L3 Solutions

General Audit Services

Approach & Methodology

Audit approach and methodology are not only critical components of auditing, but directly relate to project efficiency and success. A poorly aligned or chaotic audit approach can have serious repercussions, potentially impacting organizational security and compliance with regulatory requirements. Our strictly defined and consultative approach to auditing ensures complete testing of controls, understanding of threats and risk, and manageable and logical steps to remediation and compliance. We base our audit methodology on standards defined by regulatory requirements, industry best security practice standards, and risk-based audit frameworks, including:

  • FFIEC IT Handbook (Tier II procedures)
  • FDIC & NCUA Information Security Standards
  • HIPAA Privacy and Security Rule Requirements, including HITECH Standards
  • NIST Federal IT Security Assessment Framework (800-30)
  • COBIT Audit Standards
  • ISO 27001/27002 - Security Techniques -- Specification and Code of Practice for Information Security Management

We systematically enrich our approach and methodologies through continuous research; field experience; article and whitepaper publication; and organization membership, ensuring the incorporation of emerging technologies; risk management and defense techniques; and understanding and awareness of evolving physical and logical threats.

IT General Controls Audit

Our approach to information technology auditing ensures that risks to your organization, as well as your level of compliance with state and federal regulations, are properly identified.


Assurance and Success


The IT General Controls Audit addresses three critical objectives: comprehensive testing and analysis of technical, administrative, and physical controls; an accurate assessment of compliance and risk; and practical and effective remediation plans. Furthermore, we provide professional guidance to assist you in understanding information security risk and regulatory requirements, enabling alignment of your compliance and risk management programs. We ensure project success through our established project management process, intuitive deliverables, and consultative audit practices.


Baseline Scope


The IT General Controls Audit tests both the design and effectiveness of information security controls. The baseline general controls audit tests the following categories for compliance with regulatory requirements and alignment with generally accepted information security practices:

  • Board Governance
  • IT Management Oversight
  • Information Security Program Standards 
  • Network, System, & Application Security 
  • Mobile Device Security
  • Virtual Infrastructure Security
  • User Authentication and Access and Rights Management
  • IT Operations 
  • Physical Security 
  • Incident Response 
  • Change Management 
  • Vendor Management 
  • Business Critical Application Security
  • Business Continuity & Disaster Recovery 
  • Risk Management and Assessment Programs
  • Red Flags Program
  • Regulatory Compliance (FFIEC, FDIC, NCUA, FTC, and GLBA) 

FDIC/NCUA Compliance Assessment

The FDIC/NCUA Compliance Assessment is designed based on requirements set forth by the FDIC and NCUA, specifically the Guidelines for Establishing Information Security Standards and the IT Examination Officer's Questionnaire.


Assurance and Success


The Compliance Assessment is used to evaluate the current IT control environment for compliance with each requirement specified by the FDIC and NCUA, provide organizations guidance in understanding the risks associated with information security, and provide practical and effective solutions to any issues identified during testing. For any control deemed "out-of-compliance", a thorough set of recommendations will be issued to assist your organization in meeting compliance requirements.


Baseline Scope


The baseline FDIC/NCUA Compliance Assessment includes a thorough review of the following control categories:

  • Information Security Program, Procedures, and Standards
  • Red Flags Program
  • Customer/Member Information Security Risk Assessment Program
  • Regulatory Compliance Standards (GLBA, FDIC, NCUA)
  • Network, System, and Application Security
  • Change Management
  • Business Continuity & Disaster Recovery Planning
  • Vendor Management Program
  • Incident Response Program
  • Physical Security

HIPAA Compliance

The HIPAA Compliance Audit evaluates compliance with the HIPAA Privacy and Security Rules and the American Recovery and Reinvestment Act of 2009 (ARRA) HITECH Meaningful Use and Privacy and Security (ARRA Subtitle D) standards.


Assurance and Success


The HIPAA Compliance Audit addresses four critical objectives: comprehensive testing and analysis of technical, administrative, and physical controls (as determined by the HIPAA Security Rule implementation specifications); alignment with HITECH Meaningful Use standards; an accurate assessment of compliance and risk; and practical and effective remediation plans. Furthermore, we provide professional guidance to assist you in understanding information security risk and regulatory requirements, enabling alignment of your compliance and risk management programs. We ensure project success through our established project management process, intuitive deliverables, and consultative audit practices.


Baseline Scope


The following control categories are evaluated for compliance with HIPAA Security Rule and HITECH Meaningful Use standards:

  • Risk Management and HITECH Meaningful Use Program Assessment
  • Business Associate Oversight and Vendor Management
  • Business Continuity & Disaster Recovery
  • Data Security
  • Information Security Program Standards
  • Network, System, and Application Security
  • Personnel Security
  • Physical Security
  • Workforce Security
  • System and Application Use Standards
  • User Authentication and Access and Rights Management
  • Change Management
  • Emergency Access Procedures
  • Employee Sanction Policy

Copyright © 2021 L3 Solutions LLC - All Rights Reserved.
