Featured Speaker

Phillip Del Bello

Phil is a Manager in the CLA Specialized Advisory Services – Risk Management group. Phil has over ten years of experience providing IT/Security assurance, consulting, and advisory services. Throughout his career he has been the lead project manager for SOC1 and SOC2 engagements. He has helped clients work through the standard changes from SAS70 to SSAE16 and now SSAE18. He has led both SOC1 and SOC2 engagements for organizations of various sizes, and has an in-depth understanding of the SOC reporting requirements. In addition to his work in the SOC world, Phil performs consulting and advisory services including information security reviews and risk assessments, which involve evaluating current security programs against industry standards and maturity models, providing mitigating and monitoring follow-up action recommendations, and implementing risk management processes throughout organizations.

Technical Expertise
  • Lead project manager for SOC1 and SOC2 engagements. SOC2 engagements have included all five Trust Service Principles as well as SOC2+ engagements with additional criteria including the HIPAA Security Rule, New York State DFS Cybersecurity Regulation, and self-defined criteria. Industries for these SOC1 and SOC2 engagements have included healthcare technology, medical claims processors, data analytics, financial institutions, mortgage servicing, financial technology startups, state governments, and government agencies.
  • SOC readiness assessment engagements including helping first-year SOC1 and SOC2 clients through to draft internal control wording and system descriptions. Experience working with a variety of clients from mature organizations to startups in order to align current controls with SOC2 criteria and report on gaps, as well as developing and identifying key controls in business processes to be included in SOC1 reports.
  • Experience with IT audit engagements, which include risk-based planning techniques, evaluating business process and IT general controls, and reporting to executive management. He has completed IT audit projects related to Enterprise Resource Planning (ERP) system conversions and system upgrades, business continuity and disaster recovery planning, vulnerability assessments, virtualization, logical access and security, system and application change management, physical access and environmental controls, backup and recovery processes, and policy/compliance reviews.
 
Professional Involvement
Phil has presented at regional and national conferences for organizations such as the Institute of Internal Auditors, Association of Government Accountants, ISACA’s Rocky Mountain Information Security Conference, and various others. Topics have included SOC Reporting, Cybersecurity, Risk Assessments, and Vendor Management. Additionally, he is a member of the Maryland Association of Certified Public Accountants, American Institute of Certified Public Accountants, and Information Systems Audit and Control Association.