If you’re a service provider, you’ve probably been asked by your customers to perform different types of assessments, audits and checklists.
Although you want to meet your customers’ third-party assurance demands, it can be confusing to determine which assurance audit to perform. Can you consolidate these requests and pare down your compliance efforts? Is there a one-size-fits-all assessment? How do you even get started?
With quite a few assurance audit options to choose from, getting started means first understanding these options, their benefits and their costs. We cover the top seven options below:
1. SOC 1
When it comes to System and Organization Controls (SOC) audits, it all boils down to whether you handle or store data on behalf of your customers. If you do, it’s recommended to perform at least one of the SOC audits.
The SOC 1 audit helps a service organization examine and report on its internal controls relevant to its customers’ financial statements. If your customers also want an in-depth look at your IT controls, you can incorporate General IT Controls (GITC) into your SOC 1 audit.
- SOC 1 pros: For the services you provide that affect your customers’ financial statements, you will demonstrate to them the design, fairness and operating effectiveness of your internal controls. A SOC 1 is the industry standard for third-party service providers who perform financial processing on behalf of their customers.
- SOC 1 cons: A SOC 1 audit does not have a standard scope, so a customer needs to read the audit report to determine if the controls that they require are included.
2. SOC 2
This brings us to SOC 2 audits. SOC 2 differs from SOC 1 in that the SOC 2 audit’s scope is based on the Trust Services Criteria the service organization selects: security (required in all SOC 2 audits), availability, processing integrity, confidentiality and/or privacy. Undergoing a SOC 2 audit helps a service organization examine and report on its internal controls relevant to the selected criteria as they relate to customer data.
With SOC 2, you can determine which of those criteria cover the scope of the services your customers are looking for assurance on. This includes IT controls.
- SOC 2 pros: It can be tailored to fit your environment, and there is flexibility in the controls you implement to meet the criteria. You can also have the auditor’s opinion extended to cover another assessment type or framework within the same report. Like SOC 1, a SOC 2 audit is an industry-standard assurance audit for third-party service providers.
- SOC 2 cons: If you have multiple services and one of them affects your customers’ financial statements, you may also need a SOC 1 audit.
3. SOC for Cybersecurity
SOC for Cybersecurity was developed in 2017 by the American Institute of Certified Public Accountants (AICPA). Their goal was to standardize reporting on the effectiveness of an organization’s cyber risk management controls. SOC for Cybersecurity provides information to the clients of a service organization about the performance of that service organization’s cybersecurity risk management program, giving clients assurance that their data is being protected by adequate controls.
- SOC for Cybersecurity pros: It can be performed at any organization, not just at service providers. It provides an extra level of confidence in your organization’s cybersecurity controls as they are audited by an independent CPA firm, and gives you an audit opinion based on a recognized standard.
- SOC for Cybersecurity cons: Newly introduced by the AICPA, SOC for Cybersecurity is still gaining traction and is not yet as popular as SOC 1 and SOC 2.
4. HITRUST
HITRUST is a comprehensive security and privacy program. With HITRUST certification, you can include security and privacy along with other regulatory factors that your customers are looking for assurance on.
- HITRUST pros: HITRUST isn’t just for the healthcare industry anymore; any organization, including service providers, can use it for assurance purposes. It’s a two-year certification with an interim assessment in between, so it’s not an annual event like a SOC audit. Plus, when you become HITRUST certified, you also receive a NIST certification letter.
- HITRUST cons: On the years you are up for recertification, the cost is generally higher than a SOC audit. HITRUST audits also have a larger number of defined requirements. First-year costs to get prepared for certification can be daunting, and there tends to be a larger time commitment.
5. PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed for organizations that accept, process, store or transmit credit card data. It helps organizations ensure they are maintaining a secure environment.
- PCI DSS pros: Formal validation is not mandatory for all organizations. The assessment level of effort is based on the volume of credit card transactions, so performing this assurance doesn't always have to be a heavy lift. It can also be done at any organization, not just at service providers.
- PCI DSS cons: Fines can be levied for not being in compliance.
6. ISO 27001
ISO 27001 is an internationally recognized standard, published by the International Organization for Standardization (ISO), that sets requirements for your information security management system (ISMS); organizations can be certified against it, and working toward certification helps you build a well-structured ISMS.
- ISO 27001 pros: It’s internationally known, and it gives you an opportunity to improve internal processes. It can be done at any organization, not just at service providers.
- ISO 27001 cons: It provides a management standard for managing security, not for implementing security. You may need an additional certification to satisfy customer demands for third-party assurance.
7. NIST
Created by the National Institute of Standards and Technology (NIST), these are a set of information system security standards that help federal agencies (and other organizations) meet the requirements of the Federal Information Security Management Act (FISMA).
- NIST pros: When followed, NIST helps organizations ensure they have appropriate security controls in place. It lays out a plan to help organizations comply with other regulations (such as HIPAA, SOX and FISMA) and meet other frameworks (such as SOC 1, SOC 2 and HITRUST). It can also be done at any organization, not just at service providers.
- NIST cons: There is no certification from the National Institute of Standards and Technology (NIST) regarding security, but there are some related assessments to show compliance (e.g., FISMA, MARS-E, FedRAMP). HITRUST offers its own branded NIST certification, but it is not an official NIST-sanctioned designation/certification.
Which assurance audit is right for you?
So which audit, assessment or certification should you pursue? It all depends on:
- What industries you are in.
- Who’s asking you for assurance and what types they are asking for.
- Whether you have a strong relationship built with your customers to enable an open and honest conversation that determines a mutually agreeable plan.
- Whether you can find one audit/assessment that meets all of your customers’ needs.
What we recommend at Wipfli is talking internally with your team to discuss all of your customers’ assurance demands and then bringing in an outside compliance expert to help you go through your options and make the best decision on which audit/assessment to perform.
By understanding your options and using the input you’ve collected from your customers, you can make a decision based on the costs and benefits. Then you can go back to your customers and have those open and honest conversations with them on the ways the single audit you’ve chosen can satisfy their needs.
If you need assistance choosing which audit/assessment to perform, contact us. We have deep experience performing assurance audits, especially SOC and HITRUST. We can also help you strengthen your internal controls before performing an audit, setting you up for success.