
Service Organization Control (SOC), ISO27001 and Privacy Compliance Projects

  • Over 25 years of experience in compliance-oriented reporting, both as an auditor and in a client support role.

  • As the auditor, have managed over 50 SOC-related engagements at approximately 15 different clients.  Audits have been performed under the reporting standards issued internationally, in the US and in Canada (ISAE, SSAE and CSAE standards) and also under the predecessor standards, most notably SAS 70.

  • Engagements have included SOC1 and SOC2 projects, specialty regulatory compliance reporting engagements, and privacy compliance and support projects, including GDPR and Quebec Law 25 privacy updates.

  • In the client support role, have served as the key coordinator and project manager for audit preparation and for coordinating the audit.  Tasks include external auditor scoping and engagement, definition of the controls relevant to the scope of the audit, scheduling, evidence collection and coordination with control owners, evaluating and assisting with evidence analysis and potential compensating controls, report writing, and collaboration with the external auditors.

  • A model workbook for SOC2 controls was developed and has been used multiple times to help clients quickly and efficiently with controls identification and project planning.  The workbook was converted into a Confluence-based SOC2 documentation framework that has been used at several clients to document the characteristics of each control and the supporting evidence for it.  This documentation has helped both the client and the external auditors understand the controls, and accordingly has made the audit more efficient and less time-consuming for the client and the auditor.
  • Model policies and procedures for all the relevant control areas have been developed and customized as necessary, once again to help achieve a faster and more efficient implementation of the SOC2 framework.
  • Experienced with several GRC/SOC2 SaaS tools, including OneTrust (Tugboat Logic), Vanta and Drata.  Have assisted clients in establishing their Tugboat Logic instance and the supporting materials for the audit projects.
  • Within the auditor role, have managed all aspects of the SOC engagement: providing overall direction in establishing the initial engagement, executing and reporting on the engagement, providing the key client interaction, and preparing all deliverables.  Teams have ranged from 2 to 15 people, and some engagements have extended to many thousands of hours of effort.
  • Engagements have ranged from IT controls as the subject matter to a wide range of business process areas, including payroll, HR, benefits, finance, fund and trust accounting, supply chain and inventory management.
  • Below is a summary of the relevant engagements performed in this area.  A detailed overview of one of these engagements is also provided below.


Client | Scope of work | Type of Engagement

Telecommunications | Acting for management - assisted in the preparation of ISO27001 controls documentation for 2 business units.  Provided subject matter expertise on the framework and the anticipated IT control practices. | ISO27001

Transportation and Logistics | Acting for management - assisted in the development of the company's ISO27001 collateral, including all required policies and procedures.  Ensured the documentation was prepared so that it would also support a SOC2 audit at a later time. | ISO27001

Health Information | Acting for management - assisted in the development of a full range of policies and procedures for compliance with GDPR and Quebec Law 25 privacy regulations; also mapped these regulations to a new set of controls for meeting the SOC2 Privacy principle. | SOC2 (Security, Availability, Confidentiality, Privacy criteria); GDPR and Quebec Law 25 privacy compliance

Telecommunications | Acting for management - audit preparation and coordination over multiple business units and product areas, including mobility, IP VPN, telephony, managed SIEM and hosting services. | SOC1 and SOC2 (Security, Availability, Confidentiality criteria)

Financial Technology 1 | Acting for management - developed a controls framework in support of a SOC1 engagement.  Pre-assessment of controls, gap assessment, and reporting on areas of deficiency needing attention. | SOC1 - IT and business controls (FX trading, customer management)

Financial Technology 2 | Acting for management - developed a controls framework in support of a SOC2 engagement.  Pre-assessment of controls, gap assessment, and reporting on areas of deficiency needing attention.  Assisted with numerous policies and procedures.  Coordinated with the external auditors on the reporting requirements. | SOC2 - Security criteria

Financial Technology 3 | Acting for management - developed a controls framework in support of a SOC2 engagement.  Pre-assessment of controls, gap assessment, and reporting on areas of deficiency needing attention.  Assisted with numerous policies and procedures.  Coordinated with the external auditors on the reporting requirements. | SOC2 - Security, Availability and Processing Integrity criteria

Bank | Electronic Benefits Transfer (EBT) program for the electronic delivery of government payments and supplements to eligible recipients via a plastic card. | SOC1 - Canadian standards

Full service brokerage | Integrity of stock exchange quote metering. | Agreed Upon Procedures

Payroll Services (numerous reports and divisions over a 6-year period) | Payroll and supporting IT processes (including web, PC, Oracle/Unix, mainframe and SAP-based technologies). | SOC1 - Canadian and US standards

Pension administration (numerous reports over a 4-year period) | Pension administration and supporting IT processes (including Windows and SQL Server technologies). | SOC1 - Canadian and US standards

IT outsourcing services and hosting (approximately 7 different clients) | IT processes (various SAP, mainframe, Unix and Windows environments, as well as network services). | SOC1, SOC2 - Canadian and US standards

CD, DVD and games distribution (numerous divisions and reports over a 6-year period) | Distribution, order management, receivables, inventory management and supporting IT processes (including SAP and AS/400 environments). | SOC1 - US standards

Credit card manufacturing and distribution | Credit card distribution and supporting processes. | SOC2 - Canadian standards

Pension administration | Defined benefit retroactive calculations project – the client developed a system and a process to rectify incorrect payments to their members. | SOC2 - Canadian standards (2 reports, one pre-implementation and another post-implementation)

Network equipment provider | Order to cash, procure to pay, inventory management, financial close process and supporting IT general controls. | SOC1 - US standards and Agreed Upon Procedures


Client: Network equipment provider

Duration: 2 years

Key Roles/Services Performed: Engagement Manager

Details:
Details:

When this multi-national network equipment provider sold its lines of business as part of its wind-up, the company continued to perform the business operations while each of the purchasers readied its own operations to absorb the significant operations it had purchased.  To provide the purchasers and their auditors with assurance on the accuracy and completeness of the financial results and operations being performed on behalf of the purchasers, the company requested a SOC1 over the in-scope operations.  Reports were provided for two annual periods.

Scope covered the following areas:

  • Order to cash – order entry, order fulfillment, billing, collection
  • Procure to pay – direct purchasing and accounts payable
  • Inventory management
  • Financial close process
  • IT general controls for applications supporting the above services

Managed the procure to pay, inventory management and IT general controls components, which for each audit comprised approximately 4,000 hours of effort.  A team of up to 15 persons was managed in this engagement.

Participated in all stages of planning, execution, project management, reporting and client service management.  This was a complex audit, not only because of the scope of the processes, but also because of the variability in the processes by purchaser, the global nature of the operations, the multitude of platforms being examined, and the multiple locations of the audit teams (Canada, US and Asia) and client support teams that were managed.  The client also made extensive use of outsourcing organizations for its IT support, contract manufacturers and 3PL distribution services, all of which were part of the scope of the audit.

Benefits to Client:

As a senior member of this large engagement team, my involvement was instrumental to meeting the client’s deadlines for reporting and for helping ensure that this complex and significant audit was completed as smoothly as possible.  The client and also the end users of the reports were complimentary of the team and the reports enabled the company to fulfill its mandate of ensuring their ongoing operations were well controlled.