SOC Attestation Services Case Studies

Healthcare BPO based in Bangalore & Florida, US
Florida, US-based parent with an Indian BPO subsidiary based in Bangalore

First-time SOC 2 certification, 4 Trust Services Criteria in scope

  • SOC 2 Type II certification
  • The Florida-based parent company holds the customer contract; the work is fulfilled by the Indian subsidiary
  • Main work is assistance in claims processing, but no data is transferred or moved out of the US: the Indian staff have view-only access, and processing output is stored in US-based systems, with access and data storage-related controls in place
  • Like most HIPAA-impacted BPOs, staff in India access data and systems located in the US only remotely, from systems based in India; no data is hosted in India. HIPAA compliance was not in scope
  • Access controls, data loss prevention, Confidentiality, Security and Availability were the main concerns
  • This was an attest-only engagement for us; a partner had completed the SOC readiness assessment, gap identification and remediation
  • Attestation work completed in approx. 7 weeks

Data Centre offering CoLo Services – MEA Region – SOC 2 Type I & II
First-time SOC 2 Type I assessment, followed up with a Type II

Security & Availability criteria in scope

  • First-time SOC 2 assessment
  • “Remote audit” performed during COVID
  • Full use of technology to perform a virtual site visit during COVID: Microsoft HoloLens and online video tools were used to walk us through the physical access controls at the site in the Middle Eastern coastal country
  • Gap assessment and attestation performed by EntPerMaSys; remediation measures implemented by a partner entity
  • Completed in a 6-8 week timeframe (Type I) and 12 weeks (Type II)

Data Archiving Platform – India & US based – SOC 1 & SOC 2 Type II
Repeat SOC 2 and SOC 1 Type II attestations for an India-listed company's US subsidiary with a “Group Holding” structure, but with only select subsidiaries scoped

Security, Confidentiality & Availability Criteria in scope

  • SOC 2 Type II and SOC 1 Type II
  • SOC 2 completed almost 1 week ahead of the agreed schedule and SOC 1 completed 3 weeks ahead of schedule, due to urgency expressed by the client (customer sign-ups were on hold pending SOC re-certification)
  • Noticed some gaps in the previous SOC 1 attestation, which we brought up with the client prior to starting the work
  • The client took our feedback on the gaps on board, and we suggested changes for a more robust SOC 1 report
  • Completed the 2nd-year follow-on SOC 2 Type II and SOC 1 Type II attestations

India & US based – Startup using an AI/ML based platform for the Banking Industry
First-time SOC 2 Type II certification for an AI/ML-based loan application processing platform that did not directly collect PII / SPI from applicants

  • Started with Privacy not in scope
  • The audit client's own initial internal assessment was that its B2B model did not require inclusion of the Privacy criterion
  • Our advice on the applicability of the Privacy criterion was well appreciated: given the industry vertical (banking / financial analytics) and the use of AI / ML algorithms to process PII / SPI, the criterion is relevant even though that data is not collected directly from applicants
  • SOC 2 Type II completed in 10 weeks (attestation only, with prep work done by a partner)
  • Although the overall attestation was delayed by the inclusion of a criterion initially not in scope, the final report was more usable and relevant for the user entities of the service organization
  • The audit client is now a happy multi-year repeat customer

US based – Clinical Research Organization – SOC 1 Attestation
First-time SOC 1 Type II certification for a full-service CRO headquartered in the US with locations in India, the Philippines, Singapore and China

  • Only the Bangalore (India) and US locations in scope
  • Controls operate differently in the two locations, with some IT controls centralized in China (an out-of-scope location)
  • The Finance department had documented certain controls operating in other departments, since they impact the books, e.g.:
    • Controls over payroll, employee on-boarding and exits operating in the HR department
    • Corporate governance-related controls required for SOC 1 are present in India (due to Indian Companies Act provisions) but are not applicable to the corporate headquarters in the US
    • IT-related controls operate differently in India as compared to the US
    • Most of India's “operational controls” (e.g. timesheet time booking, project creation and deletion) impact US Time & Materials billing processes but not India processes, since India financials are eliminated during consolidation
  • Required a more “consultative” approach while maintaining auditor independence

Chennai (India) based – IT Services company
SOC 2 Type II (repeat assessment; the first assessment was performed by a Big 4 firm)

  • Chennai (India) location in scope
  • All 5 TSC categories in scope
  • Sensitive HR functions being performed in EU locations meant that the Privacy controls' documentation and operating effectiveness required careful assessment
  • Report formats synchronized with the previous (Big 4) auditor's at the customer's request, for continuity with the previous year's report for the repeat location