June 7, 2017

SOC 2 Compliance | Trusted Third-Party Relationships

Overview


More than 65% of security breaches can be traced to third parties; as a result, companies want to avoid working with at-risk vendors, and many organizations that provide services to other companies are being asked for a SOC 2 Type II audit report. A SOC 2 report gives your customers insight into your control environment and assurance that you are doing the right things to keep their data and operations safe.

Where We Excel


Our management-level consultants have experience with hundreds of SOC 2 engagements. In addition to our seasoned personnel, we offer the following benefits on every project:

  • Competitive pricing and discounts for multi-year contracts,
  • Flexible on-site or remote fieldwork by using our secure audit documentation workflow tool (inview), and
  • Director-level support and involvement in each phase of the engagement.

FAQs


  • Why are my customers asking for a SOC 2 report?

Over 65% of security breaches can be traced to third parties, so companies want to avoid working with at-risk vendors. As a result, many organizations that provide services to other companies are being asked for a SOC 2 Type II audit report.

  • What are the benefits of a SOC 2 report?

Companies that obtain SOC 2 reports are able to demonstrate to current and prospective customers that they take security and risk management seriously. Often, this commitment is a competitive advantage in the marketplace. In addition, the SOC 2 reporting process is a great opportunity to improve internal processes, reduce risk, and formalize tribal knowledge.

  • What is the scope of a SOC 2 report?

The appropriate scope for a SOC 2 report depends on customer and organizational requirements. One benefit of the SOC 2 reporting process is that auditees have the opportunity to define the scope and boundaries of their system, which gives the report focus. Key elements of scope include the relevant system, the reporting period (usually 12 months), and the SOC 2 Trust Services Principles (TSPs) covered.

  • What are the SOC 2 Trust Services Principles (TSPs)?

There are five Trust Services Principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy.

  • Which Trust Services Principles (TSPs) should I consider?

Choosing the appropriate TSPs depends on the nature of your system and the type of services your company provides. As a rule, every report must include Security. Beyond that, companies whose services must maintain high uptime typically include Availability; companies handling personal information include Privacy; companies processing transactions (especially financial transactions) include Processing Integrity; and companies required to protect the confidentiality of processes or data include Confidentiality.

  • What is the difference between a SOC 2 Type I and SOC 2 Type II report?

A Type I report issues an opinion on the suitability of the design of controls as of a point in time. A Type II report issues an audit opinion on the operating effectiveness of controls over a period of time (usually 12 months). Because a Type I does not show that controls actually operated, customers almost always ask for a SOC 2 Type II report.