
Read this if you work for a healthcare organization that serves uninsured or self-pay patients.

The No Surprises Act was passed in 2020 as part of a COVID relief package, with the goal of reducing surprise bills for patients who received medical or surgical services. One part of the act requires healthcare facilities and providers to give Good Faith Estimates (GFEs) to uninsured and self-pay patients starting on January 1, 2022. Read on for frequently asked questions about this topic, an update for 2023, and resources where you can find more information.

Frequently asked questions about good faith estimates for healthcare

What is a good faith estimate?

A Good Faith Estimate (GFE) is a document provided to a patient that details the expected charges for healthcare services provided. It is not a bill.

Who needs to provide GFEs, and to whom?

At this time, GFEs need to be provided to uninsured and self-pay patients. 

The following healthcare facilities must comply:

  • Federally Qualified Health Centers (FQHCs)
  • FQHC Look-Alikes
  • Tribal/Urban Indian Health Centers
  • Rural Health Clinics (RHCs)
  • Hospitals
  • Hospital outpatient departments
  • Critical access hospitals
  • Title X Family Planning Clinics
  • Health care providers who serve uninsured and self-pay patients

How should information about the GFE process be communicated to uninsured and self-pay individuals?

Information about the availability of GFEs for uninsured or self-pay individuals must be:

  • Written in a clear and understandable manner and prominently displayed:
  • On the facility’s website and easily searchable from a public search engine
  • In the office (such as in the patient waiting room), and
  • Onsite where scheduling or questions about the cost of items or services occur, such as at the registration or check-out areas
  • Explained verbally when scheduling an item or service or when questions about the cost of items or services occur
  • Made available in accessible formats, and in the languages spoken by individuals considering or scheduling items or services

How does the US Department of Health and Human Services (HHS) define uninsured and self-pay individuals?

HHS has a two-fold definition:

  • Individuals who have no health insurance coverage
  • Individuals who do have health insurance coverage, but do not want to have a claim submitted to their insurer

Both of these groups of individuals must receive a GFE.

What content is required in a GFE?

A GFE must include the following:

Patient information

  • The patient’s name and date of birth

Services estimated

  • A description of the primary item or service in clear and understandable language and, if applicable, the date the primary item or service is scheduled
  • A list of items or services reasonably expected to be furnished for the primary item or service

Information about services, providers, and estimated charges

  • Applicable diagnosis codes, expected service codes, and expected charges associated with each listed item or service
  • The name, National Provider Identifier, and Tax Identification Number of each provider or facility represented in the GFE, and the State and office of the facility’s location where the items or services are expected to be provided
  • Lists of items or services that the provider or facility anticipates will require separate scheduling and that are expected to occur before or following the expected period of care for the primary item or service. (A disclaimer should state that separate GFEs will be issued upon scheduling or upon request of the listed items or services.)

Disclaimers

  • A disclaimer that there may be additional items or services that the provider or facility recommends as part of the course of care that must be scheduled or requested separately and are not included in the GFE
  • A disclaimer that the information provided in the GFE is only an estimate and that actual items, services, or charges may differ from the GFE
  • A disclaimer that the individual has a right to initiate the patient-provider dispute resolution process if the actual billed charges are substantially in excess of the expected charges included in the GFE.
  • “Substantially in excess” is defined as at least $400 more than the total amount of expected charges.
  • This disclaimer must include instructions about where an uninsured or self-pay individual can find information about how to initiate the patient-provider dispute resolution process and state that the initiation of the patient-provider dispute resolution process will not adversely affect the quality of health care services that are furnished.
  • HHS strongly encourages providers and facilities to include an email address and telephone number for someone within the provider’s or facility’s office that has the authority to represent the provider or facility in a billing dispute.
  • A disclaimer that a GFE is not a contract and does not require the uninsured or self-pay individual to obtain the items or services identified in the GFE.

HHS encourages sliding fee discount providers and facilities to include information about the provider’s or facility’s sliding fee schedule and any other financial protections that it offers. Sliding fee discount providers and facilities have flexibility to determine how best to demonstrate the expected charges associated with each listed item or service, and to determine what additional information to include, if any.

What are the required methods for providing a GFE?

