Client Solutions Delivered
- A multi-national accelerated filer (28 countries) needed to implement SOX controls. Standardizing controls across its IT sites saved the company $1M in assessment costs. The COBIT framework was used to design the controls.
- A food manufacturing company had well-established controls for SOX and needed IT audit resources to review and test controls.
- A third-party administrator of insurance services used internal audit resources to test SAS70 (Type II) controls.
- An aviation manufacturer needed help refining its very large SOX control structure. Controls were optimized, documented, tested and recorded in the client’s Paisley system.
- Numerous community bank IT audit assessments using the FFIEC framework
- Planned, coordinated and completed an extensive Sarbanes-Oxley review of IT controls for service organizations with locations in North America and Europe.
Payment Card Industry (PCI)
- Retail/wholesale textbook distributor requested PCI guidance and thought leadership
- State government Level 1 Service Provider sought guidance and assessment services for PCI
- Casino Level 3 merchant required PCI consulting and guidance
- Health care product Level 3 merchant needed a PCI assessment of a web-based application hosted by third-party managed services company
- National bank holding company requested PCI consulting and a gap assessment. The bank was an issuer, service provider and merchant with a flat network and commingled data. The engagement was split into two parts: 1) assist with setting up a segmented network for one application; 2) assess the remainder of the environment and rationalize it into the different PCI roles and processes that touched PCI data. Additional projects were created to eliminate credit card data wherever possible and to segment issuer data.
- PCI Readiness Assessment for web-based sales environment
- Policies and procedures development to meet PCI compliance requirements for several different companies
- Monitoring of internal controls for management
- IT operations procedures (global organization)
- ISO 9001 concepts (800+ trained)
- Records retention procedures (800+ trained)
- PCI training for banks and businesses
- Global pharmaceutical testing organization required data center and process audits at global IT service provider sites
- Provided oversight of data center disaster recovery testing process for global IT service provider (14 sites in 4 countries)
HIPAA / HITECH
- HIPAA/HITECH gap assessments for community hospitals and health care facilities
Software Development Life Cycle
- Raised the quality of in-house developed software and met the FDA’s 21 CFR Part 11 compliance expectations by setting software quality assurance testing standards at a multi-national corporation with 6+ development centers
- Managed user acceptance testing and validation reporting over 10 releases of a proprietary software system for Contract Research Organization
- Project Management for non-accelerated filer (SOX), multi-year relationship including scope, risk assessment, documentation and testing of IT controls
- Ethanol producer required a SOX assessment prior to their year-end. Timelines were extremely tight, but the assessment was completed on time. We were also able to work with their outside assessor regarding remediation activities.
- Requirements and validation management over 10 releases of a proprietary software system
- Largest bread and cake distributor in the US had 400+ different collective bargaining agreements that needed to be organized and analyzed. We researched and presented options and helped negotiate the relationship with the vendor and the implementation.
- Wholesaler/retailer needed to fill an IT Security Officer role and requested help with researching requirements and responding to incidents. The first step was to create an incident response plan, so that processes and roles are defined in the event of a breach.
- Global IT Services provider requested help implementing their records retention schedule at a local site. Record types were identified, official repositories were created, and electronic and paper records were disposed of according to the schedule. Processes were established to maintain compliance with the schedule.
- Third-party administrator of insurance services required implementation of ISO 9001 Quality Management System for the services they provided. An on-line version of the manual was created. Effective and frequent communication as well as training and practice sessions helped to prepare everyone in the organization for the official assessment. The organization passed their assessment on the first try.