AICPA Service Organization Control Reports - SOC 2

“If your company currently uses third-party vendors to provide services that include the collection, processing and/or retention of sensitive information, you should consider inquiring into whether they have successfully completed a SOC 2 Type 2 audit, as it helps to ensure a higher standard for protecting your data.” Jeanne Madden, Vice President Operations, ADP Tax Credit Services

EnterpriseGRC Solutions participates in the development of content for GRC and security products. EnterpriseGRC professionals implement the full stack of products and platforms that a nimble security architecture requires.

(Original article is found on LinkedIn and reposted on

  • Customers and prospects demand a SOC 2 Type II report covering the actual operating effectiveness of your core product systems.
  • Your evidence could reveal a lapse in security which may need to be disclosed.
  • Was your service down for any significant time?
  • Was the data processed effectively?
  • Did your application continually encrypt data over the audited timeframe?
  • External auditors report how well your systems, software, and procedures worked, using actual data collected across a specified timeframe.
  • Findings in the report become the subject of conversation with all of your customers. These findings require remediation in order to retain existing business.
  • In today's cloud economy, customer due diligence has gone from a nice-to-have to a mandate.


Customers demand evidence of reliable controls before placing their trust in, and dependency on, service organizations. One of the most widely accepted ways to earn that trust is the AICPA SOC 2 Type II report, which is issued against the Trust Services Principles and Criteria (TSP section 100). The Trust Services Principles (TSP) are the criteria a CPA firm attests against when evaluating a service organization's controls. When engaged in reporting, however, determining suitable and continuous evidence is time-consuming and sometimes impossible. Beyond the cost of third-party advisory services, the disruption that a SOC 2 engagement can heap across your organization is both substantial and avoidable.

EnterpriseGRC professionals gather and implement system-based control mappings that align enterprise technology to the criteria of TSP section 100, making the failure and success of IT controls continuously available to this reporting process.

The Trust Services Principles set out by the AICPA, recently updated with enhanced privacy criteria (released in April 2016), enable companies to limit their exposure when relying on third parties, and are especially necessary when doing business with organizations subject to FISMA or SEC regulation. Third-party vendor risk management often prevents the business from placing a dependency on any MSP, SaaS, IaaS, or PaaS provider that has failed, or has not yet engaged, to successfully complete a SOC 2 report.



Facing a SOC 2 assessment, organizations often fail due to improper security settings, incorrect configurations, weak encryption, or poor policies and procedures. Continuous testing of those controls could have prevented the cost of business disruption, time-consuming client discussions, and lost business opportunities. EnterpriseGRC Solutions uses tools and programs that automatically check system configuration settings across all target environments and report against the expected system-based SOC 2 illustrative criteria. Reviewing and responding to the recommended fix actions allows timely remediation of the problems found, and further rewards the business with rapid completion of what would otherwise be disruptive SOC 2 audit events.

EnterpriseGRC clients gain further advantage through alignment with the AICPA SOC 2 standard. Managing an effective SOC 2 assessment program supports elements in achieving compliance with many other control frameworks including the security aspects of the following laws and mandates:

  • UK Cyber Essentials
  • Federal Information Security Management Act (FISMA) 2002 (US)
  • Gramm‐Leach‐Bliley Act (GLBA) 1999 (US)
  • Federal Financial Institutions Examination Council (FFIEC) security guidelines (US)
  • Sarbanes‐Oxley Act (SOX) 2002 (US)
  • State security breach notification laws (e.g. California) (US)



Using a facilitated compliance management program together with the Automated Risk Analysis Platform (ARAP™) allows EnterpriseGRC to give Chief Risk and Security Officers, as well as IT and DevOps leadership, evidence in the areas that represent their top challenges in meeting HIPAA Security Rule compliance:

  • Missing patches for operating systems and applications.
  • Monitoring and detecting sensitive data loss (data exfiltration).
  • Locating weak passwords.
  • Lack of logs and audit trails that support the forensic analysis needed to identify and respond to a breach.
  • Security validation for new systems.
  • Missing or outdated anti-malware technology.
  • Encryption of sensitive information in transit.
  • Remediating deficiencies that would otherwise be unmanageable because no trained staff are maintaining the security controls.
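The paragraph above describes tooling that checks system configuration settings and reports them against SOC 2 criteria, and the list that follows names the areas that evidence must cover (weak passwords, audit logging, encryption in transit). The following is an added example of that pattern, written for this page and not EnterpriseGRC, Cavirin or AICPA code: it parses two constructed configuration snippets (an `sshd_config` and a `login.defs`, neither captured from a real host), evaluates CIS-style hardening checks against them, and emits evidence records tagged with a control criterion. The check identifiers (`ssh-01`, `pw-01`, ...) and the mapping of each check to a Trust Services criterion tag (`CC6.1`, `CC6.7`, `CC7.2`) are assumptions for illustration, not a published EnterpriseGRC mapping.

```python
"""Configuration-compliance evidence generator (added illustrative example).

Parses sshd_config / login.defs style files, runs hardening checks, and emits
evidence records tagged with an assumed SOC 2 criterion reference.
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample inputs for the example; not captured from any real host.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes128-cbc,aes256-ctr,chacha20-poly1305@openssh.com
LogLevel INFO
"""

SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines; skip comments/blank lines.

    Keywords are lower-cased (sshd treats them case-insensitively) and the
    first occurrence wins, which is how sshd resolves duplicate keywords.
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


# Legacy / CBC-mode cipher families that CIS-style SSH benchmarks flag.
WEAK_CIPHER = re.compile(r"cbc|arcfour|3des|blowfish|cast128", re.IGNORECASE)


def has_weak_cipher(value: str) -> bool:
    """True if any comma-separated cipher token is a legacy or CBC-mode cipher."""
    return any(WEAK_CIPHER.search(tok.strip()) for tok in value.split(","))


@dataclass
class Check:
    check_id: str                 # assumed identifier, for illustration only
    title: str
    criterion: str                # assumed SOC 2 criterion tag (illustrative mapping)
    source: str                   # which parsed file the check reads
    keyword: str                  # configuration keyword examined (lower-case)
    expected: str                 # human-readable expected state for the report
    passes: Callable[[str], bool] # predicate over the observed value


CHECKS: List[Check] = [
    Check("ssh-01", "Root login over SSH disabled", "CC6.1", "sshd_config",
          "permitrootlogin", "no", lambda v: v.lower() == "no"),
    Check("ssh-02", "No legacy or CBC-mode SSH ciphers", "CC6.7", "sshd_config",
          "ciphers", "no cbc/arcfour/3des/blowfish/cast128 tokens",
          lambda v: not has_weak_cipher(v)),
    Check("ssh-03", "SSH login events are logged", "CC7.2", "sshd_config",
          "loglevel", "INFO or VERBOSE", lambda v: v.upper() in ("INFO", "VERBOSE")),
    Check("pw-01", "Password maximum age bounded", "CC6.1", "login.defs",
          "pass_max_days", "<= 365", lambda v: v.isdigit() and int(v) <= 365),
    Check("pw-02", "Password minimum length enforced", "CC6.1", "login.defs",
          "pass_min_len", ">= 14", lambda v: v.isdigit() and int(v) >= 14),
]


def run_checks(sshd_text: str, login_defs_text: str) -> List[dict]:
    """Evaluate every check and return one evidence record per check."""
    sources = {"sshd_config": parse_kv(sshd_text),
               "login.defs": parse_kv(login_defs_text)}
    results = []
    for chk in CHECKS:
        observed = sources[chk.source].get(chk.keyword)
        if observed is None:
            # An unset keyword is recorded as a failure: evidence should show
            # the setting explicitly rather than rely on a daemon default.
            status, observed = "fail", "<not set>"
        else:
            status = "pass" if chk.passes(observed) else "fail"
        results.append({"check_id": chk.check_id, "title": chk.title,
                        "criterion": chk.criterion, "source": chk.source,
                        "keyword": chk.keyword, "observed": observed,
                        "expected": chk.expected, "status": status})
    return results


def summarize(results: List[dict]) -> Dict[str, Dict[str, int]]:
    """Roll pass/fail counts up by criterion tag, the view an auditor asks for."""
    by_criterion: Dict[str, Dict[str, int]] = {}
    for r in results:
        counts = by_criterion.setdefault(r["criterion"], {"pass": 0, "fail": 0})
        counts[r["status"]] += 1
    return by_criterion


if __name__ == "__main__":
    res = run_checks(SAMPLE_SSHD_CONFIG, SAMPLE_LOGIN_DEFS)
    print(json.dumps({"results": res, "by_criterion": summarize(res)}, indent=2))
```

On the constructed samples four of the five checks fail (root login permitted, a CBC cipher offered, password age unbounded, minimum length too short) and only the logging check passes; the JSON output is the kind of per-criterion evidence record a continuous-compliance process would retain across the audit period, and replacing the sample strings with the contents of the real files is the only change needed to run it against a host.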

CIS Benchmarks grouped by SOC2 Evidence Requirement


  • Cloud-native platform supporting 12-factor patterns (port binding, logs as event streams, concurrency, and so on)
  • An integrated risk assessment layered across segmented vulnerability domains
  • Works with private, hybrid, and public clouds and supports AWS, Azure, and GCP (Google Cloud Platform)
  • Manages thousands of out-of-the-box policies, well curated and certified (SCAP, XCCDF, OVAL)
  • Supports most compliance authorities (PCI, HIPAA, NIST, SOC 2, FedRAMP, CIS Benchmarks, DISA, CIS CSC, CSF)
  • Ships CIS-certified security content (multiple operating systems, Docker, AWS Cloud)
  • Complies with DISA standards in all aspects of delivery and reported results
  • SOC 2 compliance work is performed by EnterpriseGRC Solutions, with system evidence generated via Cavirin ARAP or a variety of similarly focused products within the Elastic Compliance Network

Continuous Facilitated Compliance

EnterpriseGRC Solutions Security and Compliance actively contributes to all major standards bodies and organizations responsible for mapping regulatory requirements to the most highly leveraged national and international standards. In addition to native CIS Benchmark and DISA STIG (NIST-based) configuration hardening and change management, we implement all assessments against the NIST Cybersecurity Framework (CSF) and NIST SP 800-53 Rev. 4, including Appendix J for privacy. Clients who elect to use multiple policy packs, including ISO/IEC 27002:2013, benefit from the extended use of multiple frameworks to align their information security programs and policies.


About EnterpriseGRC Solutions

EnterpriseGRC Solutions implements governance, security, risk, and compliance automation products and programs, emphasizing system-based policies specific to security settings for secure configuration management. EnterpriseGRC is a women-owned small business offering compliance readiness, security and GRC tools, enterprise security architecture, cybersecurity risk assessment, and a wide variety of resources for security and GRC technology support. Founded in October 2002 as Phoenix Business and Systems Process, and rebranded in 2011 as EnterpriseGRC Solutions, the company is positioned to solve an organization's greatest cloud security and cyber challenges. True to its tagline "Simple Solutions to Complex Problems", the company offers pragmatic, remote and on-site, web-enabled compliance implementation, training, strategy, management consulting, security, and risk management services.