A GFE must be provided in written form either on paper or electronically, based on the individual’s requested method of delivery and within the required time frames. GFEs that are provided electronically must be provided in a manner that the individual can both save and print. A GFE must be written using clear and understandable language that can be understood by the average uninsured or self-pay individual.

If the individual requests a GFE in a method other than on paper or electronically (such as by telephone or verbally in person), the provider or facility may verbally inform the individual of the information contained in the GFE. However, the provider or facility must also issue the GFE in written form.

What is the timeline for providing a GFE?

When providing a GFE to an uninsured or self-pay patient, the following time frames must be followed.

  • If the service is scheduled at least 3 business days prior to the date that the item or service will be furnished: the GFE must be provided not later than 1 business day after the date of scheduling
  • If the service is scheduled at least 10 business days prior to the date that the item or service will be furnished: the GFE must be provided not later than 3 business days after the date of scheduling

Please note, when a GFE is requested by an uninsured or self-pay patient, a GFE must be provided not later than 3 business days after the date of the request.

How long should a provider or facility retain a copy of GFEs?

A GFE is considered part of the patient’s medical record and must be maintained in the same manner. At the request of an uninsured or self-pay individual, the provider or facility must provide a copy of any previously issued GFE within the last six years.

Update for 2023

  • As of the start of 2023, all of the preceding requirements remain in place.
  • As of January 1, 2023, HHS has paused enforcement on the next phase of GFE implementation.

The next phase of GFE implementation, which began on January 1, 2023, requires that GFEs for uninsured and self-pay patients include expected charges from co-providers or co-facilities that are part of an episode of care for a patient coordinated by a provider or facility. However, on December 2, 2022, HHS paused its enforcement of this requirement based on comments it received during the rulemaking process indicating that compliance with this provision was likely not possible by January 1, 2023.

HHS is extending enforcement discretion, pending future rulemaking, for situations where GFEs for uninsured or self-pay individuals do not include expected charges from co-providers or co-facilities. We will provide an update when HHS issues any communication about changes to GFE-related enforcement.

Helpful resources for FQHC, RHCs, and other healthcare facilities

If you have questions about the information provided in this article or are interested in an external review of your healthcare facility’s compliance with current GFE requirements, please contact Robyn Hoffmann or Mary Dowes.

Healthcare Good Faith Estimates (GFEs): Updates for 2023

Read this if you are a provider who works with MaineCare and files an annual cost report.

Each year the Department of Health and Human Services (DHHS) Division of Audit releases updated MaineCare cost report templates in Excel format. In the most recent revision of the templates, DHHS has made some significant changes that providers should be aware of when preparing to file their cost reports. We’ve highlighted them here.

  • Supplemental Payments (Schedule GG)—DHHS has updated the format of Schedule GG to a new simplified form where providers no longer need to report expenses in each individual cost center, but rather will only need to identify the total expense in each component (i.e., direct, fixed, routine, and PCS for Residential Care Facilities (RCF) Appendix C). DHHS has designated specific cost centers for each offset in each component. In addition, there are now multiple Schedule GGs, including a separate schedule for each level of service within each template. Each level of service must complete one schedule for the payments received in the first round (September and October 2021) and a second to reflect the payments received in the second round (August 2022). Each Schedule GG includes a line to report supplemental payments earned in a prior period and a reconciliation of any amounts unearned.
    • Providers who have already filed their 2022 cost reports and wish to adjust their Schedule GG can refile just Schedule GG on the simplified form. An entire updated cost report is not necessary or suggested, as the Division of Audit will incorporate the updated Schedule GG at the time of audit. This also applies to any providers wishing to amend and refile their 2021 Schedule GG.
  • RCF High MaineCare Utilization (HMU)—Effective 7/1/2022, HMU is a new component of the RCF rate pursuant to 2022 P.L. Ch. 635. The new HMU payment required DHHS to update the cost report forms to include a settlement of these payments. As such, DHHS has added a new schedule, Schedule HH, to all RCF Appendix C cost reports, including multi-level cost reports, that report HMU earned. In addition, a table was added to the bottom of Schedule L-R&B to calculate the payments received. The payments received flow to Schedule HH, where a settlement is calculated that flows to the RCF room and board settlement page.
  • Minimum Occupancy Penalty—Per the Office of MaineCare Services News Release from November 15, 2022, the Office of MaineCare Services is temporarily waiving the minimum occupancy penalty for nursing facilities (NF), found in Chapter III, Section 67, principle 18.9, through the end of the federal Public Health Emergency (PHE). Additionally, DHHS is temporarily waiving the minimum occupancy penalty for RCF, Private Non-Medical Institution (PNMI) Appendix C facilities, found in DHHS Rule Chapter 115, principle 34.3, through the end of the federal PHE. In order to accommodate this within the cost report, the penalty calculation has been removed from Schedule G (NF), Schedule X (multi-level), and Schedule A (RCF free-standing). 
  • Revenue—DHHS also added a new schedule, Schedule D (B-1 on the ICF template), which is a summary of revenue by payor.

