met and methodologies are followed? How extensive is the review of the audit file prior to report issuance?
  • What are the results of the firm’s most recent peer review examination? What were the findings and how did they respond? Was the firm’s peer reviewer reputable?
  • What do the audit firm’s references say about the audit team? Exemplified behaviors in the past with similar clients best illustrate the performance you can expect.

Engagement Evaluation:

  • Did the audit meet the performance criteria as reflected in the engagement letter and audit plan? If the audit plan was not met, did the audit team discuss the reasons with you in a timely manner?
  • Did the audit provide details on the quality of your organization’s financial reporting, including whether your estimates and judgments are reasonable?
  • Was the auditor able to compare your accounting policies with industry best practices? Did he or she inform you of any current and upcoming changes to accounting principles and auditing standards?
  • Did the lead auditor maintain open dialogue with management and were communications always comprehensive and understandable?
  • Were sufficient and appropriate resources dedicated to the audit? Did your team consist of experienced auditors and was the partner visible during all stages of the process? Were specialized resources required and employed?
  • Was the cost reasonable for the size, complexity and risks of your organization?
  • Did the auditor ask for feedback on the audit and how did he or she respond to your feedback?
  • If there was a change in your audit team from the prior year, did the lead audit partner explain the transition and were the reasons for the change acceptable? How frequently are you experiencing new faces on your audit team?

The audit process is more art than science. The experience, judgment and even personalities of your auditors determine the quality of the audit you will receive. HBK has created an environment of audit quality through our staffing decisions, audit methodology, technology investments and quality control systems. And we support our clients and prospective clients in the conduct of thorough assessments of our work and our firm so they are comfortable they are getting the value we promise. We encourage all organizations to do the same to ensure the independent auditors they engage are qualified, candid and objective, and their reports will be accurate and comprehensive, delivering the value and quality you deserve.
