
SOC 1 and SOC 2 compliance confirms tech company’s data security

September 26, 2018 | Case Study
Sarah Pavelek, Natalie Pintar
Technology provider assures multiple owners and large customer base of data security with SOC 1 and SOC 2 compliance
Cyber case study

The challenge

The company wanted to meet customer and owner demands to demonstrate data security within its web-based application, since it collects and stores a vast amount of sensitive information.

The solution

Given pressure from multiple owners for robust security and compliance, as well as customer requests to audit the company’s security controls, the company sought a third party to review its internal controls. Our engagement began with initial planning meetings to ensure clear communication with all involved parties. Our team, which included multiple partners and senior-level staff, took an all-hands-on-deck approach from day one.

We began with the legacy auditing standard SAS 70 (now SOC 1) and have continued to perform SOC examinations as well as attack and penetration work. Working closely with management, we identified appropriate controls for SOC 1 and, when SOC 2 was released by the AICPA, we helped our client determine whether the addition of SOC 2 would help satisfy growing customer compliance requirements. Ultimately, SOC 2 was completed, and the company updated its privacy policy to align with requirements. The SOC 2 work led to formalized policies, and we advised the company to communicate them to its workforce and to report to its audit committee annually. Our team continues to regularly perform attack and penetration testing to help the company maintain the security of its application.

The benefit

Our experts provided guidance to the company at a very early stage, which laid the foundation for an ongoing, efficient, and collaborative working relationship. Our team was constantly in touch with company management, and we provided the majority of service on-site, which was important to the client.

Our continued close working relationship means company leadership calls on our team whenever they need advice. When the client acquired another company with contracts that required a SOC examination, they again turned to our professionals. Ultimately, our client’s ability to provide an independent, third-party report on the controls for the data security of its credit application management system has improved customer and owner confidence and reduced time spent addressing customer audit requests.