There were also some minor changes made last summer including:

  • Schedule F & R (NF), Schedule E (RCF/PNMI), and Schedule B (Intermediate Care Facilities (ICF))—Added a new cost center to the fixed costs section for “COVID Staff Universal & Surveillance Testing.” 
  • Schedule B (NF)—Added a Direct Care add-on column for the AAAA add-on (125% of minimum wage) based on updated rate letters. 
  • Schedule E (NF)—Removed the median question due to LD 684. There is now no need to be under the medians to qualify for ultra-high MaineCare utilization (over 80% utilization). 
  • Schedule J (NF and ICF), Schedule L-PNMI (RCF/PNMI), and Schedule B (Appendix F)—Updated wording from TRI (temporary rate increase) to ECA (extraordinary circumstances allowance) funding.

Cost reports must be submitted in Excel format, and DHHS is no longer accepting locked or protected cost report files or files that have hidden tabs. Cost reports and supporting documentation should be filed using MOVEit. If you have not yet established a MOVEit account with DHHS, please reach out to Lucas Allen, Manager of Data Analytics.

Please note the following specifications for online submission to MOVEit:

  • Each filename will need to contain: facility/agency name, four-digit year, what the document relates to, and what the document is (e.g., cost report).
  • Files cannot be a zipped file.
  • Files cannot be password protected or restricted in any way.
  • No folders are to be uploaded.
  • It is recommended that supporting documentation be combined into one PDF document with appropriate bookmarks for each supporting document, but this is not a requirement. If the supporting documentation is not in one PDF file, label all files with the facility/agency name, four-digit year, and what the document is.
  • Files need to be in one of the following formats to ensure they are machine readable: Microsoft product or Adobe PDF.

As a reminder, when submitting your cost report and supporting documentation:

  • Complete all schedules in the cost report. If a specific schedule does not apply to your facility, mark “N/A” on the schedule.  
  • Do not alter the schedules in the cost report.  
  • Submit a completed cost report checklist, and place a checkmark for each section that applies to your facility or “N/A” for any section that does not apply.  
  • Submit all supporting documentation identified on the checklist in an acceptable format (Microsoft product or Adobe PDF).

If you have any questions on these changes or would like to talk about your specific needs, please contact our senior living team. We are here to help.

MaineCare cost report templates: What providers should know about the current year changes

Read this if you are at a financial institution and concerned about fraud.

Financial fraud by the numbers

Back in 2021, BerryDunn’s David Stone wrote about occupational fraud at financial institutions. That article mainly cited information from the 2020 Report to the Nations: Banking and Financial Services Edition (2020 Report) published by the Association of Certified Fraud Examiners (ACFE). Fast forward to 2023, and the ACFE’s 2022 Report to the Nations (2022 Report) shows that occupational fraud continues to be a concern.

Financial institutions account for 22.3% of all occupational fraud worldwide, up from 19% in the 2020 Report. These fraud cases have a median loss of $100,000 per case—the same as in the 2020 Report. The number of cases decreased from 368 in the 2020 Report to 351; however, financial institutions remain the industry most susceptible to occupational fraud.

What does a fraudster look like, and how do they commit their crimes? How do you prevent fraud from happening at your organization? And how can you strengthen an already robust anti-fraud program? These questions, raised in David’s 2021 article, remain relevant today. 

