What is it?

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

System and Organization Controls (SOC) reports are globally recognized attestation reports that give organizations credibility and a competitive advantage in the marketplace. SOC reports are intended to provide transparency into the internal controls operated within a service organization so that user entities can assess and address the risks associated with that service organization. SOC 2 reports are intended to meet the needs of a broad range of users who need assurance regarding the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information processed. In 2018, the American Institute of Certified Public Accountants (AICPA) revised the SOC 2 Trust Services Criteria to integrate with the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework (2013), which has placed increased scrutiny on organizations’ vendor management and risk management practices. The SOC 2 Trust Services Criteria (TSC) are categorized into five components:

  • Common Criteria/Security - Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems—damage that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability - Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing integrity - System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality - Information designated as confidential is protected to meet the entity’s objectives.
  • Privacy - Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

When undergoing a SOC 2 attestation, organizations are required to complete the Common Criteria for Security as the foundational TSC. Organizations can then choose to include the Availability, Processing Integrity, Confidentiality, and Privacy TSC where applicable to the services they provide.

Types of SOC 2 Reports

SOC 2 Type 1: A test of design to determine whether your controls are designed appropriately to achieve the desired Trust Services Criteria as of a point in time.

SOC 2 Type 2: A test of operating effectiveness to determine whether your controls are both designed appropriately to achieve the desired Trust Services Criteria and operating effectively over a defined period of time.

Why do our clients need help?

Whether your Organization offers payroll processing services or provides a Software as a Service (SaaS) offering, your clients need assurance that their transactions are being processed completely, accurately, and timely.

What we offer

RISCPoint’s team of compliance consultants can assist your organization from designing, selecting, and implementing controls through the completion and ongoing maintenance of SOC compliance.

Our tailored Third-Party advisory services include:

  • Workshops and Compliance Roadmap Development:
    • Overview of Third-Party Reporting Compliance Process
    • Boundary review and audit scoping
    • ROI identification and justification
    • Tailored educational sessions for key stakeholders and executives
    • Development of detailed roadmap for compliance
  • Gap assessments
    • Overview of Third-Party Reporting Compliance Process
    • Review of existing compliance documentation (Policies, procedures, process flows, etc.)
    • Identification of gaps in the current control implementation
    • Development of risk-ranked recommendations and future state roadmap
  • Flexible Enterprise Control Framework Development
    • Identification of existing controls and the development of leading practice controls that achieve compliance with multiple third-party attestation requirements
    • Remediation Assistance

Why work with us?

  • We employ a team of industry experts who have assisted a large number of governmental contractors of all sizes in achieving authorization.
  • Our advisors have worked with and at some of the largest 3PAOs and bring knowledge of what auditors, authorizing officials, and the authorization process require.
  • Our wide partner network includes security software vendors, hosting providers, and security engineers – we will be your one-stop shop for all your authorization needs.
  • We offer a wide range of security and compliance services and specialize in the development of enterprise-wide control environments that allow you to meet multiple standards and frameworks (FISMA, FedRAMP, SOC 1, SOC 2, HITRUST, HIPAA, ISO 27001, and others) and minimize the time spent on audit and compliance work so you can focus on your day-to-day operations.
