SOC Examinations

SOC 1 EXAMINATION

A SOC 1 report has many aliases (former SAS 70, SSAE 16, SSAE 18, and SSAE 19) but the purpose has not changed in many years. The report is most relevant to service providers that perform financial transactions processing or support a transaction processing system. SOC 1 reports are focused on service providers' internal control over financial reporting. The SOC 1 is made up of control objectives that can be defined by the service provider or through the help of Pease Bell CPAs RAS team. Control objectives are further broken down into control activities that are in place to meet the intention of the control objective. Organizations that typically consider a SOC 1 include: third party administrators, payment processors, payroll providers, cloud ERP service providers, medical billing, and data center colocations.

SOC 2 EXAMINATION

SOC 2 reports can be applied to a broader range of service providers as the report is intended to address operational controls. The SOC 2 is made up of 5 Trust Service Categories (security, availability, confidentiality, processing integrity, and privacy) and a service provider can select which ones to report against (all SOC 2 reports must include the security category). Beneath each category are criteria that must be addressed by control activities at the service provider. Organizations that typically consider SOC 2 include: cloud service providers (SaaS, PaaS, IaaS), managed service providers, systems housing third party data and data center colocations.

SOC 3 EXAMINATION

A SOC 3 report is essentially a SOC 2 report but is available for general use and can be distributed on a website for the public to consume. (SOC 2 report are considered confidential as it includes a list of controls in place at the service provider). Like the SOC 2, a SOC 3 is made up of 5 Trust Service Categories where all are optional except for security. Organizations that typically consider SOC 3 include: cloud service providers (SaaS, PaaS, IaaS), managed service providers, systems housing third party data and data center colocations.

OTHER ATTESTATION REPORTS

Pease Bell CPAs provides our clients with compliance and attestation reports that cover a variety of security frameworks including CCPA, GDPR, GLBA, HIPAA, HITRUST, ISO 27001, NIST 800-53, and Sarbanes-Oxley (SOx).

HIPAA CERTIFICATION: ENSURING HEALTHCARE INFORMATION SECURITY

HIPAA (Health Insurance Portability and Accountability Act) certification is crucial for showcasing an organization's compliance with the HIPAA Security and Privacy Rules. It involves evaluating administrative, physical, and technical safeguards in place to protect individuals' healthcare information, known as Protected Health Information (PHI). This certification enhances the organization's reputation, builds trust with patients and partners, and mitigates the risk of penalties.

GDPR COMPLIANCE: SAFEGUARDING PERSONAL DATA

The General Data Protection Regulation (GDPR) is a comprehensive EU regulation aimed at protecting individuals' personal data. While not a certification, GDPR compliance is a legal requirement. Organizations must adhere to GDPR principles, including obtaining consent, transparent privacy policies, security measures, and respecting individual rights.

CMMC: STRENGTHENING CYBERSECURITY FOR DOD CONTRACTORS

The Cybersecurity Maturity Model Certification (CMMC) is a U.S. Department of Defense initiative setting cybersecurity standards for Defense Industrial Base contractors. This certification mandates security controls to protect sensitive information from cyber threats. Pease Bell CPAs, with Certified CMMC Professionals, assists organizations in defining CMMC levels, implementing controls, and preparing for assessments.

ISO 27001 INTERNAL AUDIT: ACHIEVING INFORMATION SECURITY MANAGEMENT

ISO 27001 certification requires implementing an Information Security Management System (ISMS). Pease Bell CPAs provides internal audit services, addressing Clause 9's annual audit requirement. With a focus on objectivity and impartiality, our process evaluates an organization's ISMS against ISO 27001 requirements. Our former ISO 27001 Lead Auditor ensures a thorough assessment and valuable recommendations.