Profile of a fraudster

One of the most difficult tasks any organization faces is identifying and preventing potential cases of fraud. This is especially challenging because most employees who commit fraud are first-time offenders with no record of criminal activity, or even termination at a previous employer.

The 2022 Report reveals a few commonalities between fraudsters. The amounts from the 2020 Report are shown in parentheses for comparison purposes:

  • 6% of fraudsters had a prior criminal background (3%)
  • Men committed 73% of fraud and women committed 27% (71%, 29%)
  • 37% of fraudsters were an employee, 39% worked as a manager, and 23% operated at the executive/owner level (56%, 27%, 14%)
  • The median loss for fraudsters who had been with their organizations for more than five years was $193,500 compared to $75,000 for fraudsters who had been with their organizations for five years or less ($150,000, $86,000)

Employees who committed fraud displayed certain behaviors during their schemes. The ACFE reported these top red flags in its 2022 Report:

  • Living beyond means—39% (42%)
  • Financial difficulties—25% (33%)
  • Unusually close association with vendor/customer—20% (15%)
  • Divorce/family problems—11% (14%)

These figures give us a general sense of who commits fraud and why. But in all cases, the most pressing question remains: how do you prevent the fraud from happening?

Preventing fraud: A two-pronged approach

As a proactive plan for preventing fraud, we recommend focusing time and energy on two distinct facets of your operations: leadership tone and internal controls.

Leadership tone

The Board of Directors and senior management are in a powerful position to prevent fraud. By fostering a top-down culture of zero tolerance for fraud, you can diminish opportunity for employees to consider, and attempt, fraud.

It is crucial to start at the top. Not only does this send a message to the rest of the company, but frauds committed at the executive level had a median loss of $337,000 per case, compared to a median loss of $50,000 when an employee perpetrated the fraud. This is compared to a median loss of $1,265,000 and $77,000 per case, respectively, in the 2020 Report.

Internal controls

Every financial institution uses internal controls in its daily operations. Override of existing internal controls, lack of internal controls, and lack of management review were cited in the 2022 Report as the most common internal control weaknesses that contribute to occupational fraud.

The importance of internal controls cannot be overstated. Every organization should closely examine its internal controls and determine where they can be strengthened—even financial institutions with strong anti-fraud measures in place.

The experts at BerryDunn have created a checklist of the top 10 controls for financial institutions, available in our whitepaper on preventing fraud. This is a list we encourage every financial leader to read. By strengthening your foundation, your company will be in a powerful place to prevent fraud. 

Read more to prevent fraud

Employees are your greatest strength and number one resource. Taking a proactive, positive approach to fraud prevention maintains the value employees bring to a financial institution, while focusing on realistic measures to discourage fraud.

In our free white paper on preventing financial institution fraud, we take a deeper look at how to successfully implement a strong anti-fraud plan. Download the white paper here.

Commit to strengthening fraud prevention and you will instill confidence in your Board of Directors, employees, customers, and the general public. It’s a good investment for any financial institution. If you have questions about your specific situation, please visit our Ask the Advisor page to submit them, or contact a member of the Financial Institutions team. We’re here to help.

Preventing fraud at financial institutions 2023 update: An anti-fraud plan is the best investment you can make

Read this if you are a financial institution.

Whether you think of New Year’s resolutions or goal setting, it’s that time of year where we traditionally take time for reflection (current state, desired state) in order to take action on the change we want to see. Understandably, as many institutions have been so focused on developing and understanding their CECL model and results, evolving the internal control environment may have, well, lagged a little. Which is why, in the spirit of starting the new year on the right foot, now is the perfect time to think about internal CECL controls.

CECL internal controls: Where to start?

Let’s acknowledge this right away: there is no “best” place to start. Some folks like to review what controls they already have in place and then think about how best to evolve or tweak them. Others may prefer to take a clean slate approach—map out the CECL workflows, identify risks, and then determine what controls are needed. One way to bridge these approaches is to map out the process, risks, and controls first, then compare that to what you already have and make the necessary adjustments. We’ve seen all of these approaches work, but there are some pros, cons, and pitfalls to consider for each.

