Measuring success

"Measuring success"

Who We Are

   metriQuality prepares companies for IT audits,  collecting required documentation, and implementing controls for information security and compliance with corporate policies and regulatory requirements.

How We Help

   By monitoring what your people and processes do,
we help to ensure compliance with corporate policies and regulatory requirements.

   By measuring resource utilization:

  Are your people working effectively?
  Are your projects and/or vendors delivering the results you expect?

What We Do

Policy Management   Write and review company policies and procedures

Compliance Controls   Monitor, assess, and improve compliance controls

Performance Management   Optimize business operations through performance audits

Security Awareness Training   Train and mentor staff for compliance and information security issues

Vendor Risk Management   Manage outsourced IT projects and third-party service providers

Vulnerability Assessments   Conduct security  assessments and  minimize risk exposure

Corporate Standards   Align corporate standards with generally accepted standards

Incident Response   Plan, coordinate, and respond to security incidents


SSAE 16 Audits

   The American Institute of CPAs (AICPA) is the only professional organization sanctioned to independently attest and certify that a service provider has effective controls in place to securely collect, process, and destroy information technology assets (including data) on behalf of a service provider's customers.

   Formerly known as SAS 70, an SSAE 16 certification is highly-sought by IT service providers -- especially cloud vendors, to assure their customers that reasonable controls have been designed (Type I), and/or tested for their effectiveness (Type II).

Why is this important to you?

Because "pleasing the auditor" is not always in the best interests of your organization or your in fulfilling customers' requirements.

   metriQuality helps organizations "hit the mark" set by external auditors with the least effort, and maximize the business value of an SSAE 16 certification.

   Helpful tips include:

  • Actively negotiate and manage the audit plan in advance.

  • Insist on standards for evaluating policies and controls, and acceptable proofs.

  • Resist the temptation to "please or impress the auditor" by remediating issues before reviewing the auditor's findings.

   One of the major complaints service providers have of SSAE 16 certification audits are: a lack of specificity regarding the standards they are being evaluated against, and what proof is acceptable to individual auditors. There are three reasons for this:

  • Standards are for auditors, guidelines are for auditees.

  • The clause, "in the opinion of the auditor" permeates the standards for performing audits.

  • UI Screenshots of applications, configurations, and reports are the overwhelming "proof of choice" for auditors, which are often inefficient to produce, incomplete, and subject to change.

   Worse yet, an SSAE 16 certification with an accompanying SOC2 report, may not satisfy the requirements of a particular customer concerned with controls mandated by other compliance initiatives such as PCI, FedRAMP, etc.

   Blanket clauses are now routinely inserted into vendor contracts, reserveing the right to audit a company's controls whenever desired. Having an SSAE 16 certification is intended to avoid the disruption associated with multiple customers auditing your organization.