Third Party Assurance

SOC 1 reports attest to the compliance of systems involved in financial transactions, providing independent assurance on controls for financial processes that have been outsourced to a third party. 

SOC 2 reports cover Information Technology Security, Availability, Processing Integrity, Confidentiality and Privacy.

SOC 2 Plus Additional Criteria reports include additional criterion specific to users' unique requirements, such ISO 27001, NIST, HITRUST and the Cloud Security Alliance (CSA) frameworks. When planned properly, this audit approach can reduce compliance costs and efforts by streamlining controls testing and combining assurance reporting in one report.

For service providers facing multiple compliance requirements, SOC 2+ reports provide an independent opinion on both the Trust Services Criteria (TSC) from the American Institute of Certified Public Accountants (AICPA) plus additional subject matter, such as: 

• ISO 27001: ISO/IEC 27001:2022 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
• HITRUST: Provides standards for all stages of transmission and storage of health care information to help ensure integrity and confidentiality.
• NIST Cybersecurity: Focuses on improving cybersecurity for critical infrastructure.
• Cloud Controls Matrix (CCM): Specifically designed to provide fundamental security principles to guide cloud providers and to assist prospective cloud clients in assessing the overall security risk of a cloud provider.

While SOC 2+ increases the criteria covered, there may be significant overlap between the TSC and the selected additional criteria, which allows service providers to realize efficiencies in reporting and reduces costs for both the service provider and the service auditor. AICPA has worked to better enable this model of realizing efficiencies by creating approved mappings of the TSC to many various compliance frameworks.

SOC 3 reports are less detailed than SOC 2 compliance, and it is meant to be publicly available. SOC 3 reports are designed to meet the needs of users who require assurance about the controls at a service organization.

Our team also provides implementation and advisory services to support clients on their ISO 27001 assessment and certification journey.  

In a world filled with increasing compliance requirements, customers, business partners, and suppliers are becoming more concerned about the security of their information, and about information security in general. That’s why it is critical to stay compliant with the internationally recognized standard ISO 27001 and to understand how the new 2022 standards will impact your organization.

ISO/IEC 27001 is the international standard for information security – it sets out the specification for an Information Security Management System (ISMS). The standard provides a minimum baseline of information security controls required to develop, maintain, and continually improve the ISMS. It consists of policies, procedures, and other controls involving people, processes, and technology. 

When an organization is ISO 27001 compliant, clients can be assured that the level of data privacy and security within these organizations meet international standards and industry best practices. By implementing ISO 27001, your organization will be better equipped to build trust with both employees and customers, reduce the chances of security breaches, and safeguard your company’s valuable information, amongst many others.

Our Third Party Assurance team provides CSAE3000/ISAE 3000 type reports which include assurance engagements on management’s statement of selected performance indicators, selected sustainability information included in a social responsibility report, an entity’s cybersecurity risk management program and controls (SOC for Cybersecurity), and other reports. These reports do not include audits or reviews of historical financial information.