The challenge
The company wanted to meet customer and owner demands to demonstrate data security within its web-based application, since it collects and stores a vast amount of sensitive information.
The solution
Given pressure from multiple owners for robust security and compliance, as well as customer requests to audit the company’s security controls, the company sought a third party to review its internal controls. Our engagement began with initial planning meetings to ensure clear communication with all involved parties. Our team, which included multiple partners and senior-level staff, took an all hands-on-deck approach from day one.
We began with the legacy auditing standard SAS 70 (now SOC 1) and have continued to perform SOC examinations as well as attack and penetration work. Working closely with management, we identified appropriate controls for SOC 1 and, when SOC 2 was released by the AICPA, we helped our client determine whether the addition of SOC 2 would help satisfy growing customer compliance requirements. Ultimately, SOC 2 was completed, and the company updated its privacy policy to align with requirements. The SOC 2 work led to formalized policies and we advised the company communicate to its workforce and report to its audit committee annually. Our team continues to regularly perform attack and penetration testing to help the company maintain the security of its application.
The benefit
Our experts provided guidance to the company at a very early stage, which laid the foundation for an ongoing, efficient, and collaborative working relationship. Our team was constantly in touch with company management, and we provided the majority of service on-site, which was important to the client.
Our continued close working relationship means company leadership calls on our team whenever they need advice. When the client acquired another company with contracts that required a SOC examination, they again turned to our professionals. Ultimately, the ability for our client to provide an independent, third-party report on the controls for the data security of its credit application management system has improved customer and owner confidence and reduced time spent addressing customer audit requests.
