Do you receive requests from customers for assurance on a number of fronts, including assurance of the controls you employ to protect the confidentiality of users’ data, as well as the security, availability, and integrity of your systems? System and Organization Control (SOC) engagements have become the gold standard for examining, assessing, and reporting on these controls.

Why Choose Fortreum?

We simplify cloud and cybersecurity for our customers

Fortreum has enterprise grade experience with the right blend of technical and analytical experience to support your cybersecurity and cloud needs.

Contact us to discuss your cyber and cloud business needs. We’re happy to share our insights and work with you as your business evolves.

    Business Considerations

    Planning is Essential

    During a SOC 2 Type 2 examination, if there are any deviations (or exceptions) noted in testing the operational effectiveness of a control, those exceptions have to be shown in the report. Starting your SOC 2 endeavor with a gap analysis, then considering a Type 1 report after remediation ensures a higher potential of success on that Type 2.

    All CPA Firms are Not the Same

    The education, experience, and expertise of a cybersecurity-focused CPA firm working alongside cybersecurity experts is important. Ensure you work with a CPA firm that has the right cloud and cybersecurity background, and get to know the assessment team, since the outcomes of SOC and other integrated audits could be affected.

    Establish a ConMon Strategy Early

    The key to successful maintenance of SOC 2 (especially for Type 2 reports) is to have a comprehensive continuous monitoring strategy. This strategy includes maintaining the proper staffing levels and ensuring that risk assessments and threat analysis methods (e.g. vulnerability scans) are performed and analyzed on a frequent basis.

    SOC 2 with Other Frameworks

    While SOC 2 is industry recognized, your organization may have other frameworks that you are currently pursuing (FedRAMP, ISO, HIPAA, etc.). Determining which frameworks are applicable to your business and your overall timeline is important. Having a strategy that covers multiple frameworks in your compliance effort, with consolidated work and estimated authorization timelines, will save your organization time and money.

    Why is SOC important?

    We’ll just come right out and say it. SOC 2 isn’t mandatory. There is no agency, no industry, no law, no regulation that says you need to get a SOC 2. But, there are quite a few reasons your organization may need it. The biggest reason? A lot of companies expect to see a SOC 2 report from their service providers as part of their vendor management process (customer demand), but there are other benefits as well.


    Why is a CPA needed for SOC?

    Why is a CPA needed for IT auditing? I thought they were accountants?

    While that is true, SOC engagements were developed by the AICPA, which has long been a thought leader in assurance engagements. The AICPA creates standards, like those designed for SOC 2 reports, so that CPAs can easily comprehend and incorporate best business practices into existing procedures on behalf of clients. This, in turn, makes CPAs the premier providers of SOC reports for service organizations.

    CPAs have extensive marketplace recognition because of the business world’s broad and long-standing familiarity with the value and reliability of the services they perform. If you want to make your users aware of the effectiveness of the controls over your organization’s system and attach credibility to such claims, use a SOC-knowledgeable CPA to issue your SOC report. Customers will recognize and appreciate the value of the reports prepared by a CPA.
