How did we manage to pass the Amazon Audit?


Many sellers are declined for Amazon MWS developer registration or assessment because they violate policies they do not know about: the Acceptable Use Policy or the Data Protection Policy.

We want to share the experience we have with Amazon to help sellers and developers handle the forthcoming influx of Amazon changes and the issues they need help resolving.

What is an Amazon developer’s Audit with a third party?

Developers must maintain all appropriate books and records reasonably required to verify compliance with the Acceptable Use Policy, Data Protection Policy, and Amazon Marketplace Developer Agreement during the period of this agreement and for 12 months thereafter. Upon Amazon’s written request, Developers must certify in writing to Amazon that they are in compliance with these policies.

Amazon may, or may have an independent certified public accounting firm selected by Amazon, audit and inspect the books, records, facilities, operations, and security of all systems that are involved with a Developer’s application in the retrieval, storage, or processing of Amazon Information.

Who is the accounting firm selected by Amazon to audit?

Deloitte is one of the world’s largest auditing and consulting firms. They are a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, and tax services.

A Deloitte audit focuses on risks—things that matter—and minimizes work on what is less relevant. 

Why is an Amazon Seller account audit important?

Your competitors on Amazon are always learning and living inside the Amazon space, which enables their growth on Amazon. For your business to be successful on Amazon, as with any business, your goal is to consistently improve the processes and systems within it.

Our experience, resulting in revenue growth, allows you to build a strategy and roadmap to success in your business, and a clear understanding of all metrics, to help you quickly plan and predict your highest ROI next move so you can grow your business and skip the learning curve of selling on Amazon.

Our experience with the audit

Amazon initiated a developer risk assessment to assess our Technologies and understand the risks posed by the services we provide. The goals of the remote developer risk assessment:

  • Understand the security control environment at our Technologies, in the context of services being provided to Amazon Selling Partners.
  • Enable Amazon to identify, mitigate and manage risks arising from developer use of MWS / SP-API.
  • Enable Amazon to effectively manage developer relationships.

How did Amazon choose us to be audited?

We believe that an increasing number of stores have got the same developer ID.

Assessment Process

The assessment process has been divided into 4 phases:

  • Assessment Planning
  • Execution
  • Reporting
  • Closeout

Key Assessment Domains

  • Business Process Overview: understanding an overview of services and processes
  • System Architecture and Governance: understanding the network architecture and flow of data through the environment
  • Security governance: policy management, how risk and compliance regulations are managed
  • Infrastructure security: understanding where data is stored, asset management, and security controls for assets
  • Data protection: tools utilized to protect data, encryption protocols for data at rest and in transit, management and classification of data
  • Network security and vulnerability management: security controls utilized to manage, monitor, and protect the network; assessing vulnerabilities and patch requirements
  • Application security: software development lifecycle and management of changes to production
  • Identity and access management: access provisioning, privileged and remote access
  • Security monitoring and incident response: log management and incident management plan
  • Data Handling and Management: various stages of the Amazon data lifecycle
  • Third-Party Integration: data sharing with third parties
  • Customer Support: seller support tools and methods

How will you prepare for Amazon auditing?

We are sharing our experience to help you grow your Amazon business. With the amount of static across Amazon news and strategies, we save you time and money by diagnosing early account issues and symptoms, so that you do not waste either on unproven strategies.

Some companies have been selected for an audit, and we are one of them. Here is a summary of how the process went.

We started with a 30-minute overview meeting with Deloitte, where they explained the process. At this initial meeting they schedule the audit meeting; this is the Assessment Planning phase.

Something to keep in mind: when submitting your request, it is important that your application follows the Acceptable Use Policy and Data Protection Policy.

Information about Amazon MWS access requirements can be found in the Acceptable Use Policy and Data Protection Policy:

http://docs.developer.amazonservices.com/en_US/dev_guide/DG_AcceptableUsePolicy.html

http://docs.developer.amazonservices.com/en_US/dev_guide/DG_DataProtectionPolicy.html

Go through your application and make sure it matches the Acceptable Use Policy and Data Protection Policy. Also, make sure you implement these requirements in your app.

The next phase is Execution. The audit meeting lasts 3 to 4 hours. The auditors ask many detailed questions that cover issues found in the Amazon Acceptable Use Policy and the Amazon Data Protection Policy, as well as the area of general IT security. They are also interested to know about your company, what your application does, and how you support your customers.

If you have documents, you can provide those to the auditors in advance of the audit meeting. Some examples of these policy documents are Access Control Policy, Asset Management Policy, Change Management Policy, Data Classification Policy, and Network Security Policy. Some companies have these policies in mind, but they are not formally written down. It would be good to review and create written IT security policies for your company.

After the auditors have received your policies and the answers to their questions, they will process your answers and return to you a list of issues that you did not pass, with a priority attached to each one. This is the Reporting phase. You have 30 days to fix the high-priority issues, and you can take longer for the other areas. This is the Closeout phase.

It is a time-consuming process, but it makes sure the Amazon data you download using the MWS/SP-API is protected. In addition, it helps companies take a serious look at their IT security in general. In these days of major cyber-attacks, we all need to do our part to protect the IT infrastructure.

It’s amazing how much easier an audit is if you know and follow the procedures from the start. We hope that helps.