A compliance audit is a comprehensive review of an organization’s adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Over the course of a compliance audit, auditors review security policies, user access controls and risk management procedures.
The minimum baseline for all audits is NIST 800-53 Revision 4. This is the framework used for providing “gap analysis” on all systems, from point of entry to the keyboard. This includes:
- The network infrastructure and related appliances
- Servers and related components
- Desktop and related components
- Policies and procedures
Audits and Gap Analysis can be performed on-site, remotely, or a combination of both. The typical process will take three to five days to complete depending on the audit level required. The process will include:
- Meet with the stakeholders to determine what level of auditing is required and set the expectations.
- Review policies and procedures
- Perform security and compliance audits
- Analyze the audit results and prepare the necessary reports and recommendations
- Meet with the stakeholders and review the audit results and recommendations
- Prepare an after-action report identifying all issues, with recommendations to mitigate any negative findings
- Work with the client to prepare and implement a mitigation strategy
- Reexamine the areas that required mitigation to ensure compliance
- Prepare final report
Independent audit and assessment provides management with the assurance that IT controls are designed appropriately and operating effectively.
IT Audit Co-sourcing/Outsourcing:
Depending on your needs, we can perform single audits encompassing all areas of technology, or a comprehensive series of audits scheduled throughout the year. We can also provide experienced professionals to supplement your existing IAD resources and help transfer knowledge and build skills internally within your team.
FedRAMP 3PAO:
We provide independent control assessment and support organizations in their plans to become an approved CSP. This service includes readiness assessments and gap analysis.
SSAE16/SOC 2 Audit:
We assure our customers that all their controls are in place and operating as intended, and we provide meaningful and cost-effective recommendations when deficiencies are noted.
External Audit Support:
We provide IT audit expertise in conjunction with external financial statement audits, integrating with delivery teams to provide technical subject-matter expertise on technology risks and controls.
We act as facilitator, interpreter, and liaison between our clients, their auditors and their regulating authorities. We simplify the process of compliance while creating greater efficiencies and minimizing disruptions. We conduct audit readiness reviews and lessen the load on IT personnel during the actual audit, identifying and mitigating risks before the auditors and regulators arrive.
Compliance Readiness & Program Management:
We address current and applicable regulatory requirements of our customers. We help them to develop processes and procedures that address future mandates more effectively, while minimizing redundancies between various compliance systems. We install processes and systems to monitor and report on compliance initiatives and current status.
Control Framework Implementation:
We help our clients to navigate the complex array of industry frameworks such as ITIL, COBIT, and ISO to identify the most appropriate standard(s) for their organizations. We help them to develop a plan to assess the current state of systems and policies, compare them to a desired future state, and provide a comprehensive gap analysis.
NIST 800-171 Advisory:
We help you to ensure that you are adequately protecting Controlled Unclassified Information (CUI). We help contractors to ensure that they have appropriate controls in place for transmitting or storing this type of data in others’ information systems.
We perform audits and compliance assessments against standards and regulations such as ISO 27001, NIST/FISMA, SOX, HIPAA/HITECH, and FFIEC. We advise on security program enhancements and control implementation when gaps are identified.