What do we do?
The System and Organization Controls (SOC) 2 framework aims to protect the interests of the user entity while it receives services from the service organization. A Certified Public Accountant (CPA) assesses these controls to issue a Type 1 or a Type 2 report. A Type 1 report attests to control testing as of a point in time, whereas a Type 2 report attests to control testing over a period of time.
We use a well-defined six-phase methodology to help an organization achieve successful SOC 2 compliance.
What are the SOC 2 Trust Principles?
- Security (Common Criteria): The system is logically and physically protected against unauthorized access.
- Availability: The system is available for operation and use as committed or agreed to.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information that is designated ‘confidential’ must be protected.
- Privacy: An organization or a person may only use personally identifiable information in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Each of these principles breaks down into more detailed risks and controls with which an organization must comply.
How can Anvaya help you achieve SOC 2 Attestation?
Anvaya brings a focused methodology and structured approach to determining the applicable risks and controls required to achieve SOC 2 Attestation.
We ensure that the service organization has adequate internal controls to demonstrate to any Certified Public Accountant (CPA), so that the CPA can issue a SOC 2 report. Our approach involves:
- PHASE I – Determining the objectives. This phase consists of determining the goals of both the user entity and the service organization.
- PHASE II – Gap Analysis. During this phase we compare the stated objectives against the applicable SOC 2 controls and the associated risks to identify the gaps and their solutions.
- PHASE III – Control Design and Documentation. We apply our proven methodology to assess risks and assign control responsibilities to internal stakeholders. We help the organization nominate key roles, such as risk officers, to drive ongoing compliance. At the end of this phase, you will have complete documentation of the controls and the associated risks.
- PHASE IV – Auditing and tracking. In this phase we establish a process to track the risks and to audit across functional areas. We identify the gaps in each function or process and remediate them until all required internal controls are implemented.
- PHASE V – Audit and Assessments. We help the internal client teams assess compliance with internal controls, providing a measurable framework to demonstrate progress and identify any glaring gaps.
- PHASE VI – Readiness for external audit. We provide the executive team with a formal report on progress from an independent perspective and enable the organization to prepare for the actual Attestation.