SOC

Building Trust and Confidence in Third-Party Relationships

In a global economy, businesses must have trust and confidence in their partners and vendors. SOC reports enable organizations to demonstrate to both customers and prospects the controls and safeguards for managing their data and/or infrastructure.

Independent SOC assessments have become an important part of building trust between service providers and their clients. SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. SOC 2 and SOC 3 engagements address controls at the service organization that relate to operations and compliance.

Our services include:

SOC Gap Assessments

SOC Gap Assessments assist service organizations in assessing their preparedness for a SOC / ISAE 3400 audit. Gap Assessments identify those controls that should be implemented or improved prior to an actual audit. Gap assessments also help your organization mitigate the risk of a qualified opinion or reporting exceptions.


TrustNavigator™ – our proprietary service approach:

  • Project planning and management
  • Scope assessment
  • Identification of relevant control objectives and domains
  • Interviews and questionnaires for information gathering
  • Detailed descriptions of your controls
  • Identification of controls in place for each in-scope control objective
  • Prioritized remediation of control gaps and recommended enhancements

SOC 1

SOC 1 reports are examination engagements undertaken by a service auditor to report on a service provider's controls that are relevant to user entities’ internal control over financial reporting. The services can only be delivered by a licensed firm such as TrustNet.


SOC 1 Services include:

  • Gap Assessments – help your organization assess the controls in place and mitigate the risk of a qualified opinion or reporting exceptions
  • SOC 1 Type 1 – Report on the service organization's description of controls and the suitability of the design of the controls to achieve the related control objectives as of a specified date
  • SOC 1 Type 2 – Report on the service organization's description of controls and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives over a specified period of time

SOC 2

SOC 2 reports are examination engagements undertaken by a service auditor to report on the service organization’s operational controls to meet the selected Trust Services Principles and Criteria. The services can only be delivered by a licensed firm such as TrustNet.


SOC 2 reports specifically address one or more of the following five key system attributes / domains:

  • Security – The system is protected against both physical and logical unauthorized access
  • Availability – The system is available for operation and use as committed or agreed
  • Processing integrity – System processing is complete, accurate, timely and authorized
  • Confidentiality – Information designated as confidential is protected as committed or agreed
  • Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA

SOC 2 Services include:

  • Gap Assessments – assess the controls in place to meet the Trust Services Principles and Criteria with the goal to ensure preparedness for the SOC 2 examination and help mitigate the risk of a qualified opinion or reporting exceptions.
  • SOC 2 Type 1 – Report on the service organization’s operational controls pertaining to the suitability of the design of controls intended to meet the selected Trust Services Principles and Criteria as of a point in time.
  • SOC 2 Type 2 – Report on the service organization’s operational controls pertaining to the suitability of the design and operating effectiveness of controls intended to meet the selected Trust Services Principles and Criteria over a specific period of time.

SOC 3

SOC 3 reports are engagements undertaken by a service auditor to report on the service organization’s operational controls to meet the selected Trust Services Principles and Criteria. The services can only be delivered by a licensed firm such as TrustNet.


SOC 3 reports specifically address one or more of the following principles and criteria:

  • Security – The system is protected against both physical and logical unauthorized access
  • Availability – The system is available for operation and use as committed or agreed
  • Processing integrity – System processing is complete, accurate, timely and authorized
  • Confidentiality – Information designated as confidential is protected as committed or agreed
  • Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA

SOC 3 services include:

  • Gap Assessments – assess the controls in place to meet the Trust Services Principles and Criteria with the goal to ensure preparedness for the SOC 3 examination and help mitigate the risk of a qualified opinion or reporting exceptions.
  • SOC 3 – Report on the service organization’s operational controls pertaining to the suitability of the design and operating effectiveness of controls intended to meet the selected Trust Services Principles and Criteria over a specific period of time. Unlike the SOC 1 and SOC 2, there is no point-in-time “Type 1” examination for a SOC 3 assessment.

TrustNavigator™ – our proprietary service approach:

PLANNING

project planning and management

SCOPING

risk assessment, identify relevant controls, gather info

TESTING

analysis, conduct testing, remediation roadmap

REPORTING

findings and recommendations, final report

The SOC Assessment Process

Which SOC Report is right for you?

