Archive for the ‘BrightLine’ Category

HR and Payroll Service Providers Benefit from Attestation and Compliance Reports

Source – Workforce Management Channel

Today’s business environment is compliance heavy, under continuous scrutiny and intertwined with customer and legislative requirements. Companies must ensure compliance with a myriad of standards, requirements, laws, and regulations, such as the SSAE 16 examination (SOC 1), SOC 2/3 examinations, ISO certification, FedRAMP assessment, and hundreds more, across all areas of governance and programs.

As a human resource and payroll service provider, or a provider of any workforce management solution, you must reassure customers about the security and integrity of the data stored within your environment. Being able to give customers a level of comfort around their financial, corporate, and personal information is the foundation of information security compliance and can be a significant differentiator from competitors.

The compliance method highlighted here is the SSAE 16 examination, also referred to as a Service Organization Control (SOC 1) report. The SOC 1 report is an internationally accepted third party attestation report designed specifically for service organizations. It gives service organizations and their customers an independent opinion on whether the controls described by management are suitably designed (and, for a Type 2 report, operating effectively) to meet the control objectives management has specified. SOC 1 examinations are performed when the provider’s services are relevant to its customers’ internal controls over financial reporting. For human resource and payroll service providers, the report would include both information technology controls and transactional controls, for example, controls that help ensure records are complete and accurate in recording account balances.

There are two types of SOC 1 reports, and the service organization is responsible for specifying whether a “Type 1” or a “Type 2” examination will be performed. A “Type 1” SOC 1 examination reports on the fairness of presentation of the service organization’s description of its system and the suitability of the design of its controls as of a specified date. A “Type 2” SOC 1 examination reports on the fairness of presentation of the description and on both the suitability of the design and the operating effectiveness of the controls over a period of time, typically at least six months.

Service providers going through the examination process for the first time may opt to perform a readiness assessment, which simulates a SOC 1 examination. The readiness assessment identifies, for each applicable control objective, the controls that are believed to be in place and operating effectively, and it identifies relevant controls that are either not in place, or that are believed to be in place but are judged to be ineffective.

Your company may go down the path of a SOC 1 report because of a customer request or a contract; however, do not let that cloud your view of the several key benefits of obtaining the report:

  • Build trust and confidence with current and potential customers
  • Attain independent, third party assessment of controls
  • Provide a single examination to fulfill multiple customer requests
  • Obtain confirmation that controls in place are as management expects
  • Increased market share

We have seen requests for human resource and payroll service providers to obtain a SOC 1 report increase with the heightened awareness of outsourcing risks, internal controls, data security incidents, regulatory compliance, and contractual obligations. Corporate governance boards and even shareholders want to see third party assurance over companies’ outsourced operations because of the inherent risk of outsourcing business functionality. The most efficient way to give comfort to customers is to provide a third party assurance report. As such, many organizations have found it worthwhile to complete a SOC 1 examination before customers require it.


BrightLine is Now Accredited by NASBA as a Registered Sponsor of CPE

BrightLine is pleased to announce its accreditation by the National Association of State Boards of Accountancy (NASBA) as a registered sponsor of Continuing Professional Education (CPE). Attendees of BrightLine’s educational series on compliance topics will now earn CPE credit toward leading certifications and accreditations.

“We are extremely excited to be chosen as CPE program sponsors. This is a testament to the quality of training and knowledge that we are able to provide due to our depth and breadth of attestation and compliance services,” says Avani Desai, Chief Marketing Officer of BrightLine.  “In the future, we expect to extend our reach to more people and deliver high quality training to enhance skills and capability in the areas of attestation, compliance, and auditing.”

NASBA serves as a forum for the nation’s state boards of accountancy, which administer the Uniform CPA Examination, license more than 600,000 Certified Public Accountants and regulate the practice of public accountancy in the United States. This accreditation reflects BrightLine’s continuous efforts to provide its clients and the public with high quality accredited training content as part of its attestation and compliance education. Although this program is governed by NASBA, the CPE credits are also accepted by non-CPA certification bodies such as the Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA), the Project Management Institute (PMI), and several more.

BrightLine was officially added to the National Registry of CPE Sponsors on October 30, 2012.


“Become a Champion in Your Space” – Re-cap of the SaaShr Conference

SaaShr’s 5th Annual Partner Community Workshop was held in Philadelphia, PA on September 19-21, 2012. BrightLine Principal, Scott Zelko, and I (Chief Marketing Officer, Avani Desai) attended as the Diamond Sponsor of the event. The conference was attended by over 150 SaaShr customers and business partners. SaaShr, a Kronos Company, is a provider of Software as a Service (SaaS)-based workforce management applications with a major focus on Human Resources (HR), Payroll, and Time and Labor Management. The conference had several content-packed sessions which focused on implementation, support, sales, and marketing strategies, and, new this year, emerging topic areas such as social media use and regulatory / contractual compliance.

Wednesday marked the official start of the conference. The conversation was lively as the attendees discussed with us the various types of compliance reporting that they either perform or are being asked to perform, specifically SSAE 16 examinations. The attendees were very interested in what could lie ahead in their industry, which they described as an environment that is compliance heavy, under continuous scrutiny and intertwined with customer, business partner, and legislative requirements. We discussed some of the benefits of compliance reporting – meeting customer audit and compliance requirements, forging business partnerships, building trust with current customers, third party assurance, and competitive advantage. The attendees agreed, and a CEO of an HR Service Bureau commented, “An unqualified SSAE 16 report allowed our company, a small player in the market, to compete in the field with some much larger competitors.”

One of the highlights of the conference was when I had a chance to speak to the attendees during the Sponsor Circle. I discussed how companies today increasingly rely on the services of outsourced providers to perform certain tasks or functions related to their business. This is evident in the growth that the attendees have seen in their own companies – an average of over 10% annually. However, the inherent risk a user organization assumes in outsourcing business functionality is the dependence on the service organization’s capability to deliver services. I mentioned that one efficient way for user organizations to get comfort and help mitigate these risks is to require service organizations to obtain third-party assurance concerning their internal control environment. Accordingly, service organizations should get ahead of the curve and be proactive by preparing for the assurance reports before they are asked. This resonated well with the attendees as they thought about supplementary ways to compete in the market.

As the conference wrapped up, my favorite quote was made by an attendee who stopped by the BrightLine booth and asked questions about our services. I mentioned SSAE 16, and he immediately said, “I need to get one of those Sassy 16’s done – the report knows it adds value, it is inevitable in today’s environment, it can help me grow, and also mitigate risk, so it has the right to throw a little bit of attitude around.” Point well taken.


High Profile Security Events Teach Important Lessons

Source – The Tampa Bay Technology Forum

With the more than one million Apple device identifiers (UDIDs) leaked earlier this month and the recent Go Daddy DNS outage, many organizations have started to reassess their own security and resiliency plans. Even if you were not one of the many people or companies directly affected by these incidents, there is no better time to reflect on the lessons learned and start implementing leading practices. The following are a few lessons we believe everyone should consider when it comes to outsourcing and data privacy.

Lesson 1 – During an Incident, Be Wary of the Hyper-Reporting

The Twittersphere and news media are hardly reliable sources for technology topics on good days, let alone when something bad happens. With Apple, it was reported that the leaked identifiers were stolen from an FBI laptop, only for it to emerge later that they were actually taken from a Florida-based publishing firm. In the case of Go Daddy, early reports led us to believe that hacktivists caused the DNS failure; however, Go Daddy firmly denies that any external influence caused the failure and attributes it to an internal network event. So during an incident, always apply a healthy dose of skepticism to the reporting, and base your own response on facts you can verify rather than on the first headline.

Lesson 2 – Sweat the Small Stuff

It sounds obvious, but few companies have a bona fide incident management plan. That is unfortunate, because having a plan in place can substantially mitigate the potential impact of an incident. We witnessed a great example of why this is important last week when millions of websites relying on Go Daddy’s free DNS service failed. With widespread adoption of the Internet approaching the 20 year mark, a substantial portion of the IT community had not considered DNS failure a risk worth planning for prior to the Go Daddy outage. We can assume that points of failure previously thought to be remote possibilities will get much more attention going forward.

Lesson 3 – Know Your Partners

A message we often hear is that a company may outsource a service, but it cannot relinquish accountability for the potential risks to itself, its employees, its customers, and other stakeholders. This leads to the realization that your company’s information is only as secure or redundant as your vendors and business partners actually make it, not merely as they state it to be. An effective due diligence program is needed to monitor your third-party relationships. Companies can start by reviewing assurance reports (e.g., SSAE 16 / SOC 1 or SOC 2 reports, ISO 27001 certification, etc.) and / or by conducting the appropriate first hand inquiries and inspections. These reviews help provide comfort over the service organization’s internal controls, and the report’s scope, period, and any carve-outs should be read closely to confirm that the controls you rely on are actually covered.

Lesson 4 – Don’t Allow Vendors to be Single Points of Failure

While availability issues are more common, what if the provider went out of business? If a company as large as Go Daddy can experience wide-spread problems, you should not assume other providers are immune. If your service involves data being stored with the third party, maintaining an independent backup is critical. A backup plan also includes having access to other providers that could step in and deliver the services you need. Portability is supposed to be one of the key selling points of cloud computing. Ultimately, organizations should have the tools to either back up their data or transition services to another provider in an emergency, and should test that those tools actually work before they are needed.
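Lessons 2 and 4 above both come down to the same practical step for DNS: keep your own copy of the records you depend on, check the live answers against it, and be able to hand that copy to another provider. The following Python script is an added example written for this page; it is not code from the original article or from BrightLine. The domain, addresses and snapshot are constructed sample data, and the resolver is injectable so the check runs offline here (in practice you would plug in a real resolver such as dnspython’s `dns.resolver`).

```python
"""Independent DNS snapshot check and zone export (added example).

Keeps a local copy of the DNS records an organization relies on,
compares live answers against it, and renders the copy as BIND-style
zone lines that another provider can import if the current one fails.

All names and addresses below are constructed sample data for a
hypothetical domain; nothing here is taken from the original article.
"""
from typing import Callable, Dict, List, Tuple

# Record sets keyed by (owner name, record type); values are rdata strings.
RecordSet = Dict[Tuple[str, str], List[str]]

# Constructed snapshot: the records this hypothetical company depends on.
SNAPSHOT: RecordSet = {
    ("example.com.", "A"):      ["192.0.2.10"],
    ("www.example.com.", "A"):  ["192.0.2.10", "192.0.2.11"],
    ("example.com.", "MX"):     ["10 mail.example.com."],
    ("mail.example.com.", "A"): ["192.0.2.25"],
}

# A resolver is any callable (name, rtype) -> list of rdata strings.
Resolver = Callable[[str, str], List[str]]


def check_zone(snapshot: RecordSet, resolve: Resolver) -> Dict[str, List[str]]:
    """Compare live answers with the snapshot.

    Returns three buckets:
      'missing' - record sets that no longer resolve (outage or deletion)
      'changed' - record sets whose rdata differs (misconfiguration or hijack)
      'ok'      - record sets that match the snapshot
    """
    report: Dict[str, List[str]] = {"missing": [], "changed": [], "ok": []}
    for (name, rtype), expected in snapshot.items():
        key = f"{name} {rtype}"
        try:
            answers = sorted(resolve(name, rtype))
        except Exception as exc:  # SERVFAIL, timeout, etc. count as an outage
            report["missing"].append(f"{key} ({exc})")
            continue
        if not answers:
            report["missing"].append(key)
        elif answers != sorted(expected):
            report["changed"].append(f"{key}: expected {sorted(expected)}, got {answers}")
        else:
            report["ok"].append(key)
    return report


def to_zone_file(snapshot: RecordSet, ttl: int = 300) -> str:
    """Render the snapshot as BIND-style zone lines.

    This is the portable format most DNS providers accept for import,
    so the snapshot doubles as the migration artifact for a cut-over.
    """
    lines = []
    for (name, rtype), rdatas in sorted(snapshot.items()):
        for rdata in rdatas:
            lines.append(f"{name}\t{ttl}\tIN\t{rtype}\t{rdata}")
    return "\n".join(lines) + "\n"


# --- Constructed stand-in resolvers so the demonstration runs offline ---
def healthy_resolver(name: str, rtype: str) -> List[str]:
    """Answers exactly as the snapshot (everything is fine)."""
    return list(SNAPSHOT.get((name, rtype), []))


def outage_resolver(name: str, rtype: str) -> List[str]:
    """Simulates a provider outage for the web host plus an edited MX."""
    if name == "www.example.com.":
        raise RuntimeError("SERVFAIL")
    if rtype == "MX":
        return ["10 mail2.example.com."]
    return list(SNAPSHOT.get((name, rtype), []))


if __name__ == "__main__":
    for label, resolver in (("healthy", healthy_resolver), ("outage", outage_resolver)):
        rep = check_zone(SNAPSHOT, resolver)
        print(f"[{label}] missing={rep['missing']} changed={rep['changed']}")
    print(to_zone_file(SNAPSHOT))
```

Run this from a scheduler against a real resolver and treat anything in `missing` or `changed` as an alert; the `to_zone_file` output is what you would feed to a second provider to restore service. Keep the snapshot under version control so that authorized changes are recorded and an unexplained diff is investigated rather than silently re-baselined.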

Lesson 5 – Integrate into Culture and Training

It might just seem like an additional item to add to the IT policy document or to the growing list of mandatory training. However, you should reinforce the significance of protecting non-public and critical data by providing data awareness training to your employees on a regular and consistent basis. As security and privacy audit professionals, we default to looking for technology or process-oriented solutions. However, what is clear is that the organizations that invest time in training and awareness activities not only respond to incidents better, but also prevent them better.


Data Center Knowledge – “Why Data Centers Need SSAE 16”

Data Center Knowledge, a leading online source of daily news and analysis about the data center industry, today published “Why Data Centers Need SSAE 16”, an article by Chris Schellman, President of BrightLine.

The article is a response to the persistent myth that SSAE 16 is not applicable to data center and colocation providers. Relying on extensive technical supporting citations, Mr. Schellman argues that SSAE 16 is indeed applicable to traditional data center and colocation services.

“Perpetuators of this myth are usually not CPAs and are always presenting a personal point of view,” said Chris Schellman. “The problem is that their opinion is wrong and it was time for a CPA experienced with SSAE 16 to end the debate.”

Chris Schellman is a licensed CPA, CISSP and PCI QSA.  His expertise is derived from contributions to nearly 1,000 SSAE 16 / SAS 70 examinations.


BrightLine Reports Widespread Adoption of New SSAE 16 Reporting Standard

June 15, 2011 – Tampa, FL – Effective today, the long standing SAS 70 audit standard for reporting on controls at a service organization is superseded by the SSAE 16 attestation standard. BrightLine CPAs & Associates, Inc. is pleased to announce that adoption of the new reporting standard has been significant and that the firm has already been engaged to perform nearly 600 SSAE 16 examinations.

“The transition to SSAE 16 by service organizations has been remarkable. BrightLine has already completed a significant number of SSAE 16 examinations for clients that adopted the standard earlier than required,” said Chris Schellman, President of BrightLine. “As we work to complete nearly 200 such examinations during 2011, BrightLine is poised to become one of the world’s leading providers of SSAE 16 examination services.”

Statement on Standards for Attestation Engagements No. 16 (SSAE 16), formally titled “Reporting on Controls at a Service Organization”, does not significantly overhaul the reporting process but does include some noteworthy changes:

  • An increased focus on the proper application of the standard and use of the report
  • Modifications to the form and content of the previous SAS 70 reporting format, including the concepts of specified criteria and a written management assertion accompanying the description of the system
  • Extension of requirements to subservice organizations, which is likely to increase use of the “carve-out” reporting method

The AICPA recently introduced a Service Organization Controls (SOC) reporting structure consisting of three types of reports, of which the SOC 1 report is the SSAE 16 examination. Each SOC report is designed to meet a specific user need:

  • SOC 1 Reports:  Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (i.e., SSAE 16)
  • SOC 2 Reports:  Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
  • SOC 3 Reports:  Trust Services Report for Service Organizations

“Many changes are occurring simultaneously, and unfortunately for practitioners and service organizations alike, relevant professional guidance was only recently published,” said Schellman. “It is essential that service organizations verify the experience and knowledge of their prospective audit firm by asking about their specific SOC reporting experience, with a focus on the expertise and experience of the proposed project team members.”

Service organizations seeking further information on SOC reporting options, PCI DSS validation, or ISO 27001 certification may contact BrightLine for complimentary consultation.
