SOC1 REPORTING BASED ON ISAE 3402 STANDARD & SOC2 REPORTING BASED ON TRUST SERVICE CRITERIA
An efficiently managed IT security control environment is key for any organization. Inadequately protected IT systems can leave companies vulnerable to threats such as unauthorized access to business-critical data, malware-induced disruptions, or other IT incidents that affect business continuity. The situation is even more critical if the organization processes or stores confidential data for its customers as part of an IT service.
To help service organizations provide assurance on the adequacy of controls that mitigate risks to their customers, the American Institute of Certified Public Accountants (AICPA) has developed a 5-step audit process based on the "Trust Service Principles" that assesses a service organization’s internal controls for security, confidentiality, processing integrity, availability and privacy, using general compliance requirements.
SOC1
The SOC1 report is not only about compliance but also about trust: the trust that the service organization earns from its customers, partners, and investors by keeping its business processes compliant and by ensuring the effectiveness of the controls embedded in those processes. The SOC1 report gives service organizations an excellent opportunity to demonstrate their commitment to establishing and operating a robust corporate control environment, and thereby to ensure the quality and value-added impact of their services.
SOC2
At the end of the process, an independent auditor issues a SOC2 (Service Organization Control) report. A SOC2 report can be used to show customers that the service organization operates an effective information security environment. The typical candidates for SOC2 reporting are companies that store or process customer data, provide trust services, or want to give their customers assurance on the operating effectiveness of their information security controls. For security-conscious businesses, requiring a SOC2 report has become a baseline when considering the use of an IT service provider, and the requirement is often written into contracts.
Deloitte has more than 15 years of experience in conducting SOC1/SOC2 audits. We pride ourselves on our team of experts, whose main profile is to coordinate and conduct these audits efficiently while meeting our clients' needs. We are able to issue both SOC2 Type I (design of IT controls) and SOC2 Type II (implementation and operating effectiveness of IT controls) audit reports.
With a SOC2 assurance report from us, our clients can gain a significant market advantage and enhance their brand and reputation. Unlike a generic audit certificate, it gives a much more detailed and realistic picture of an organization's IT security posture.
Managing third party contracts is becoming increasingly challenging. Effective third party risk management examines how analytics and real-time automation can help avoid costly billing errors and unnecessary inefficiencies in contract management.
As organizations rely on more and more third parties to grow and thrive, they’re exposed to higher levels of risk. Manual processes, silos in contract administration, and technology and resource constraints can all lead to significant errors in third party billings—errors that, on average, amount to between three and five percent of an organization’s contracted spend.
Our report, Effective third party risk management, demonstrates that in order to effectively manage increasingly complex third party contracts—and reduce costly errors—organizations must shift towards a new style of third party management. In our report we discuss:
● The risks and repercussions associated with third party contract management shortcomings
● Common gaps in third party contract management processes
● Examples of how new solutions and technologies can help organizations optimize their third party processes
● Examples from leading organizations demonstrating the value of implementing a real-time solution to manage third party contracts
Increasing complexity and a lack of transparency in the design of controls and algorithms, inappropriate use of machine learning and related tools (now commonly referred to as AI), and weak governance are specific reasons why algorithms are exposed to risks such as bias, errors, and malicious acts.
We at Deloitte help our clients overcome these issues, whether in existing solutions that already use digital controls or in new developments that adopt some form of digital control.
Even when the control itself is an IT development, its effects and results can quickly escalate into an unforeseen situation that leads not only to financial losses but also to reputational damage.
If your SSPA Data Processing Profile includes selections that Microsoft considers higher risk, the Self-Attestation against the applicable items of Microsoft's Data Protection Requirements will be followed by an Independent Assessment requirement as well. The profile selection options that trigger an Independent Assessment are published in the SSPA Program Guide. It is a good idea to check this each year before you submit your Profile, so that you can allocate the time and resources needed to complete the requirements you will be assigned.
Interpreting Microsoft's Data Protection Requirements (DPR) and confirming their applicability and your compliance can be challenging for suppliers; this is where our in-depth knowledge of the SSPA Program and the DPR can save you time and effort.
Microsoft takes compliance and deadlines very seriously, which protects Microsoft as well as its suppliers and customers; not least, it is crucial for Microsoft suppliers to stay Green in the SSPA in order to remain eligible for business with Microsoft.
IT Asset Management practices ("ITAM", with a particular focus on the software part of assets) have gained broader attention from CIOs and IT Directors in Central Europe in recent years. Hardware and software purchases can typically make up 40% of an organization's IT budget. A significant percentage of this budget is often spent on unused service and support costs, which turns software licensing into a risk that needs to be addressed. Vendor audits raise the stakes further, resulting in unexpected budget increases to comply with the audit request and in expenditure to buy missing licenses.