Service Organization Controls (SOC) – Audit Readiness Services
Service Organization Controls (SOC) reports are internal controls reports designed to help service organizations that operate information systems and provide information system services to other entities. The intent of these reports is to demonstrate trust and confidence in their service delivery processes and controls through a formal attestation by an independent Certified Public Accountant. There are three types of SOC reports, each designed to help service organizations meet specific user needs:
- SOC 1 Report - Report on Controls at a Service Organization Relevant to User Entities’ Internal Controls over Financial Reporting (SSAE 16)
- SOC 2 Report - Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
- SOC 3 Report - Trust Services Report for Service Organizations
AppSec Consulting offers a variety of consulting and audit readiness services for clients who are pursuing a formal SOC report and attestation. Services include:
- Risk assessment
- Development of a risk and controls matrices
- Gap assessment
- Policy and documentation creation
- Mapping key policies and procedures to risk controls
- Remediation and risk treatment assistance
- Project management
- Other audit readiness activities including the development of required testing procedures.
AppSec Consulting provides assistance every step of the way to ensure clients are fully prepared for formal audit activities.
The AppSec Consulting Difference
- Industry Knowledge and Technical Expertise. Our security consultants are some of the best trained professionals in the industry. They have the leadership skills and technical know-how to help your organization build a robust controls framework.
- Experience. Our firm has assisted clients of all sizes in preparing for a formal SOC audit and report. We are there every step of the way to ensure the audit process goes smoothly and according to plan.
- Individual Certification. Our security consultants achieve and maintain a number of industry certifications including CISSP, CISA and CISM.
- Scoping – AppSec Consulting will work closely with client management and stakeholders to properly identify all services/solutions to be considered in-scope for the SOC report. Additionally, AppSec Consulting will work with the service organization to identify all Trust Service Principles (TSPs) to be included in the SOC 2/3 report.
- Planning – AppSec Consulting will work closely with your team to develop a customized project plan that takes into consideration all available resources (internal and external), competing initiatives, and organizational goals and objectives. This plan will include the following:
- Key project milestones
- Identification of business process owners and assigned tasks
- Initial risk assessment
- Development of control objectives
- Development of related policies and procedures
- Mapping of policies and procedures to control objectives
- Development of audit testing procedures
- Assistance with remediation (optional, if requested)
- Pre-audit and audit assistance
- Implementation – AppSec Consulting will provide assistance and project management services as necessary to support all the activities defined above.
- Audit and Reporting – AppSec Consulting will assist client with pre-audit and audit activities. This includes coordination with the CPA firm that will perform the actual audit. This approach allows the auditor to be completely independent and provides clear separation of duties.
- Peace of Mind – Clients get the peace of mind knowing AppSec Consulting is a trusted partner that will lead them through the entire SOC audit process.
What You Get
- Comprehensive SOC audit preparation services, with expert assistance throughout the entire process.
- Access to AppSec Consulting’s expert staff and associated tools available to streamline an ongoing and sustainable program.
- An independent SOC report you can share with clients and prospects that provides assurances regarding the suitability/operational effectiveness of service organization controls.