AuditOne LLP’s sole focus is to perform SOC audits. Our clients benefit from an informed consultation designed to determine the best and most cost-effective strategy to follow in order to meet their goals. We have focused our considerable industry expertise on creating simple, elegant methodologies that are both quick to perform and easy on the budget.
Why You Need a SOC Report
Financial institutions, health care providers, and other corporations are required to perform initial due diligence and ongoing vendor monitoring on their outsourced service providers. If you are an organization providing outsourced services, you are typically required to provide an annual SOC report. A SOC report provides information on your systems and security controls, and additionally establishes confidence in your service and organizational integrity.
AuditOne’s Service Offerings:
Annual SOC Risk Assessment
Our SOC risk assessment framework utilizes traditional risk assessment methods, where inherent risk is calculated by multiplying impact by likelihood. Our process is focused on the SOC 2 trust services criteria and the underlying COSO and AICPA report guidance. AuditOne LLP will work with your management team to evaluate your relative risk across all relevant trust services criteria. When completed, you will have a SOC 2 compliant risk assessment and a detailed relative risk analysis of your information security controls.
Annual Penetration Testing
Our penetration testing represents a method of evaluating the security of a service provider’s external systems by simulating an attack by a person with malicious intent (e.g., a hacker or disgruntled employee). The process involves an active analysis of these systems for any weaknesses, technical flaws or vulnerabilities. Annual penetration testing helps you protect your critical IT infrastructure by identifying and validating known security vulnerabilities for both public-facing and internal resources.
SOC 1 or SOC 2 Reports
A SOC 1 report is designed to audit the internal controls over financial reporting. This report is the successor to the SAS 70 report format. This report format is still accepted for IT general control audit purposes.
A SOC 2 report addresses a service provider’s stated controls related to security, confidentiality, availability, processing integrity, and privacy. The AICPA defines the audit process and report structure. The AICPA recently integrated their SOC 2 format with the widely used COSO compliance framework.
The decision to obtain a SOC 1 report vs. a SOC 2 report depends on what your customers are requiring for assurance. The SOC 2 report is currently the standard for security assurance testing, and most customers will ask for this report by name.
SOC 3 Report
A SOC 2 report contains a detailed description of the client’s operation and the security controls in place. This report is only provided to existing customers. A SOC 3 report is a public version of a SOC 2 report. A SOC 3 does not contain a listing of the client’s controls, and the system description section is scaled down for public disclosure. Organizations can provide a SOC 3 report to any potential customer without the requirement of a signed non-disclosure agreement (NDA). Many clients place a SOC 3 report on their website for customers to download, which saves time and money.
Type I or Type II
A type I report is a point-in-time report (example: as of December 31, 2019) in which AuditOne LLP assesses a client’s security controls and determines whether the controls are sufficiently designed. No collection of evidence is performed. Customers may not accept a type I report due to the lack of audit review.
A type II report is a time-period-based report (example: January 1, 2019 to December 31, 2019). AuditOne LLP will assess the effectiveness of the client’s security controls during a specific time period. Evidence collection and audit steps are performed. The minimum time period for a type II report is typically six months. A client’s stated security controls need to be in place during this period.