Do you receive requests from customers for assurance on a number of fronts, including assurance of the controls you employ to protect the confidentiality of users’ data, as well as the security, availability, and integrity of your systems? System and Organization Control (SOC) engagements have become the gold standard for examining, assessing, and reporting on these controls.
A SOC Gap Assessment is how you get a benchmark for “where you are” against “where you need to get to” for a successful SOC examination. A gap assessment is the first step on your SOC journey, setting you up for better results when it is time for your SOC 2 Type 2 audit. Our gap assessment work will:
Provide an overview of SOC, determine the categories that should be in scope based on your service, identify showstoppers, and any control issues that will delay your SOC progress.
SOC is a detail oriented and nuanced process towards preparing your environment for assessment that your team will undergo. For the security category of SOC 2, your organization will need to demonstrate how it meets “common criteria”. The common criteria and some examples of what would be included are:
Under the availability and confidentiality categories, you would also include criteria for:
Assess your organization’s service against SOC 2 requirements with the most experienced SOC auditors. A Type 1 (or “point in time”) examination will determine the suitability of the design of your control environment, as well as the description of your system as of a specified date. Companies will often use a Type 1 report to demonstrate their control environment without waiting for the period of time needed for Type 2. Often companies will also use a Type 1 as a “stepping stone” between the completion of remediation from their gap assessment and the eventual Type 2 examination.
This is what most companies strive for with SOC. A Type 2 examination will do everything the Type 1 does (suitability of design), but adds operational effectiveness of controls over a period of time. This is the highest level of reporting that you can do for SOC. Let the Fortreum SOC experts who helped write the guide on it, get you there.
Fortreum has enterprise grade experience with the right blend of technical and analytical experience to support your cybersecurity and cloud needs.
We’re happy to share our insights and work with you to fast-track your CMMC Certification.
During a SOC 2 Type 2 examination, if there are any deviations (or exceptions) noted in testing the operational effectiveness of a control, those exceptions have to be shown in the report. Starting your SOC 2 endeavor with a gap analysis, then considering a Type 1 report after remediation ensures a higher potential of success on that Type 2.
The education, experience, and expertise of a cybersecurity-focused CPA firm working alongside cybersecurity experts is important. Ensuring you work with a CPA firm that has the right cloud and cybersecurity background, get to know the assessment team, as potential outcomes on SOC and other integrated audits could be impacted.
The key to successful maintenance of SOC 2 (especially for Type 2 reports) is to have a comprehensive continuous monitoring strategy. This strategy includes maintaining the proper staffing levels, ensuring risk assessments and threat analysis methods (e.g. vulnerability scans) are being performed and analyzed on a frequent basis.
While SOC 2 is industry recognized, your organizations may have other frameworks that your currently pursuing (FedRAMP, ISO, HIPAA, etc.). Determining which frameworks are applicable to your business and overall timeline is important. Having a strategy for multiple frameworks in your compliance effort, consolidated efforts and estimated authorization timelines will save your organization time and money.
We’ll just come right out and say it. SOC 2 isn’t mandatory. There is no agency, no industry, no law, no regulation that says you need to get a SOC 2. But, there are quite a few reasons your organization may need it. The biggest reason? A lot of companies expect to see a SOC 2 report from their service providers as part of their vendor management process (customer demand), but there are other benefits as well.
Why is a CPA needed for IT auditing? I thought they were accountants?
While that is true, SOC engagements were developed by the AICPA, which has long been a thought leader in assurance engagements. The AICPA creates standards, like those designed for SOC 2 reports, so that CPAs can easily comprehend and incorporate best business practices into existing procedures on behalf of clients. This, in turn, makes CPAs the premier providers of SOC reports for service organizations.
CPAs have extensive marketplace recognition because of the business world’s broad and long-standing familiarity with the value and reliability of the services they perform. If you want to make your users aware of the effectiveness of the controls over your organization’s system and attach credibility to such claims, use a SOC knowledgeable CPA to issue your SOC report. Customers will recognize and appreciate the value of the reports prepared by a CPA.
Stay informed with our Industry Compliance Roadmaps, Technical Testing, Interviews and Resources to help you simplify cybersecurity and compliance.
