ROOT CAUSE ANALYSIS ENABLES AUDIT TEAM TO PROVIDE MEANINGFUL AUDIT WORK TO SERVICE PROVIDER
SSAE 18 Examination
Challenge
The purpose of an SSAE 18 examination is to provide assurance to Service Provider customers and their independent auditors that the organization’s internal controls are sufficient, and that the services and systems being provided are secure and effective.
In supporting our client through the completion of an SSAE 18 examination focused on internal controls over financial reporting, our team found a significant information system vulnerability associated with database software that affected a critical information system supporting the Service Provider’s internal control environment.
Whenever there is a finding of this magnitude, it indicates that the Service Provider’s and stakeholders’ data, such as personally identifiable information, sensitive information, and financial information, is at risk of unauthorized exposure. Furthermore, it is often a challenge for our Federal clients to determine the root cause of such issues and to identify the approach required to remediate the risk.
Solution
In response to this finding, our solution involved creating a meaningful Notice of Finding and Recommendation (NFR) that enabled the Service Provider to not only address the identified vulnerability, but also prevent similar system weaknesses in the future and improve the Service Provider’s internal control environment. The method used to develop this recommendation involved our audit team performing a comprehensive root cause analysis.
Accordingly, the audit team gathered additional information regarding the issue by holding multiple interviews with the Service Provider’s stakeholders and conducting several brainstorming sessions with the audit team members. The frequent and open communication with stakeholders established by this process enabled us to utilize additional information, such as historical data, to illuminate the root cause of the finding and deliver meaningful recommendations.
Impact
Before delivering the NFR, the audit team held additional meetings with Service Provider leadership in order to clarify the intention of the recommendations. These recommendations were welcomed by the Service Provider and equipped them both to remediate the vulnerability and to improve their risk assessment process. The audit team’s approach received favorable feedback, including high praise from the Service Provider’s Chief Information Officer (CIO), who stated that the resulting recommendations were “very meaningful audit work.” The Service Provider confirmed that although the recommendations would take time to address, they were more meaningful to the Service Provider because they could eventually result in improvements to its internal control environment and risk assessment processes.
By providing recommendations derived from the root cause analysis, we were able to provide a clear series of actions needed to rectify the true issue. Once the Service Provider completed the actions needed, the Service Provider’s security posture was improved, as was its internal control environment, ultimately lowering the risk of data exposure.