Why Skoda Minotti for your SOC 2 (AT 101) Report

  • Reach the highest IT reporting standards
  • Prove your organization’s information systems are superior
  • Assure security, availability, processing integrity, confidentiality and privacy

Skoda Minotti Risk Advisory Services brings you custom-built assessment and reporting tools so SOC 2 engagements can be completed efficiently, effectively and on budget. Our in-house resources, knowledge across a range of industries and IT expertise provide you with the most sophisticated level of service at a fair cost compared to Big 4 expenses. A SOC 2 report with Skoda Minotti gives you compliance along with a recognizable third-party assurance report.

SOC 2 Examination Services:

  • SOC 2 Readiness Assessment: Preparing for your first SOC 2 (AT 101) audit? After reviewing current policies and procedures, Skoda Minotti Risk Advisory Services prioritizes which controls should be considered for implementation prior to the audit.
  • SOC 2 Type 1 Report: You will receive a well-defined, highly detailed and quality report that proves to customers that an independent third party has audited you and that you meet the compliance objectives of you and your customers.
  • SOC 2 Type 2 Report: Upon completion of control testing throughout the year, your detailed SOC 2 Type 2 report lets your customers know that you have completed testing that validates your controls and processes.

SOC 2 Criteria

Test your information systems against best practices and ensure that you have critical controls in place to provide security, confidentiality of stored information, processing integrity of transactions, system availability and privacy.

Not sure if you need a SOC 1, 2, 3, or all of the above? A Skoda Minotti Risk Advisory Services specialist will walk you through these reporting standards and advise on what your organization needs to stay compliant, competitive and cost-efficient. SOC 2 reporting criteria are identical to Trust Services/SOC 3—but the difference is how the report is formatted. SOC 2 reports provide detailed reporting and testing procedures for third parties to evaluate.

Industries for SOC 2

SOC 2 benefits the following industries and associated providers (and many more—ask us for advice):

  • Hosting providers
  • Production printing
  • Software as a Service (SaaS)
  • Application service providers (ASP)
  • Health care service providers
  • Government service providers

*Be sure to consider a SOC 1 (SSAE 18) report if your service potentially impacts one or more clients' financial reporting activities.

Skoda Minotti SOC 2 Compliance Roadmap

While we tailor every audit to meet each client’s unique requirements and challenges, our roadmap to compliance typically follows a five-phased approach that creates the general framework of each audit. Our goal is to create an efficient, unobtrusive audit so that you can focus on your business, and we can focus on your compliance.

Our team of audit professionals serves our clients by combining knowledge of industry standards and regulatory requirements with proven methodologies and tools to produce cost-effective, value-added results. And what really sets us apart from our competitors is our highly personalized, client-centric level of service. We view ourselves as your business partner and treat our engagements as an opportunity to continuously improve your business processes, rather than a mere exercise in compliance.

Scope & Plan

(Phase 1): SOC 2 engagements are based on the defined principles from the original WebTrust and SysTrust that include specific evaluation criteria; however, each company’s scoping requirements can vary depending on the type of services it performs. We will work with you to ensure your compliance standards (e.g., ISO 27001, HIPAA, GLBA) are in alignment with your policies and procedures and help make your security program stronger. We have years of experience working with just about every industry and work with our clients to ensure that we cover the appropriate scope (Principles under Review). During the scoping and planning phase of the engagement, we’ll provide you with a customized questionnaire and audit request list and complete all planning activities offsite.

Readiness Assessment

(Phase 2): A Readiness Assessment is designed to assess a company’s preparedness for a SOC 2 audit. By conducting a thorough gap analysis, our advisors will assess the current control environment by identifying strengths and providing recommendations for areas that need improvement, as well as review your current policies and procedures to ensure they cover the areas needed. As part of our detailed recommendations, we will provide a prioritized listing of controls that should be considered for implementation or enhancement prior to the audit (Roadmap to SOC 2 Compliance). A Readiness Assessment typically requires two weeks of combined on-site and remote fieldwork and is a valuable and effective assessment that will give you a good idea of where you currently are and where you need to be.

From the outcome of our Readiness Assessment we will issue a detailed listing of gaps with supporting recommendations. Management will have the time needed to respond to and/or implement required remediation steps. Post-remediation supporting documentation can be submitted to our client portal for auditor validation to be performed remotely, without the need for additional time on-site. Our goal is to provide sufficient preparation time, guidance and a remediation period prior to an official report being issued.

Type 1 Report & Marketing

(Phase 3): Upon completion of the remediation efforts and auditor validation, the procedures required to issue the Type 1 report have been completed. This is the first step in proving to customers that an independent third party has audited you, and that you are on track to continually meet the defined criteria year over year. A readiness assessment alone is insufficient evidence for clients that proper controls are in place, which is why our process is designed to include the issuance of a Type 1 report.

Type 1 Report

  • Your SOC 2 Type 1 will be a well-defined, highly detailed and quality report that meets the compliance objectives of you and your customers. The quality of the report is of utmost importance to us. Prior to delivery, each report undergoes a thorough quality assurance review to ensure that the report meets our internal quality standards and procedures. Only once the review is completed will the report be issued.

Marketing

  • This is the opportunity for your audit to essentially pay for itself. A major benefit from completing the SOC 2 audit report is the tangible ROI that is created from having your company audited under the SOC 2 principles. How do we assist in this process? As part of our deliverables package, we will provide a customized draft press release, a high-resolution SOC 2 logo to place on your website and five professionally bound copies of your final report to share with your existing and/or prospective clients.

Continuous Monitoring and Type 2 Report

(Phase 4): After you have successfully implemented control activities to achieve your SOC 2 Type 1 compliance, maintaining compliance to achieve a SOC 2 Type 2 report is the next objective for most organizations. The control activities implemented during your initial assessment must be followed over a period of time (typically not less than six months). We assist you by implementing periodic checks during this time to validate that control activities are still operating effectively; however, there is no remediation phase at this point. The following outlines the processes that occur immediately after your initial Type 1 report:

Control Activity Calendar

  • This tool is utilized to assist organizations with reminders of when certain activities must occur.

Interim Audit Requests

  • Throughout intervals during the next six to 12 months, we issue periodic audit requests to validate that control activities are being followed.
  • Any request will be updated in our customer portal and validated by a senior auditor.
  • Results of each periodic audit will be updated for management’s review.

Walkthroughs

  • This is a series of interviews with management and process owners to reconfirm our understanding of the system and flow of transactions, identifying existing controls and assessing new controls implemented since the last on-site assessment. This process can last from one day to several weeks, depending on the size and number of client site locations.

Testing of Controls

  • Through a combination of inquiry, observation and inspection procedures, the operating and design effectiveness of each control is assessed.
  • Testing results are communicated to management.
  • Management responds to identified deficiencies (if applicable).

Upon completion of our control testing during the year, your SOC 2 Type 2 audit report is developed and issued. This report is more detailed than your SOC 2 Type 1 report and includes additional details regarding the testing procedures performed to validate your controls and processes. It is designed to meet the compliance objectives and requirements of you and your customers. The quality of the report is of utmost importance to us, and just like the Type 1 report, we provide a customized draft press release, a high-resolution SOC 2 logo to place on your website and five professionally bound copies of your final report to share with your existing and/or prospective clients.

Renewal & Planning

(Phase 5): Upon completion of your SOC 2 Type 2 audit report, planning next year’s audit begins. This entails issuing audit recommendations, providing guidance and agreeing to terms for future engagements.

Project Timeline: Five-Phased Audit Approach
