Client description
A Managed Service Provider (MSP) in Massachusetts sought an AICPA Service Organization Controls (SOC) 2 audit to demonstrate a commitment to security and risk management to its customers and to proactively share information about its controls with prospects and other interested third parties.
Challenge
The MSP was fielding multiple requests from its customers for a SOC report. In addition, many prospective customers wanted a better understanding of the MSP’s security and availability controls as part of their vendor due diligence and contracting processes. The MSP engaged BerryDunn to complete a SOC 2 examination to effectively meet this demand.
Approach
Our goal was to prepare the MSP for a successful SOC 2 examination. Accordingly, we recommended a readiness assessment (gap analysis) first to determine if appropriate controls were in place to satisfy the requirements of the SOC 2 Security and Availability Trust Service Principles (TSP).
BerryDunn’s team made an initial visit to the MSP to gain an understanding of operations and core processes. During our onsite readiness assessment, our team conducted interviews, reviewed documentation, observed operations, and performed walkthroughs of processes to determine the MSP’s readiness for the SOC 2 exam.
The resulting Readiness Assessment report mapped the MSP’s existing controls to the controls required by the SOC 2 Security and Availability TSPs. By identifying gaps in controls and providing recommendations based on best practices, the MSP had an opportunity to improve its overall control environment prior to the actual SOC 2 examination. We risk-ranked the gaps identified and recommendations to help the MSP prioritize their remediation efforts.
After delivering the Readiness Assessment report, we monitored the MSP’s progress in implementing our recommendations by conducting check-in calls to discuss improvements and any issues or obstacles encountered. Based on our discussions, we provided additional guidance that would assist the MSP in implementing our recommendations. We made an additional visit to the MSP to discuss the risk management process and how to implement a risk management program. As a result of the MSP’s progress on our recommendations, we were able to schedule the SOC 2 audit within six months of the Readiness Assessment.
Outcomes
- Risk-ranked findings and recommendations provided the client with a clear approach to develop, refine, and document controls to meet the criteria of the TSPs.
- Consistent communication supported the client during the implementation of our recommendations.
- The client was well-prepared and completed its first-time examination.
Next steps
The client has implemented our recommendations, and was well prepared for the Type 1 engagement completed this fall. Upon completion of the Type 1 examination, the client should be ready for a Type 2 examination the following spring.
Skip to Main Content