Compliance Audits for Managed Service Providers: Choosing the Right Audit for You

As a provider of managed services, your customers are entrusting you with the responsibility for some of the controls that could impact the integrity, availability and confidentiality of their data. Although they transfer the responsibility for the controls, the ultimate accountability remains with your customers and in most cases, they will request evidence that appropriate controls are in place to protect their data. As a managed services provider there are several options that you can pursue to provide this evidence.

The first is to work directly with every customer and answer their audit questionnaires, provide them detailed evidence of the controls and possibly undergo on-site visits from each of your customers or their auditors. This is typically not an efficient method and can cause a significant impact on your daily operations due to the continual barrage of audit-related tasks.

The second option is to undergo a SOC 2 examination. SOC 2 is built on the Trust Principles of Security, Availability, Confidentially, Processing Integrity and Privacy. Depending upon the services provided and the level of access you have to your customers’ data you can choose one principle or all five. The SOC 2 report can be distributed to your customers as evidence of the controls in place to protect their data. In addition to the reduced audit impact the SOC 2 can bring to your organization, it also demonstrates your commitment to security and controls in your environment. At the conclusion of the examination, the AICPA provides a logo to display on your website.

The SOC 2 report addresses general controls for the protection of data but is it sufficient for your customers in specific industries such as healthcare or payment card processing? For your customers in these industries they may require additional controls as defined by the HIPAA/HITECH Acts or the PCI Data Security Standards. As with the SOC 2 examination, in order to keep from responding to each customer’s audit requests, as a managed service provider you can undergo an audit against the HIPAA/HITECH or PCI DSS security assessment and provide evidence of compliance to your customers.

These audits are not mutually exclusive. Many of our clients undergo multiple examinations/audits to meet the requirements of their customer base. A-LIGN assists our managed services client by bundling these projects and performing them together. By bundling these projects A-LIGN is able to reduce the time it takes to perform the fieldwork thereby reducing the overall fees.