At Maxwell Locke & Ritter, our IT Risk & Compliance practice specializes in customized risk management and regulatory compliance solutions. Our services are specifically designed to meet the needs of your company, your customers, and your regulators. We have a local team of Certified Public Accountants and Information Security Auditors with extensive experience in IT audit and compliance. Our team of advisors will help your organization navigate today’s complex regulatory environment.
- SOC Gap Analysis & Readiness
- SOC 1, Type 1 and 2
- SOC 2, Type 1 and 2
- SOC for Cybersecurity
- HIPAA Security Assessments
System and Organization Control (SOC) reports were created to decrease the audit burden on service providers by establishing a standardized report that can be issued to end users. A SOC audit from a reputable firm can serve as a market differentiator for organizations seeking to appeal to a broad range of high-value customers.
SOC 1 examinations, also known as SSAE 18 reports, are designed for organizations that provide services that impact their customers’ financial statements or internal controls over financial reporting. SOC 1 reports are commonly requested by customers who are public or operate in highly-regulated industries.
Examples of Organizations who Receive SOC 1 Reports:
- Software-as-a-Service companies that impact customer financial reporting
- Payroll processors
- Loan servicing organizations
- Accounting software providers
- Data centers
The control objectives for a SOC 1 report are defined by the service organization based on the objectives relevant to their customers. Control objectives include a combination of IT controls and relevant business process controls.
SOC 2 examinations are more technical in nature and focus on one or more trust service principles – security, availability, processing integrity, confidentiality, and privacy. All SOC 2 examinations include a set of core common criteria that are addressed by the security principle. The criteria for availability, processing integrity, confidentiality, and privacy are separate and can be added based on the specific software or services provided by the service provider.
SOC 2 reports are relevant to service organizations that are relied upon for the operational needs of their customers or for protecting sensitive customer data. Software-as-a-Service providers and companies in industries such as FinTech, HealthTech, EdTech, Data Science, Artificial Intelligence, and Security can benefit from a SOC 2 report. The control objectives for a SOC 2 report are defined by the American Institute of Certified Public Accountants (AICPA) and are primarily supported by IT controls.
SOC for Cybersecurity examinations is appropriate for any organization with cybersecurity risks, including businesses and nonprofits. SOC for Cybersecurity is an entity-wide assessment of your organization’s cybersecurity risk management program. Reports can be used by organizations to communicate the effectiveness of their cybersecurity risk management program, building trust and confidence in their market.
HIPAA Security Assessments
Organizations that store or process health data are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) to protect the privacy and security of protected health information. Organizations that store or process electronic health data are also required to comply with HIPAA to meet their obligations as Business Associates. During a HIPAA Security Assessment, our experienced team evaluates organizations against the HIPAA framework, customizes a control framework, and identifies and prioritizes areas of noncompliance. Our goal is to help organizations be responsible stewards of personal health information and decrease the risk of fines and penalties resulting from regulatory audits or security breaches.
Our HIPAA assessments follow a streamlined five-step process:
- Discussions on existing controls and processes
- Construction of a complete customized control framework
- Identification of control gaps and deficiencies
- Evaluation of the impact of deficiencies noted
- Issuance of a final written report with prioritized recommendations
Upon request, our team can provide more hands-on assistance with remediation of deficiencies noted, including training and project management.