CASE STUDY
Receiving a favorable SOC 2 report with in-depth audit assistance
Miles IT helps a healthcare benefits organization follow SOC 2 compliance requirements and strengthen security control activities.
MEET THE CLIENT
Healthcare benefits organization
The client works in the healthcare benefits industry and handles deidentified patient data.
Because of their unique technology infrastructure and industry, they needed help demonstrating organizational security controls to receive SOC 2 accreditation.
PRIMARY GOALS
Demonstrate security standards through a SOC 2 audit
Though their existing documentation and controls were reasonable, the client wanted to ensure that their controls could be matched against the SOC 2 COSO framework.
Obtain Accredited SOC 2 Audit
The client sought to establish a clear, structured approach for their organization to receive accredited audits now and in future years.
Provide Evidence of Organizational Controls
With their unique technology environment, the client needed assistance clearly illustrating their control activities.
Meet Customer Requirements
To build trust and transparency among customers, it was essential to share the SOC 2 audit report when the engagement was complete.
OUR PROCESS
Thorough risk assessments & audit guidance
Under the leadership of our Director of Compliance and Risk Management, we performed several risk assessments to help the client prepare for SOC 2 accreditation and assisted them throughout the audit process.
HIPAA Risk Assessment
First, our team performed a HIPAA risk assessment and an organizational risk assessment to gain clarity on the client’s evaluation of their risk levels.
SOC 2 Type I Audit Guidance
Next, we worked alongside the client to achieve a SOC 2 Type I audit report, leveraging our years of experience in SOC 2 audits to ensure a smooth audit process.
Penetration Testing
After undergoing the SOC 2 Type I audit, we conducted penetration testing to determine ways the client could improve their security posture.
External Vulnerability Scanning
In an effort to continually improve its security posture, the organization engaged Miles IT for external vulnerability scanning services. This ultimately became a key artifact during the audit process to demonstrate other aspects of risk management and assessment.
SOC 2 Type II Audit Guidance
To help the client attain a SOC 2 Type II report, we provided guidance to the staff involved in the process. At times, we served as the intermediary between the auditor and the client to help “translate” the control needs and ultimately determine what was necessary to provide sufficient evidence.
The client is now on their third SOC 2 Type II audit; we continue to guide them through the process for a smooth audit every time.
OUR STRATEGY
Streamline audit approach & enhance controls
Leveraging our 13 years of experience undergoing SOC audits for ourselves and clients, we assisted the organization with assessments, documentation, and training to simplify the audit engagement.
Documentation Revisions
We reviewed, condensed, and rewrote parts of the client’s security policies & procedures, including a Disaster Recovery Plan (DRP), account policies, and incident response plans, to better align with operational methodologies.
Audit Process Training
Our team shared knowledge surrounding audit procedures, including how to respond to specific questions, appropriate types of artifacts to prove specific controls, and strategies for managing significant audit activities.
Third-Party-Vendor-Specific Risk Assessment Guidance
To better understand the oversight of third-party vendors, we guided the client through the process of conducting sub-service entity risk assessments, which involve reviews of SOC 2 audits & Vendor Security Posture Questionnaires.
Disaster Recovery Tabletop Test
As an additional scope item, we performed a tabletop test, where a specific business interruption scenario was discussed with participants to determine how their current plan dictated their response actions and the practicality of that plan.
THE RESULTS
Client obtained a favorable SOC 2 report & gained experience with the audit process
With our help, the client received SOC 2 accreditation and is now undergoing their third SOC 2 Type II audit.
Favorable Opinions on SOC 2 Type I & II Audits
The client received a SOC 2 Type I audit and two subsequent SOC 2 Type II audits, all with favorable auditor opinions.
In-Depth Knowledge of Audit Process
With a strong understanding of SOC 2 audit management, the client can take the lead on information and artifact gathering in the future.
Established Customer Trust
Now, the client’s customers can view the results of the audit and gain clarity on the presence and effectiveness of their control activities.
MOVING FORWARD
Continual accreditation & ongoing partnership
Since the client has a significant understanding of audit procedures, the Miles IT team now serves as their partner, allowing for mutual validation of controls and artifacts. We also provide recurring vulnerability scanning to help evaluate some of their technical controls.
If you’re looking for assistance with SOC 2 audits or another type of regulatory compliance, contact us to see how we can help.