We are focused on delivering performance-enhancing consultation that simultaneously addresses your IT and business agendas. We work directly with CIOs and others to create a more risk-aware, effective IT organization that can nimbly drive process efficiencies throughout your company and better support and deliver transformational business change. From cloud computing to mobile payment information, data integrity and information security have never been more crucial. With a range of specialized IT advisory services, Weaver can help you distinguish IT as the strategic advantage your company needs to succeed in the age of big data.
Our IT Advisory Services include:
Are system security vulnerabilities adequately addressed within your organization? Is your organization aware of the risks associated with these security threats and vulnerabilities?
The risk depends on the types of information your organization has. If you have sensitive information about customers, consumers, clients or patients; intellectual property or designs that would be commercially damaging if lost; or if your organization operates critical systems for which unplanned downtime is unacceptable based on customer SLAs or based on cost, then the impact of a security incident can be quite high. Security threats and vulnerabilities therefore pose a higher risk to such organizations and they should perform regular assessments to ensure they are not unnecessarily exposed.
Weaver’s security professionals can perform a variety of procedures to assist your organization in improving its information security profile, including, but not limited to, the following:
- Network architecture review
- Internal and external vulnerability assessment scanning
- Information security policy and procedure evaluation (using ISO 27001)
- Social engineering
- Network penetration testing
Deliverables for our security engagements include tailored reports written by our security professionals which describe the results of our assessment. As an accounting firm, we strive to ensure that our deliverables can be understood and used by IT professionals as well as senior management and the board. Although we use automated scanning tools to perform many of our procedures, we believe that our analysis and interpretation of the output from those tools is the value-added component that differentiates our service. We do not provide “canned” output, except as supporting documentation. Our recommendations are based on practical solutions which we discuss with your personnel prior to the completion of fieldwork.
Our IT audits focus on the technology risks that pose the greatest threat to your organization's critical objectives, and deliver comprehensive, actionable recommendations for areas of improvement. IT audits can be performed as standalone engagements or in conjunction with other services including financial statement audit, Sarbanes-Oxley compliance, internal audits, or Service Organization Controls (SOC) engagements. IT audits may be required to fulfill regulatory obligations or contractual requirements, or may be conducted simply as a best practice to address the concerns of management or the board. The scope of an IT audit can be broad in nature (i.e. an IT general controls assessment) or narrower (e.g. focused on a specific application or function).
Common IT audit engagements include the following:
- IT Risk Assessments
- IT Governance & Effectiveness audits
- Information Security reviews
- System and Organization Control (SOC) examinations
- General Computer Controls assessments
- Data Privacy audits (e.g. HIPAA, PCI, GLBA compliance)
- Pre- and Post-Implementation Application reviews
- Business Continuity and Disaster Recovery Plan assessments
- Application Security and Segregation of Duties evaluation
Weaver’s IT audit team comprises ex-Big 4 IT auditors and home-grown talent. This combination of backgrounds allows us to field a team that has the experience to be very effective in complicated IT environments, yet is practical enough to serve small and mid-size organizations too. We always provide recommendations to address the findings of our IT audits, and we strive to ensure that our recommendations are practical, agreeable and actionable before concluding our work.
The International Organization for Standardization (ISO) 27001 standard is the most widely accepted across the world for developing an information security management system. ISO 27001 certification can be beneficial to businesses working with international customers because it signifies that your organization uses standards common with other organizations across the globe. Certification follows a specific process, which includes an audit.
Whether pursuing the actual ISO 27001 certification or simply implementing security management procedures according to best practices, Weaver’s information security professionals can help.
Our seasoned IT advisory team can help your organization identify potential gaps in the current environment through scoping and planning exercises, development of a risk assessment against the ISO process areas, and an evaluation of current security practices.
The ISO 27001 standard contains 11 domains that must be addressed. The ISO domains align with other IT and security management frameworks your organization may use including COBIT, ITIL, CSA’s CCM, and the AICPA’s Trust Principles and Criteria (SOC 2).
