At Sullivan, Rogers & Company we strive to partner with companies that enable us to provide enhanced service to our clients. Forming mutually beneficial relationships with outstanding service providers enables us to better serve our clients as we seek new growth opportunities.
For many service organizations, complying with multiple industry standards and regulations is mandatory in order to do business with customers that trust them to safeguard information. A datacenter may be required to provide a Payment Card Industry (PCI) Report on Compliance (ROC), a Health Insurance Portability and Accountability Act (HIPAA) report, and a Service Organization Controls (SOC 1) report (formerly known as a SAS 70 report). Historically, each standard and regulation required its own third-party report every year.
Now there is a way for service organizations to combine multiple compliance requirements into one engagement. Changes in standards allow service organizations to include additional subject matter in their internal control descriptions. This additional subject matter may include anything that is not covered by the AICPA's Trust Services Principles & Criteria (TSPC), including controls relating to PCI and HIPAA requirements and any other specific controls required by customers.
Under previous standards, service organizations had to document and follow their own controls. The TSPC covers the domains of Security, Availability, Processing Integrity, Confidentiality, and Privacy, and is easily mapped to PCI DSS, NIST, ISO 27001, and similar frameworks, giving service auditors the ability to test any controls that overlap.
Seizing upon this opportunity to provide a simplified process which still fulfills customer requirements for separate reports, Sullivan, Rogers & Company has partnered with Compliance Point, a leading Qualified Security Assessor (QSA). Together, we provide an integrated framework that merges the TSPC controls with controls from other standards.
With our combined engagement approach, service organizations only have to present supporting documentation once. This documentation is then tested by the combined engagement team, and the results provide the basis for the SOC, HIPAA, and PCI reports issued separately by Sullivan, Rogers & Company and Compliance Point.
At the conclusion of the engagement, Sullivan, Rogers & Company and Compliance Point evaluate the results of the testing and issue the reports separately, as required by the governing bodies. Sullivan, Rogers & Company issues the SOC report covering the TSPC and any additional subject matter, and Compliance Point issues the ROC covering the additional subject matter areas individually.
Our methodology enables service organizations to consolidate any or all of PCI, HIPAA, ISO 27001, GLBA, or FISMA with SOC reporting under the SOC report umbrella. Service organizations that can take advantage of the new standards will benefit from increased engagement efficiency and reduced overall fees.
Learn more about our Service Organization Controls services here.