Page 1079 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

to be used by auditors performing assessments of service organizations with the intent of allowing the organization to conduct an external assessment instead of multiple third-party assessments and then sharing the resulting report with customers and potential customers.

SSAE 16 engagements produce two different types of reports.

Type I reports provide a description of the controls provided by the audited organization as well as the auditor's opinion based upon that description. Type I audits cover a single point in time and do not involve actual testing of the controls by the auditor.

Type II reports cover a minimum six-month time period and also include an opinion from the auditor on the effectiveness of those controls based upon actual testing performed by the auditor.

Type II reports are considered much more reliable than Type I reports because they include independent testing of controls. Type I reports simply take the service organization at its word that the controls are implemented as described.

Information security professionals are often asked to participate in internal, external, and third-party audits. They commonly must provide information about security controls to auditors through interviews and written documentation. Auditors may also request the participation of security staff members in the execution of control evaluations. Auditors generally have carte blanche access to all information within an organization, and security staff should comply with those requests, consulting with management as needed.



When Audits Go Wrong

The Big Four didn't come into being until 2002. Up until that point, the Big Five also included the highly respected firm Arthur Andersen. Andersen, however, collapsed suddenly after it was implicated in the collapse of Enron Corporation. Enron, an energy company, suddenly filed for bankruptcy in 2001 after allegations of systemic accounting fraud came to the attention of regulators and the media.