SOC 1

Internal controls over financial reporting
Type 1 or Type 2
Restricted Distribution

SOC 2

Trust Services Criteria
Security, Availability, Processing Integrity, Confidentiality, Privacy
Type 1 or Type 2
Restricted Distribution

SOC 3

Trust Services Criteria
“Summarized SOC 2”
Public distribution

Type 1 vs Type 2


Type 1 Assessment

At a point in time


Type 2 Assessment

Over a period of time
Not less than 6 months (usually only in the first year)
12 month testing cycle thereafter

The SOC Journey


Phase 1 - Readiness Assessment

Elapsed Time: (3 to 6 Weeks)

Onsite and offsite assessment

Types of Gaps

Documentation (Policies and Procedures)

Procedures Execution

Technical Tools 

Configuration

Audit Trail

Phase 2 - Remediation

Elapsed Time: (2 to 8 Weeks)

Client execution

Remediation

Document policies and procedures

Implement procedures

Technical tools 

Configuration

Audit trail – retention of artifacts  

Phase 3 - Assessment and Reporting

Elapsed Time:

Type 1: 4 to 6 Weeks

Type 2: 7 Months

Includes onsite assessment (required)

1st round of testing 

2nd round of testing 

How does TrustNet test a control?

Inquiry, Observation, Inspection, Re-performance

SOC Accelerator

Building Trust and Confidence in Third-Party Relationships

Our SOC 2 Accelerator Program is designed to help businesses from the startup phase through to the finish line of a SOC 2 assessment. TrustNet has performed hundreds of SOC assessments and has tremendous experience successfully guiding businesses through the process.

The SOC Accelerator Package includes:


Project Management


Readiness Assessment

Expert Consultation

Policies and Procedures

Implementation Tracking

Limited compliance and security resources, modest budgets, and less developed company policies and procedures are just a few of the issues facing first-timers. Our SOC Accelerator Program is designed to mitigate these issues and prepare our clients for success.

TrustNet provides the people, process and technology

Readiness Assessment
  • Framework Mapping
  • Expert guidance and analysis
  • Controls mapping
  • Gap assessment
  • Readiness dashboard
  • Remediation plan
Policies and Procedures
  • Establish boundaries, guidelines, and best practices
  • Customized pre-built policies and procedures
  • Controls mapped to SOC framework
  • Periodic review and communication strategies
Consulting
  • One-on-one consulting with SOC experts
  • Best practices
  • Answers to all your questions
  • Phone, email and chat
Implementation Tracking
  • Customized implementation playbooks and checklists
  • Control assignment and tracking
  • Evidence collection process
Project Management
  • Dedicated project manager throughout the project
  • Tools to plan and track each task
  • Management of timelines and deliverables
  • Progress updates and stakeholder reporting

SOC Accelerator Value

Save Time

Accelerate your SOC process

Reduce Risk

Reduce the risk of audit failure

Lower Cost

Eliminate unnecessary expenses

SOC for AWS

With the growing migration to cloud hosting, many companies are operating their systems on Amazon Web Services (AWS). AWS provides a comprehensive set of cloud services for information technology professionals to build, deploy, and manage their applications. AWS has a vast network of secure and redundant data centers that help ensure the safety of their data. Additionally, AWS has undergone SOC audits that demonstrate to their clients and investors that their infrastructure is completely secure. While this makes AWS SOC compliant, the audit does not extend to their cloud customers. This is where an experienced independent third-party, like TrustNet, becomes of value.

DOES AWS' SOC REPORT MAKE YOU SOC COMPLIANT?
No. Even though your services are built with AWS, your organization has not gone through a SOC audit. When undertaking a SOC audit, the majority of the audit must be passed by the cloud customer. The cloud customer is responsible for implementing administrative policies and internal security controls. TrustNet, a leading provider of SOC 2 audits, has extensive knowledge and experience in assisting companies operating in the AWS cloud environment.
WHAT PARTS OF YOUR SOC AUDIT ARE COVERED BY AWS?
Parts of your audit are covered through what is commonly known as “a carve-out.” AWS is responsible for some of the controls that will meet SOC 2 criteria, such as physical compliance safeguards. Your business, however, will need to go through the rest of the audit for you to be SOC compliant.
WHAT WILL A SOC AUDIT COST ME?

Since you have used AWS for part of your controls, you will have fewer controls to comply with. Additionally, you may be able to “carve-out” additional controls based on your service providers, thereby reducing your total number of controls that need to be audited.

TrustNet offers premium pricing for companies utilizing AWS. Please refer to the SOC pricing page for additional pricing information.

How is pricing determined?


Which of the 5 Trust Principles are in Scope

Environment Size and Complexity

Role of subservice providers

Physical Locations

Organization Size

The SOC Report Sections


Section 1

Assessor's Opinion


Section 2

Management’s Representation


Section 3

Role of subservice providers


Section 4

Testing Matrix

Section 3 / Section 4 – Controls Examples

Best Practices and Risk Avoidance


Start Early


Limit the scope

especially in year one

Evaluate vendor relationships

inclusive vs. carve out

Qualified vs Unqualified Opinion

Organization Size

Why Should I Choose TrustNet?

TrustNet serves clients of all sizes, across multiple industries with extensive expertise and over a decade of experience. We are not the largest provider and we’re certainly not the most expensive. What we provide is deep experience, efficiency, and quality professional services. Just ask our clients.