When you provide a service that gives you access to a client's systems, software, or other parts of their environment, controls must be in place to ensure that the information you can reach is protected at all times. Producing information and documentation about your control environment separately for each client is time consuming and can get in the way of delivering good service. In addition, larger organizations and public companies will often require an independent assessment of your controls before they will do business with you.
A single SOC 2 examination is a cost-effective way to complete one audit and show all of your current and prospective clients how secure your systems and processes really are. Note that SAS 70 was superseded by SSAE 16 in 2011; the SSAE 16 (SOC 1) report covers controls relevant to your clients' financial reporting, while the SOC 2 report is the one that covers the trust service principles listed below.
Your control environment begins with your hiring process. Before you grant an employee access to a client's systems, controls must be in place to verify that the employee is qualified for the job and will handle the information they can see appropriately. Interviews, background checks, and reference checks will likely be required.
The way you deliver services may also require additional controls. If you access a client's systems remotely, the connection must run over an encrypted channel (for example a VPN), and the confidentiality and integrity of data in transit must be assured end to end, not just at the point of login.
Monitoring systems or viewing information on a client's systems carries its own control risks. Controls must be in place to ensure that information designated confidential or private stays that way at every step, including in your own logs, tickets, and monitoring tools.
The five trust service principles that may apply to your services and your clients are the following:
- Security - The system is protected against unauthorized access (both physical and logical)
- Availability – The system is available for operation and use as committed or agreed upon
- Processing Integrity - System processing is complete, accurate, timely, and authorized
- Confidentiality – Information designated as confidential is protected as committed or agreed upon
- Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments made to clients and with applicable laws and regulations.
For most managed services companies, not all of the principles above will be relevant, and those that are not are excluded from the scope of the audit. Assure Professional will assist you in determining which principles are relevant to your company.
We want to be your partner. For additional information please Contact Us.