Debt Collection and Audits for Collection Agencies

Debt Collection and Audits for Collection Agencies

Debt collection agencies with sensitive data need to be familiar with how PCI, FISMA, SSAE 16/SOC 1 and SOC 2 apply to them.

If you’re performing collections, you’re no stranger to regulatory compliance and the proactive supervision of government agencies such as the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), and the Office for Civil Rights (OCR). It’s critical to consider how you’re protecting consumer data, what information security audits are available and which will best fit your organization based on the type of debt you’re collecting.

Engaging an independent third-party to perform one of these many audits is not necessarily a requirement for collecting debt. However, it is highly recommended to ensure that the controls you have in place to protect sensitive data are appropriate and operating effectively.

Which audit is right for me? What are the most commonly requested audits?  How can I prepare?

Whether you’re collecting medical, credit card, student loan, or commercial debt, familiarize yourself with these information security audits to understand which one is right for you.


The Payment Card Industry Data Security Standard (PCI DSS) was jointly developed by the payment card brands to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS v3.2 is the current version, and applies to any merchant who stores, processes, or transmits cardholder data, and any service provider who stores, processes, or transmits data on behalf of a merchant. As a debt collection agency, you can be either a merchant or a service provider. You’re considered a merchant if you’re accepting credit cards as payment, and a service provider if you’re loading account numbers into your system to collect on. PCI DSS is a robust information security standard with approximately 394 controls, 12 Requirements, organized under six Control Objectives.

If you’re collecting on credit card debt, or accepting or processing payment cards, you must comply with PCI. You may become “PCI Compliant” by completing a Self-Assessment Questionnaire (SAQ). There are nine basic versions (with variations), and can either be signed by a Qualified Security Assessor (QSA) or can be a self-attestation. You may also become “PCI Certified”, and upon completion will receive an official Report on Compliance (RoC) from a QSA.


The Federal Information Security Management Act (FISMA) is a U.S. federal law, enacted in 2002, to protect government information and assets from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems to protect the three pillars of information security; Confidentiality, Integrity, and Availability. FISMA is the law; NIST Special Publication 800-53 is the comprehensive standard that contains the individual security controls required to comply with FISMA. Certification is achieved when an Authorization to Operate (ATO) is signed by a federal agency’s senior management official.

If you’re collecting on student loan debt, working with the federal government, a federal contractor, or a sub-service provider of a federal contractor, you are required to meet the National Institute of Standards and Technology (NIST) 800-53 standards.

There’s not a cookie cutter approach to determining which information security audit is right for you. The important things to consider are best practice recommendations, who these audit frameworks apply to, and the type of debt you’re collecting. Whether you choose to undergo an information security audit or not, the best place to start is making sense of the alphabet soup.


An SSAE 16 (SOC 1), or Statement on Standards for Attestation Engagements No. 16, is the most commonly used framework for U.S. service providers. SSAE 16 reports were primarily designed to report on the controls of a service organization that are relevant to their client’s financial reporting. SSAE 16 engagements are performed solely by CPA’s and intended to aid service organizations in eliminating potential errors to protecting client data and attest to the effectiveness of the controls. There are two types of SSAE 16 (SOC 1) reports, a Type I and a Type II. Similar in the presentation of each control objective, a Type I attests to the controls as of a specific date in time, whereas a Type II attests to the controls through a specified period of time, offering a description of the tests performed for each control and the results of the tests.

If you’re working directly with a bank, have a client specifically requesting an SSAE 16, or are simply looking for a good place to start, I recommend pursuing an SSAE 16 audit. This could apply if you’re collecting on credit card, medical, student loan, or commercial debt. The SSAE 16, as many audit types do, utilizes a risk-based approach allowing you to identify your areas of risk and determine whether you’re appropriately addressing each risk. The SSAE 16 audit process helps you to design and implement internal control, thusly demonstrating commitment to integrity and ethical values through policy and procedure.


I recommend selecting a SOC 2 audit if your client demands it, prospective clients are requesting, or if you’re specifically collecting on healthcare accounts. A SOC 2 audit, unlike a SOC 1, is prepared in accordance with AT 101, Attest Engagements. Similar to a SOC 1, SOC 2 engagements are performed by a licensed CPA. A SOC 2 reports on non-financial controls, focusing on what are known as the Trust Services Principles; Security, Availability, Processing Integrity, Confidentiality, and Privacy. Is the system protected against unauthorized access (logical and physical)? Is the system available for operation and use as agreed? Is the system processing complete, accurate, timely, and authorized? Is the information designated as confidential protected as agreed? Is personal information that is collected, used, retained, disclosed, and destroyed in conformity with the entity’s privacy notice commitments? This is what is addressed during a SOC 2 audit engagement.

A recommended practice for those working closely with the healthcare industry is undergoing a SOC 2 HITRUST audit. Pairing a SOC 2 with a HITRUST CSF (common security framework) component can help take the guesswork out of HIPAA compliance assessments. The HITRUST framework is a healthcare industry-created compliance protocol designed to address compliance and risk expectations of HIPAA’s Security Rule, variations in business practices, and third-party assurance expectations. Since the SOC 2 is designed to address the aforementioned Trust Services Principles, which are all concepts intrinsic within HIPAA’s Security Rule requirements and the HITRUST framework, it is an incredibly effective report that will provide internal and external value to your organization.

For more information on the importance of audits and their benefits and how to get started on this, contact me today

Sarah Morris is the Managing Editor at KirkpatrickPrice, a valued partner of AIS Network. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices. The original blog post may be found here.