The Schellman Blog

Formerly known as Service Organization Controls (SOC) reports, what are now known as System and Organization Controls reports help companies establish trust and confidence in their services or products, including their delivery and business processes and their controls.

When conducting an audit, an auditor must obtain an understanding of a client’s internal control environment, including the use, applicability and nature of any manual and automated controls, in order to design appropriate procedures to test such controls.

NOTE: Schellman has since updated and expanded this content in a more recent article here. During the course of an audit, there are instances when findings can come to the auditor’s attention. If the finding is discovered prior to the report date (Type 1 reports) or end of the report period (Type 2 reports), a client will have the opportunity to remediate the finding.

From a compliance standpoint, documented policies and procedures are very important and can sometimes be required, depending on the scope of services Schellman is providing.

The HIPAA Omnibus Rule which took effect on September 23, 2013, has led to the evolution of the HIPAA Compliance environment. Now more than ever it is important to understand what the security and privacy obligations are of a business associate (BA) or a subcontractor of a BA. BA’s are now mandated to comply with the HIPAA Privacy and Security rule requirements. Below are some high level requirements that BA’s need to be aware of when assessing their compliance environment:

When auditors begin to test procedures for compliance examinations (i.e., SOC 1, SOC 2), there are cases where the clients are performing certain tasks; however, they are not documented, which puts the auditors in a precarious position.