Existing controls

If you choose to begin by reviewing and tweaking the controls you already have, one pitfall is that you may not challenge your thinking enough to recognize where new risks have been introduced with your CECL methodology. For example, how does the CECL calculation—and all the new data you are now relying on—impact controls? Is your area responsible for making choices about all those numbers, values, and codes, or are those calculations, choices, and decisions taking place in other areas where controls may need to be developed, or reviewed and enhanced for CECL?

Another good example: if you’ve invested in software, have you recognized the need for new controls over data flow in and out of that system, including the manual calculations you’re doing outside of the system and then keying those results into the system as model inputs? We have found that some people go into this approach thinking it will save them time—like a short-cut—only to realize later they’ve missed the opportunity to identify one or more key risks/controls.

Clean slate mapping

Speaking from experience, this approach can take some time but may be a great way to ensure your thinking is not limited by “what you’ve always” done or had in place. That said, we can appreciate that while staring at a blank page is energizing to some, it can feel overwhelming to others. Moreover, that overwhelmed feeling may be the underlying reason why it is tough to engage in this approach.

Here’s the big tip: put some sort of starting point on paper (maybe even the middle of the paper) understanding that as you think about it, you could be adding to the workflow before, above, under, or past that starting point. It’s okay that you don’t know all the related workflows because you’re identifying that there are related workflows whose risks/controls may be in other areas that need to be further explored. Maybe take this activity, initially, to a conference room with a big dry-erase board (there are online versions of this, too)! 

Now, just like those new year’s resolutions for increased exercise that sometimes are easier to stick to when you have an accountability partner—is there someone in your organization that is particularly adept at creating workflows whose strengths and talents you can tap into to help you create this one? 

Tips for helping ensure CECL internal control success

No matter which approach you end up taking, here are some of our top tips for helping ensure CECL internal control success:

Communicate: Outreach and awareness are foundational to engaging others in this process. It is understandably easy for people not directly involved in the day-to-day CECL calculation to not even realize they have a key role to play when it comes to CECL controls.

Cooperate: Invite others into the process, especially when it comes to helping you evaluate how changes under CECL relate to work they do day-to-day. Work together to simply understand or clarify how the pieces fit together. 

Collaborate: There are lots of ways to design, test, and monitor internal controls. Lean into the strengths and talents of others to help create efficient and effective controls that can save you and others a lot of time and headache. I recommend this no matter how mature the control practice is—there may be ways to make it better and easier.

Coach, train, and support: I advise against the “control dump and run”—letting someone know they have one or two new controls, and then leaving them to it. Certainly, there is value in having to solve something from the ground up. However, helping others connect the dots between why controls are important, ways to evaluate and structure them, and who in the organization can collaborate with them to make them as easy and effective as possible, goes a long way toward getting the most value out of your control environment.

Seek advice: CECL is new for almost everyone, and controls are not a one-size fits all. Engaging someone experienced in both CECL and controls can help challenge your thinking, open your eyes to pitfalls, prevent over-engineering, provide perspective, and help you transition as you grow. 

No matter your CECL challenge or pain point, our team of experts is here to help you navigate the requirements as efficiently and effectively as possible. For more information, visit the CECL page on our website. If you would like specific answers to questions, please visit our Ask the Advisor page to submit your questions.

For more on CECL, stay tuned for our next article in the series, or enjoy our CECL Radio podcasts. You can also follow Susan Weber on LinkedIn.

Resolve to consider internal CECL controls

Read this if you are a part of the gaming industry.

BerryDunn has been serving the gaming and lottery industry for over 25 years. Our experience performing SOC examinations in the gaming and sportsbook industry provides you with trusted professionals who understand your environment, regulations, and customer expectations. As more states pass legislation allowing for sports betting, new rules and regulations are included in the legislation. These rules and regulations are typically focused on maintaining the integrity of systems and public confidence in the sportsbooks and other vendors. SOC 2 has quickly become the international standard for reporting on internal controls over security, availability, processing integrity, confidentiality, and privacy. States have included wording in proposed rules and regulations requiring SOC 2 examinations to be completed annually by key vendors.

What is SOC 2?

Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service criteria” (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. 

