In recent years, it has become increasingly popular for institutions to outsource business support, system operations and IT activities to service organizations. With that trend came new standards for reporting on service organization controls (SOC).
Organizations across the board, including publicly traded companies, private companies and not-for-profits, may require verification that the third-party service organizations that process transactions or data relevant to their financial statements operate under a strong set of internal controls. These verifications take the form of System and Organization Controls (SOC) reports at several levels. The reports give your clients and prospective clients independent assurance that your internal controls are suitably designed and operating effectively. Examples of service companies that may need such reports include data center operators, loan servicers, medical claims processors and payroll processors.
PBMares will help you satisfy your assurance requirements, and assess the effectiveness and risks of the controls at the third parties you rely on, through:
SOC 1 Reports
SOC 1 reports, issued under Statement on Standards for Attestation Engagements (SSAE) No. 18, focus on your organization’s business processes and IT controls that are relevant to your customers’ internal control over financial reporting. Any control likely to be relevant to an audit of your customers’ financial statements is described and evaluated in the report.
Both SOC 1 and SOC 2 reports come in two types. A Type 1 report covers the fairness of the description of your system and the suitability of the design of your controls as of a specified date. A Type 2 report covers the same description and design, plus the operating effectiveness of those controls over a review period, typically six to twelve months, and is the type customers and their auditors most often request.
SOC 2 Reports
These reports concentrate on the five Trust Services Criteria categories (formerly called Trust Services Principles): security, availability, processing integrity, confidentiality and privacy. SOC 2 does not prescribe specific controls; the service organization selects which categories are in scope and decides how its controls meet the criteria. This flexibility means SOC 2 reports are unique to each company, and makes the choice of auditor particularly important: you need an audit team with a deep understanding of SOC controls and best practices. SOC 2 reports are restricted-use reports, typically shared under an NDA with your management, customers and their auditors, regulators or other specified parties.
SOC 3 Reports
SOC 3 reports examine the same five Trust Services Criteria categories as SOC 2, but they are general-use reports: they omit the detailed description of controls and test results, so the auditor’s opinion can be made publicly available, for example on your website.
Cybersecurity Risk Management Reports
Organizations need to show they are managing the threat of security breaches by having processes and procedures in place to detect, respond to, mitigate and recover from them. Using the AICPA’s cybersecurity risk management reporting framework (SOC for Cybersecurity), PBMares’ team will give you the credibility you need to communicate the effectiveness of your organization’s cybersecurity risk management program to boards, customers and other stakeholders.
SOC Readiness Assessments
These assessments provide an overview of your organization’s preparedness for a successful SOC 1, SOC 2, SOC 3 or Cybersecurity audit. At the end of the assessment, our experts will tell you which control gaps and observations need to be addressed and remediated for your SOC audit to succeed.
Take Advantage of Our Experience
Our experienced cyber risk professionals have been performing IT audits and risk assessments for 15 years. Unlike standard IT providers, as CPAs and consultants we have an intimate understanding of your organization’s unique processes and operations. You can rely on us for complete cybersecurity services and solutions tailored to your risk profile and network.
Focusing on Protecting Your Company from Risk?
Certain industries, like financial institutions, are a natural fit for cybersecurity and other risk control services. However, the need for this type of help spans virtually every business including those in construction, government contracting, state and local government, hospitality and not-for-profit.