AuditOne LLP’s sole focus is to perform SOC audits. Our clients benefit from an informed consultation designed to determine the best and most cost-effective strategy to follow in order to meet their goals. We have focused our considerable industry expertise on creating simple, elegant methodologies that are both quick to perform and easy on the budget.
Why You Need a SOC Report
Regulated service providers are required to perform initial due diligence and ongoing vendor monitoring on their outsourced service providers. If you are an organization providing outsourced services, you are typically asked for an annual SOC report. A SOC report provides a third-party audit of your security controls and establishes confidence in your organization.
AuditOne’s Service Offerings:
Annual SOC Risk Assessment
Our SOC risk assessment framework utilizes traditional risk assessment methods, where inherent risk is calculated by multiplying impact by likelihood. Our process is focused on the SOC 2 trust services criteria and the underlying COSO and AICPA report guidance. AuditOne LLP will work with your management team to evaluate your relative risk across all relevant trust services criteria. When completed, you will have a SOC 2 compliant risk assessment and a detailed relative risk analysis of your information security controls.
Annual Penetration Testing
Our penetration testing represents a method of evaluating the security of a service provider’s external systems by simulating an attack by a person with malicious intent (e.g., a hacker or disgruntled employee). The process involves an active analysis of these systems for any weaknesses, technical flaws or vulnerabilities. Annual penetration testing helps you protect your critical IT infrastructure by identifying and validating known security vulnerabilities for both public-facing and internal resources.
SOC 1 or SOC 2 Reports
A SOC 1 report is designed to audit the internal controls over financial reporting. This report is the successor to the SAS 70 report format.
A SOC 2 report addresses a service provider's stated controls related to security, confidentiality, availability, processing integrity, and privacy. The AICPA defines the audit process and report structure. The AICPA recently integrated their SOC 2 format with the widely used COSO compliance framework. The SOC 2 report is currently the standard for information security assurance testing, and most customers will ask for this report by name.
Type I or Type II
A Type I report is a point-in-time report (example: as of December 31, 2021) in which we assess your security controls and determine whether the controls are sufficiently designed to meet AICPA criteria. No collection of evidence is performed. New clients typically start with a Type I report. We have created a sample control set and will walk you through this process.
A Type II report is a time-period-based report (example: January 1, 2021 to December 31, 2021). We will audit your security controls' effectiveness during a specific time period. Evidence collection and audit steps are performed. The minimum time period for a Type II report is typically six months. A client's stated security controls need to be in place during this entire period. This process is typically a 60-day project from project kick-off to report issue.
We have created a SOC readiness assessment to determine the maturity of a client's controls. Watch this YouTube video explaining our SOC audit process, including our readiness assessment, and sample controls. Download our SOC readiness assessment and check off the items you currently have in place and return the assessment to us for review.