SSAE 16 and SSAE 18 Audits bring tons of questions. In this section we hope to answer some questions we frequently come across during our calls and client interactions.
The Service and Organization Controls 2 Report, formally known as a Service Organization Controls Report as of the most recent update to the SSAE 18 audit standard. A SOC 2 report can cover the design (type 1 report) or operating effectiveness (type 2 report) of controls around a Company’s system over any number of categories, including, Security, Availability, Confidentiality, Processing Integrity, and/or Privacy.
See our more detailed SOC 2 Report page for more information.
Assuming your Company is subject to GDPR, the level of effort depends a lot on the maturity of Organizational and Privacy controls. The Organizational will be mostly met by implementation of the related latest SOC 2 updates, which is good. However, if you are not currently including Privacy in your SOC 2, and do not have a strong privacy program in place, there will be a moderate level of short term effort required.
It should take approximately 2 to 3 months in collaboration with your Auditor to perform a readiness assessment of the specific GDPR requirements and implement said updates for most Company’s.
The upside of being required to implement GDPR is that there would be minimal effort to include Privacy and references to any unique GDPR requirements within future SOC 2 reports.
We have a small company, how do we segregate Board of Directors from Management, and then, also the Internal Audit function?
Depending on the size of your Company, you could look to another small business owner in a similar situation or trusted advisor to sit on each others board’s and create the necessary segregation. As always, consult with your auditor before taking any structural changes.
As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become a key component of monitoring for potential security and compliance risks when outsourcing functions that use a third party’s data.