By signing the BAA, you must comply with the entire HIPAA security rule, to the same level as the covered healthcare provider. For CPA firms, HIPAA compliance requirements can be overwhelming, including annual risk assessments, monitoring, and policies. It's best to seek outside guidance if you don't feel confident in your current approach.
Firms Performing Audits
Last year, the American Institute of Certified Public Accountants Auditing Standards Board (ASB) released the new Statements on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification. Effective May 1 of this year, Service Organization Control (SOC) 1 reports now follow SSAE No. 18 (changed from SSAE No. 16).
While SSAE 18 doesn't change many of the factors that financial auditors must consider, such as end-user considerations, scoping, and audit periods, SOC 1 audits now have a stronger focus on risk assessment and the controls in place to mitigate those risks. What does this mean? Service organizations and the service auditor must take more responsibility than under SSAE 16.
Did you know a SOC 1 report under SSAE 16/18 is considered an auditor-to-auditor communication? Audit standards require us to have an understanding of the financial reporting and IT general controls environment. Service organizations used by the client are part of that environment.
Action Steps for Securing Your Firm's Data
Security best practices are now standard operating procedure. It's important to research, read, and understand your compliance responsibilities, starting with the acts previously mentioned.
paid advertisement
CTCPA Cybersecurity
Thursday, November 9, 2017
CTCPA Education Center, Rocky Hill
Learn more and register at
Our new conference, sponsored by the Technology Interest Group, brings you everything you need to know to keep your IT systems and information safe. We'll provide invaluable advice and guidance tailored specifically to accounting professionals in areas including law, data security, IT/SOC audits, securing the right insurance, enforcement, and managing public/client relations and communications if a breach is detected.
Breakout sessions will include:
Business Continuity Plan Workshop
Not sure where to start or can't find the time? In this unique, hands-on workshop, you will create and leave with a custom plan for your company.
Service Organization Controls (SOC) Audit Clarification Workshop
While typically only larger, national firms are doing SOC audits, small to medium-sized CPA firms must understand how SOC impacts regular financial statement audits and what is required of the financial statement auditor when the client uses a service organization.
Technology Breakfast Roundtables
Personalized advice from experts
Locations around the state
Find locations and dates at
The CTCPA hosts free monthly breakfast forums designed to answer members' questions on technology. (These casual meetings are hosted at diners and luncheonettes around the state; members order and pay for their own breakfasts.)
Attending a Breakfast Roundtable is your fast track to answers. Pre-registration isn't necessary; just stop in!
Cybersecurity Conference
Connecticut CPA
July/August 2017