SOC2 Auditing Services

Determine Service Offerings for compliance?

The first step is to define what service offering(s) you want certified. This may seem trivial, but the ramifications of this decision are far reaching. The first big question you should ask is, who will want a SOC2 report from you? Is this report going to a client as part of a contract or SLA agreement, or is it going to a business partner who may need it as part of their audit? It is important to think about where your business is going and who may demand this certification.

Define the Scope

Once you have settled on the service offering(s), the next step is to determine what constitutes the scope of the audit. In other words, what is relevant and in scope for the services you are making compliant. This is a good time to engage your IT/IS team to help identify the systems (networks, servers, switches, etc.) the target services use.

The narrower the focus, the less systems you must make meet the criteria. You and your team must look at these systems as they are defined in the AICPA Trust Principles and Criteria documentation.

Decide Which TRUSTED SERVICE PRINCIPLES (TSPs) are applicable?

Define the Scope, SOC2 Compliance services implementors and auditors

After the scope is defined, the next step is to decide which TSPs are applicable to your organization?s systems. A common mistake is to assume you must comply with all five. In fact, the AICPA gives you the flexibility to decide which ones based on the scope and service offering(s). However, at a minimum, we recommend you comply with the Security trust principle. This provides a baseline assurance to your clients and partners that their information is protected from unauthorized access.

Map and Gap

The next step is to map your existing environment against the relevant TSP criteria. This is a gap assessment. The ultimately goal of the gap assessment is to determine what gaps exist, and what exactly you must to do close those gaps. This includes purchasing new equipment, hiring staff to implement those controls, writing documentation, and many other details. The ideal gap assessment lays out a road map for meeting compliance requirements.

Remediate Gaps

This is probably the most time-consuming of all efforts. As mentioned previously, the amount and level of efforts and resources from the gap analysis will determine the date of the SOC 2 audit. Historically, in our experience, if your organization is doing this ?from the ground up,? you will need 6 to 12 months to implement all the required controls. Of course, this is highly dependent on several factors, such as the number of gaps needed to be remediate, available personnel to do the remediation, any new equipment needed, the timeline established to remediate findings, and of course management?s ongoing support and involvement.

To keep things on track, focus on procuring and implementing the required controls first. This includes buying technologies like firewalls and SIEM solutions. Get these controls working? Second, integrate these new controls into your operational practices. Make sure you have good reporting and administration of the controls. Lastly, document the relevant policies and procedures around those controls.

Decide Which TRUSTED SERVICE PRINCIPLES (TSPs) are applicable?, SOC2 Compliance services implementors and auditors

Audit Preparations

Once the remediation is nearing completion, the next step is to engage a CPA firm. The more involved your CPA is with your business, the more likely they will be able to understand the nuances of your implementation. Furthermore, if you work with a consulting partner to implement the controls, they too should have a relationship with the CPA firm. The closer your consultants are to the CPA, less likely the two groups will disagree. Keep in mind that a consulting partner or value added reseller (VAR) can tell you one thing, but at the end of the day, it is the CPA firm who signs the audit.

Remediate Gaps,SOC2 Compliance services implementors and auditors

SOC-2 Report Template Contains:

Independent services auditor?s report
Management?s assertion
System description
Applicable trust services criteria and related control activities

FEATURES

Unlike PCI DSS, which has very rigid requirements, SOC 2 reports are unique to each organization.

Audit Preparations, SOC2 Compliance services implementors and auditors

Process, SOC2 Compliance services implementors and auditors

Determining exactly which service offering(s) you want to make compliant

BENIFITS

Obtaining a SOC 2 report requires an investment of both time and money for a service organization and, at some point, might seem like more work than it's worth. However, the advantages to obtaining a SOC 2 report far outweigh the initial investment. Following are ten benefits: