Florida (US) based parent, Indian BPO subsidiary based in Bangalore
First-time SOC 2 certification – 4 Trust Services Criteria in scope
SOC 2 Type II certification
Florida-based parent company gets the contract, fulfilled by the Indian subsidiary
Main work is assistance in claims processing – but no data transferred / moved out of the US (view-only work; processing output stored in US-based systems with access and data-storage controls in place)
Like most HIPAA-impacted BPOs, staff only access data and systems located in the US through systems based in India. HIPAA compliance not in scope
Access controls, data loss prevention, confidentiality, security and availability were the main concerns
Was an attest engagement for us, with a partner having completed the SOC readiness assessment, gap identification and remediation
Attestation work completed in approx. 7 weeks
Data Centre offering CoLo Services – MEA Region – SOC 2 Type I & II
First-time SOC 2 Type I assessment, followed up with a Type II
Security & Availability criteria in scope
First-time SOC 2 assessment
“Remote Audit” done in COVID times
Full use of technology to perform a virtual site visit amidst COVID. Microsoft HoloLens / online video tools were used to walk us through the physical access controls in the Middle Eastern coastal country
Gap assessment & Attestation performed by EntPerMaSys. Remediation measures implemented by a partner entity
Completed in a 6-8 week timeframe (Type I) and 12 weeks (Type II)
Data Archiving Platform – India & US based - SOC 1 & SOC 2 Type II
Repeat SOC 2 & SOC 1 Type II attestations for an India-listed company’s US subsidiary with a “Group Holding” structure, but with only select subsidiaries scoped
Security, Confidentiality & Availability Criteria in scope
SOC 2 Type II and SOC 1 Type II
SOC 2 completed almost 1 week ahead of the agreed schedule; SOC 1 completed 3 weeks ahead of schedule due to urgency expressed by the client (customer sign-ups on hold due to SOC re-certification requirements)
Noticed some gaps in the previous SOC 1 attestation, which we brought up with the client prior to starting the work
Brought them on board with respect to the gaps and suggested changes for a more robust SOC 1 report
Completed 2nd year follow-on SOC 2 Type II & SOC 1 Type II attestation
India & US based – Startup using AI/ML based platform for Banking Industry
First-time SOC 2 Type II certification for an AI/ML based loan application processing platform that did not directly collect PII / SPI from applicants
Started with Privacy being not in scope
Audit client’s own initial internal assessment was that the B2B model did not require inclusion of the Privacy criterion
Our advice on the applicability of the Privacy criteria was well appreciated, given the industry vertical (banking / financial analytics) and the usage of AI / ML algorithms in processing PII / SPI
SOC 2 Type II completed in 10 weeks (attestation, with prep work done by a partner)
Although the overall attestation was delayed due to the inclusion of additional criteria initially not in scope, the final report was more usable and relevant for user entities of the service organization
Audit client is a happy multi-year repeat customer now
US based – Clinical Research organization – SOC 1 Attestation
First-time SOC 1 Type II certification for a full-service CRO with headquarters in the US and locations in India, Philippines, Singapore and China
Only Bangalore (India) and US locations in scope
Controls operate differently in the two locations, with some IT controls centralized in China (an out-of-scope location)
Finance department had documented certain controls operating in other departments since they were impacting the books, e.g.:
Controls in payroll, employee on-boarding & exits operating in HR department
Corporate governance related controls as needed for SOC 1 – present in India (due to Indian Companies Act provisions) but not applicable to the corporate headquarters in the US
IT related controls operate differently in India as compared to the US
Most of India’s “Operational Controls” (e.g. timesheet time booking, project creation and deletion) impact US Time & Material billing processes, but not India processes, since India financials get eliminated during the consolidation process
Required a more “consultative” approach, while maintaining auditor independence
Chennai (India) based – IT Services company
SOC 2 Type II (repeat assessment; first assessment performed by a Big 4 firm)
Chennai (India) location in scope
All 5 TSC categories in scope
Sensitive HR functions being performed in EU locations meant that the Privacy controls’ documentation and their operating effectiveness required careful assessment
Report formats synchronized with the previous (Big 4) auditor at the customer’s request, for continuity with the previous year’s report (for the repeat location)