HA&W
404-892-9651

IT Audit & Assurance Services

Your business or organization depends on information technology (“IT”)
IT enables virtually every significant business function, from routine communications and transactions to sophisticated business models that provide competitive advantage.

The IT Risk Paradox
The more IT is leveraged, the greater the risk it represents. Businesses need to make sure relevant risks are identified and cost-effective control solutions are built into their systems and operating procedures. Common IT-related risks are associated with financial integrity, regulatory non-compliance, security and privacy breaches, availability, and processing integrity.

The Need for Trust and Assurance has Never Been Greater
Businesses and organizations are recognizing they need a comprehensive approach to manage IT risk that is commensurate with their size, sophistication, and industry needs. Those businesses and organizations that depend on third parties for IT-related services or data need to know that their third party service provider has exercised due care regarding the security and privacy, processing integrity, and availability of their services.

HA&W’s IT Audit and Assurance Services
HA&W provides a wide offering of IT risk management services that meet our clients’ specific needs in terms of their industry, regulatory requirements, and budgetary needs. Our skills extend across a wide range of industries, business applications, computing platforms and applicable regulations, and we are uniquely qualified in many aspects of IT audit and security and control. Our professionals all have 5-10+ years of practical industry experience along with several years of experience auditing technology for financial, compliance, and operational purposes. Our mission is to provide our clients with the most cost-effective and pragmatic IT audits and advisory services. Our areas of focus and expertise include the following:

  • IT Strategy and Organizational Alignment. Our professionals often support our clients’ executive management teams to help ensure IT strategy, IT organization, and IT infrastructure are aligned to overall business strategy and needs. We have addressed both application selection and infrastructure design and deployment in many technology-intensive industries. We have helped several clients establish the IT management practices and personnel needed to take their business to the next level.
  • Enterprise IT Risk Management and Regulatory Compliance. We have guided our clients through deployment of comprehensive IT risk management solutions that encompass operations, finance and compliance risks (e.g., SOX, banking, HIPAA, etc.) and also to ensure these risks and associated controls are streamlined, rationalized, deployed, and monitored to provide peace of mind to audit committees and other executive management.
  • Process and Business Performance Improvement. Our professionals have helped many of our clients through the risky and complicated process of upgrading or replacing their business applications and supporting infrastructure to improve business performance and reduce costs.
  • IT Due Diligence of Software Applications (and Supporting Infrastructure) to meet Business Needs and Objectives. We have helped many companies evaluate options and make informed decisions when selecting business applications, such as ERP, or more focused solutions such as Financial Management, Advanced Planning (supply/demand), or Retail POS and Retail Management Systems.
  • Project Management Control. Our professionals can help ensure the new IT solutions, or changes to IT infrastructure, are deployed on-time and on-budget, with minimal disruption and maximum achievement of business objectives.
  • Logical Access Control. Our professionals are deeply skilled in understanding, assessing, and managing logical access controls for virtually any type of operating system, database, business application, and network device. We can efficiently assess Segregation of Duty (“SOD”) and other control weaknesses, and guide your company through the deployment of policies and procedures to ensure logical access controls meet your business security needs and objectives.
  • Network and Security Vulnerability Assessments. Our security management professionals have deep experience applying leading international standards (including the National Security Agency's INFOSEC Assessment Methodology ‘NSA IAM’) and leveraging network vulnerability scanning tools to identify security management weaknesses related to management practices and to network design and management. In addition to evaluating network, system, and web-based security threats and vulnerabilities, we provide additional testing to determine whether your high-value accounts and information can be readily compromised by simulating external attacks and system penetrations.
  • IT Audit/IT Internal Audit. Our IT audit professionals have deep experience in both external and internal audit functions, assessing and auditing against the complete range of audit requirements including financial, regulatory, and operational audit requirements. Our professionals have experience and certifications that address any level of the IT infrastructure, at the level of the application or business system, the operating system, and the database.
  • SAS No. 70: Service Organization Reporting.

    What is cost-effective SAS 70 reporting?

    As you consider alternative SAS 70 auditors, keep in mind there is a very wide variation in the quality of SAS 70 reports produced. While the AICPA professional audit standards and guidance underlying the report are clear, there is considerable misunderstanding and misapplication of these standards. Some firms that focus on churning out a high volume of SAS 70 reports do not subject themselves to AICPA Peer Review Standards and/or they have peer review conducted by firms that themselves do not produce SAS 70 reports. Our firm is actively involved with the AICPA in the refinement of SAS 70 related standards, and in the promotion and awareness of accurate and effective SAS 70 reporting approaches.

    Our approach ensures the reports we produce meet AICPA audit standards while being cost-effective for our clients. Our clients that choose to work with us want to make sure they have established a control environment that not only meets AICPA standards, but also makes good business sense to the users of their service and to their internal operations. Our clients also want to ensure their SAS 70 report is a very positive reflection of their business.

    Our deep experience and leadership with accounting technology, business processes, and information security helps us guide our clients to pragmatic SAS 70 reporting solutions. We staff our engagements with highly qualified, experienced personnel, using proven methods for completing the report, so as to deliver the report as efficiently as possible.

    Are you sure your company needs to provide a SAS 70 report?

    We have often found that companies that think they need to provide a SAS 70 report do not meet the standards defined by the AICPA for when a SAS 70 report is applicable. Oftentimes, we can help our clients find a more practical, effective alternative to SAS 70 when this is the case.

  • Please contact us if you would like to receive more information about our SAS 70 services and alternatives to SAS 70 reporting.

  • AICPA Trust Services Certification. Through Trust Services based assessment and reporting, we leverage an internationally recognized framework to ensure our service organization clients are meeting their customers’ needs for security, availability, processing integrity, and confidentiality. A Trust Services assurance report can be used by a company in its marketing and investor outreach materials or other marketing documents, on its web site, or within outsourcing agreements and specific contracts with potential or existing clients.
  • Privacy Management. HA&W’s privacy management services are built on the international best practices embedded in the Generally Accepted Privacy Principles (“GAPP”). GAPP provides criteria and related material for protecting the privacy of personal information. GAPP incorporates concepts from the significant domestic and international privacy laws, regulations, and guidelines. HA&W provides a full range of privacy management services, including privacy strategic and business planning, privacy gap and risk analysis, benchmarking, privacy policy design and implementation, performance measurement, and independent verification of privacy controls, which includes attestation engagements.
an independent member of Baker Tilly International


For more information, call 404-892-9651 (Atlanta, GA) or 941-955-4429 (Sarasota, FL) or send email to info@hawcpa.com. Atlanta, GA: Five Concourse Parkway Suite 1000 Atlanta, GA 30328. Sarasota, FL: 1990 Main Street, Suite 750 Sarasota, FL 34236. Copyright © Habif, Arogeti & Wynne, LLP. All Rights Reserved.