Comprehensive Information Technology Compliance Solutions

SOC Examinations
All SOC examinations are not created equal. While all companies providing SOC services follow the same AICPA guidance, (SSAE 18 for SOC 1 and TSP 100 Trust Services Criteria) approaches to conducting the audit can differ significantly. GCPA has developed an extensive internal controls database across multiple industries and information system platforms that enable us to streamline our engagements and customize our engagement framework to meet the specific needs of our clients. Our experience within multiple industries facilitates our understanding of your business processes. We can then assist in developing specific control objectives and control activities that provide assurance that all critical business processes are identified, analyzed, and tested.
At GCPA, we fully appreciate the challenges of managing the increase costs of doing business, understanding that all SOC costs cannot be passed on to the customer. We focus on reducing these costs while providing companies with opportunities to grow their respective markets.
SOC Engagement Process
GCPA works closely with your organization in developing a successful roadmap for SOC compliance. We analyze your key business processes and objectives to give us valuable insight as to your needs regarding SOC compliance. The cost and time of completion for Type 1 and Type 2 engagements varies significantly; therefore, we strive to understand your business dynamics to provide you exactly what is needed.
Utilizing leading tools, expertise GCPA streamlines the control objective and control activity identification process by utilizing an extensive internal control database containing business process and information technology controls for multiple operating systems and applications?. Our extensive knowledge and experience enables us to quickly gain an understanding of your internal control environment and identify the key controls associated with your business process and IT environment.
Reducing time, effort, and costs of audits. GCPA has worked with clients who have had SOC audits performed by other auditors. When we review the process and controls documentation, we are consistently able to reduce the number of control objectives by an average of 15-25%. This not only helps to reduce time, effort, and costs of the audit, but significantly increases the efficiencies associated with the business process. Clients are able to focus on the most important controls and not waste time and effort on controls that do not add value to the process, are redundant, or do not represent key controls.
Understanding the process. The SOC engagement process begins with a meeting with key management involved with the process and IT environment being audited. If the client has had a SOC audit previously, we will review their controls documentation to gain an understanding of the process and to facilitate questions during the initial meeting.
After the initial meeting, we provide the client with a controls listing and sample documentation to facilitate the controls documentation process. Once we have a good draft of the controls documentation, we plan our on-site visit to confirm the controls and perform controls testing if a Type II report. Our average time on site is 3-4 days depending on the complexity of the process and number of control activities.
Our customized report process enables us to quickly turnaround the first report draft for management review. We typically issue the first draft to management within two weeks of completing controls testing. Depending on management’s availability, we are able to issue the final report within 3-4 weeks of completing controls testing.
SOC Readiness Assessments
GCPA assists companies in preparing for a future SOC 1 and/or SOC 2 audit, including both Type I and Type II reports. We highly recommend a readiness assessment for any company that plans to perform a Type 2 SOC audit as its initial audit. A SOC readiness assessment simply augments the overall engagement process for the actual SOC audit. It provides for a more streamlined, efficient audit and aids in mitigating any business interruption issues when conducting the SOC engagement itself.
The readiness assessment is designed to identify the controls that should be implemented or enhanced prior to the actual audit. Some companies have existing control documentation and test their controls on a regular basis. GCPA can review those controls and identify improvement opportunities and in some cases reduce the number of identified controls due to redundancy or excessive non-key controls. For companies who have never identified or documented their controls, GCPA has developed an extensive internal controls database that assists clients in getting started with the identification of risks specific to their business and the associated control objectives.
Deliverables. The SOC Readiness Assessment provides an excellent introduction of the SOC methodology and process to client personnel. The readiness assessment establishes expectations for the future audit with regards to the time commitment required by key client personnel. Most importantly, the readiness assessment provides the client with an initial draft of their description of controls and a gap analysis detailing the recommendations needed before the actual SOC audit.
SOC 1/SSAE 18 Examination
The SOC 1 report delivers an organization’s control objectives and corresponding controls relevant to processes that impact their customers’ controls over financial reporting.
SOC 2 Examination
SOC 2 report is an attestation designed to meet a broad set of reporting needs about the controls at a service organization as it impacts security, availability, confidentiality, processing integrity, and privacy as required by the Trust Services Principles and Criteria.
SOC 3 Examination
The SOC 3 examination reports on the operational controls pertaining to the suitability of design and operating effectiveness of controls intended to meet the selected Trust Services Principles and Criteria. The SOC 3 is an extension of the SOC 2 report and is used for more public access to an your SOC reporting status
SOC for Cybersecurity
SOC for Cybersecurity reports provides a description of your cybersecurity risk management program and a set of benchmarks that we will evaluate your program against.