- Security policy - management direction
- Organization of information security - governance of information security
- Asset management - inventory and classification of information assets
- Human resources security - security aspects for employees joining, moving and leaving an organization
- Physical and environmental security - protection of the computer facilities
- Communications and operations management - management of technical security controls in systems and networks
- Access control - restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance - building security into applications
- Information security incident management - anticipating and responding appropriately to information security breaches
- Business continuity management - protecting, maintaining and recovering business-critical processes and systems
- Compliance - ensuring conformance with information security policies, standards, laws and regulations
Weaver’s professionals will help your organization integrate the ISO 27001 requirements into everyday processes, improving the rate of adoption and reducing the rate of error. The resulting deliverable for this effort is a roadmap that will detail potential weaknesses against the ISO requirements and provide recommendations to strengthen the security of your organization. We can also customize an implementation timeline based on your company’s available resources or objectives.
Many wonder about the hype around cloud computing … what is it exactly, who needs it and how do you take advantage of it? Cloud computing potentially offers substantial advantages, including lower IT costs and greater business flexibility. Fully benefiting from cloud computing, though, requires understanding how the service is provided, what an organization’s needs are, the potential vulnerabilities associated with such a migration, and how various compliance and assurance needs must be met.
Weaver’s IT advisory professionals play a wide variety of roles relating to cloud computing including third party assurance for cloud providers, SLA and KPI analysis for cloud users, cloud service provider selection services, and more. Our IT advisory professionals can help you understand the business advantages and risks associated with migrating IT functions to a cloud environment. With the right planning and preparation, organizations are more likely to attain the benefits of cloud computing without the unforeseen difficulties.
“Big data” is an increasingly popular consulting buzzword associated with using data analytics to generate “big opportunities” for businesses. Beyond the buzzwords, organizations cannot afford to ignore the value of their information, regardless of industry or size. The Weaver Analytics team focuses exclusively on performing data analytics-based services to assist clients with analyzing large volumes of data. Our procedures can help establish effective tools to monitor key performance indicators, recognize potential fraud, assist in error detection, present potential efficiency opportunities, and provide useful and objective insights into the operations of businesses that can be found in routinely collected data.
No client is too big or too small. In a digital world, organizations of all sizes generate and have access to tremendous amounts of data. Our team of specialized analytics professionals stands ready to provide advisory services specifically tailored to your company’s needs. Our customized procedures can be performed by our professionals in your IT environment, or we can extract data from your systems and perform analytics procedures on our secure servers.
Is your company compliant with the PCI Data Security Standard (PCI-DSS)? As a certified PCI QSA firm, Weaver’s IT Advisory team now offers a service that provides payment card industry (PCI) data security assessments and assistance in complying with these stringent standards.
Among the requirements of the new PCI-DSS standard:
- Building and maintaining a secure network using firewalls to protect cardholder data, and ensuring that vendor-supplied defaults for system passwords and other security parameters are not used.
- Protecting cardholder data and encrypting its transmission across open, public networks.
- Maintaining a vulnerability management program with secure systems and applications, plus regular updates to anti-virus software and programs.
- Implementing strong access control measures by restricting access to cardholder data (both electronic and physical) on a "need to know" basis.
- Regularly monitoring and testing networks and tracking all access to cardholder data.
Our IT Advisory professionals bring a different level of service to our clients because of our roots as an audit firm. We approach payment card security from a different angle, offering our clients a more holistic, in-depth service offering.
Meet our PCI QSA Certified Providers:
Brian Thomas, CISA, CISSP and partner; and Brittany George, CISA and senior manager, both in Weaver’s IT Advisory services department, have met the necessary requirements to earn the Qualified Security Assessor (QSA) certification from the PCI Security Standards Council. This achievement positions us as one of the few select accounting firms to offer this level of certification as a QSA firm.
QSA companies are organizations that have been qualified by the Council to have their employees assess compliance with the PCI Data Security Standard (PCI DSS). Qualified security assessors are employees of these organizations who have been certified by the Council to validate an entity’s adherence to the PCI DSS. Qualified security assessors can be verified through the PCI Security Standards website.
If your organization provides outsourced services to other businesses, chances are you’ll be asked to demonstrate that you maintain a sound environment of internal control over the transactional data you manage or the systems you host on their behalf. The American Institute of Certified Public Accountants (AICPA) has created multiple reporting options to enable you to demonstrate transparency to your customers and prospects.
Companies of all sizes sometimes need a little extra guidance navigating the IT landscape. Weaver’s CIO Advisory Services team is there to help fill those gaps, whether it’s an interim Chief Information Officer or assistance creating a strategic technology plan.