Skip to Main Content Skip to Footer

CASE STUDY

Receiving a favorable SOC 2 report with in-depth audit assistance

Miles IT helps a healthcare benefits organization follow SOC 2 compliance requirements and strengthen security control activities.

 

MEET THE CLIENT

Healthcare benefits organization

The client works in the healthcare benefits industry and handles deidentified patient data.
 

Because of their unique technology infrastructure and industry, they needed help demonstrating organizational security controls to receive SOC 2 accreditation.

PRIMARY GOALS

Demonstrate security standards through a SOC 2 audit

Though their existing documentation and controls were reasonable, the client wanted to ensure that their controls could be matched against the SOC 2 COSO framework.

magnifying glass search icon

Obtain Accredited SOC 2 Audit

The client sought to establish a clear, structured approach for their organization to receive accredited audits now and in future years.

computer icon

Provide Evidence of Organizational Controls

With their unique technology environment, the client needed assistance clearly illustrating their control activities.

thumbs up icon

Meet Customer Requirements

To build trust and transparency among customers, it was essential to share the SOC 2 audit report when the engagement was complete. 

OUR PROCESS

Thorough risk assessments & audit guidance

Under the leadership of our Director of Compliance and Risk Management, we performed several risk assessments to help the client prepare for SOC 2 accreditation and assisted them throughout the audit process.

Cybersecurity experts pointing at computer screens displaying code and system information
  • HIPAA Risk Assessment

    +

    First, our team performed a HIPAA Risk assessment and an organizational risk assessment to gain clarity on the client’s evaluation of their risk levels.

  • SOC 2 Type I Audit Guidance

    +

    Next, we worked alongside the client to achieve a SOC 2 Type I audit report leveraging our years of experience in SOC 2 audits to ensure a smooth audit process.

  • Penetration Testing

    +

    After undergoing the SOC 2 Type I audit, we conducted penetration testing to determine ways the client could improve their security posture.

  • External Vulnerability Scanning

    +

    In an effort to continually improve its security posture, the organization engaged Miles IT for external vulnerability scanning services. This ultimately became a key artifact during the audit process to demonstrate other aspects of risk management and assessment.

  • SOC 2 Type II Audit Guidance

    +

    To help the client attain a SOC 2 Type II report, we provided guidance to the staff involved in the process. At times, we served as the intermediary between the auditor and the client to help “translate” the control needs and ultimately determine what was necessary to provide sufficient evidence.
     

    The client is now on their third SOC 2 Type II audit; we continue to guide them through the process for a smooth audit every time.

OUR STRATEGY

Streamline audit approach & enhance controls

Leveraging our 13 years of experience undergoing SOC audits for ourselves and clients, we assisted the organization with assessments, documentation, and training to simplify the audit engagement.

Documentation Revisions

open book icon

We reviewed, condensed, and rewrote parts of the client’s security policies & procedures, including a Disaster Recovery Plan (DRP), account policies, and incident response plans, to better align with operational methodologies.

Audit Process Training

graduation cap icon

Our team shared knowledge surrounding audit procedures, including how to respond to specific questions, appropriate types of artifacts to prove specific controls, and strategies for managing significant audit activities.

Third-Party-Vendor-Specific Risk Assessment Guidance

professional services icon

To better understand the oversight of third-party vendors, we guided the client through the process of conducting sub-service entity risk assessments, which involve reviews of SOC 2 audits & Vendor Security Posture Questionnaires.

Disaster Recovery Tabletop Test

As an additional scope item, we performed a tabletop test, where a specific business interruption scenario was discussed with participants to determine how their current plan dictated their response actions and the practicality of that plan.

THE RESULTS

Client obtained a favorable SOC 2 report & gained experience with the audit process

With our help, the client received SOC 2 accreditation and is now undergoing their third SOC 2 Type II audit.

Favorable Opinions on SOC 2 Type 1 & II Audits

chart 2 icon

The client received a SOC 2 Type I audit and two subsequent SOC 2 Type II audits, all with favorable auditor opinions.

In-Depth Knowledge of Audit Process

manufacturing gears icon

With a strong understanding of SOC 2 audit management, the client can take the lead on information and artifact gathering in the future.

Established Customer Trust

icon of a person

Now, the client’s customers can view the results of the audit and gain clarity on the presence and effectiveness of their control activities.

Marketing team gathered with computers

MOVING FORWARD

Continual accreditation & ongoing partnership

Since the client has a significant understanding of audit procedures, the Miles IT team now serves as their partner, allowing for mutual validation of controls and artifacts. We also provide recurring vulnerability scanning to help evaluate some of their technical controls.
 

If you’re looking for assistance with SOC 2 audits or another type of regulatory compliance, contact us to see how we can help.