Organizations design their own controls to address specific, pre-defined criteria within one or more TSC (Security is the minimum required TSC). The SOC 2 report provides sportsbook providers with important information about how they manage data and systems and is shared with their customers and other relevant stakeholders such as regulatory bodies and auditors. We have explained how each TSC applies to a sportsbook environment below:

Security (often referred to as the common criteria)

The security TSC focuses on the protection and management of information and systems. This includes criteria on policies and procedures, operations, change management, incident management, logical security, and risk mitigation.

Applicability to sportsbook environments
Sportsbooks require a secure approach to help ensure that all data in the environment is securely designed, managed, and protected. Whether you are processing, managing, or storing data for your customer’s back-office administration, data feed providers, or traders, or players are making transactions in the environment, all data must be secure.

Controls may include human resource, board, or management oversight, policies and procedures, third-party risk management, user access management, securing your environment (assessing firewall, anti-virus, intrusion protection, vulnerability scanning), operational management and incident handling, and change management. 

Availability

The availability TSC refers to ensuring both information and systems are available for operation and accessible to users. 

Applicability to sportsbook environments
As a sportsbook, you provide your customers with an environment that requires continuous uptime, with system and business recovery measures in place for full system recovery and, where required, failover to backup hot sites. This TSC allows you to demonstrate to your customer the controls in place for your own environment, service providers (data centers), and data feed providers.

Controls may include high-availability clusters, backup processes, operational monitoring, incident management, capacity management, and data recovery.

Processing integrity

The processing integrity TSC addresses whether the system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. 

Applicability to sportsbook environments
As a sportsbook, the integrity and correctness of data and transaction processing are essential to your system. Whether that processing entails odds, quotations, results, bets placed, or payouts—all data within the sportsbook requires accurate and consistent processing.  

Controls may include database logs of all transactions with unique IDs, game changes, failure messages, results processing, system checks and balances, and reporting functionality. 

Confidentiality

The confidentiality TSC assesses whether information designated as confidential is protected to meet the entity’s objectives. (Confidentiality focuses on protecting business-sensitive data, trade secrets, and proprietary information that is not for public consumption.)

Applicability to sportsbook environments
Confidentiality in a sportsbook environment includes confidentiality for the bettors and confidentiality of the business. Sportsbooks hold the transactional data of players’ accounts, which is confidential to the individual. Additionally, other data you or your customer have contractually committed to protecting requires stronger safeguards than non-critical data. Most often, in sportsbooks we focus on the confidentiality of transactions, movement of data from one location to another, encryption at rest and in transit, and the destruction of data in a secure manner.

Controls may include policies and processes for the handling, maintenance, storage, backup, distribution or transmission of data, and destruction of confidential information.

Privacy

The privacy TSC addresses how personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives and is designed to protect against unauthorized use or access.

Applicability to sportsbook environments
Privacy focuses on how an organization manages Personally Identifiable Information (PII). Sportsbooks house PII of their players (bettors) including name, address, birth date, social security number, banking information, or other government-issued identification, among other types of data. PII is used to validate a player’s identity and location. In many instances, third parties may be used for player validation, and controls may also focus on third-party management and due diligence.

Controls may include policies and procedures, safeguards in place to protect PII, role-based access, disclosures, choices and consent, monitoring, and enforcement.

Do I already have required controls in place? 

In many cases, you likely already have many of the needed internal controls in place because of the nature of the highly regulated gaming industry. A SOC 2 examination can easily leverage the controls you already have in place for other frameworks and requirements, such as NIST, ISO, and PCI.

Preparing for a SOC 2 examination may take a significant amount of time (six months to a year), and we highly recommend you complete a readiness assessment first. In a readiness assessment, we take inventory of the controls you currently have in place for all aspects discussed above and map each control to its TSC. Where gaps may be present, guidance is provided on ways to implement new controls or to enhance current practices. More information on preparing for a SOC 2 can be found here.

Contact us for a SOC 2 readiness assessment 

Our team has conducted over 50 iGaming and Sportsbook SOC audits and has over 10 years of experience in the industry. Using industry experts for SOC 2 examinations allows you to get the most value from the process and helps you refine controls to reflect industry best practices. Please contact Josh Clark if you have questions about SOC 2 or your specific operation.

Sportsbook SOC 2 compliance: An introduction