Withum’s SOC Services team delivered a SOC 2SM report for a national Employee Drug Testing Company that satisfied its client’s request for an independent assessment of their controls over data security. While fulfilling this need, Withum advised the Company that they did not need to encompass all five categories of the TSP framework, which is the basis for the SOC 2SM report, saving the Company time and money in the process.
A national healthcare services company specializing in employee drug testing with international clientele had access to personally identifiable information (PII), protected health information (PHI), and other private information for all of its client’s employees.
The Company’s contract with its client was up for renewal. Since the Company had access to confidential information on the client’s employees, the client insisted that they would not renew the contract without assurances that the Company’s controls around the processing, transmission, and storage of employee information, including drug testing results, were adequate to protect their employees. The Company took this opportunity to reach out to Withum’s SOC Services team to discuss how a System and Organization Controls (SOC) report could help them assess and communicate their control structure to their client.
Withum met with the Company for an initial consultation to understand the need for a SOC report. During the preliminary discussions, Withum helped to provide context about the SOC suite of services, and the intent and benefits of the various options. Based on that preliminary discussion, the Company chose to engage Withum to provide SOC 2SM reporting services. The SOC team reviewed the Company’s controls to determine the scope of the engagement and organize the initial findings. Through this approach, Withum learned that the Company did not need to have all of the categories (Security, Availability, Confidentiality, Processing Integrity and Privacy) assessed in obtaining their SOC 2SM.
Withum’s SOC team assisted the Company in consulting with their client to define the scope. The client was understanding and agreed to the scope, Withum completed the SOC 2 audit and assessment, and with their newly issued SOC 2SM report, the client chose to renew the contract with the Company. As a result, Withum was able to provide the Company support to refine the scope of the SOC 2 assessment to meet their client’s requirements, while also ensuring that they limited their resource requirements to execute the SOC 2SM, both in terms of cost and time committed from internal resources.
SOC 2SM reports provide user organizations with assurance over their critical systems and sensitive data that is supplied to outsourced services. The purpose of a SOC 2SM report is to ensure the effectiveness of organizational controls related to its operations.
Withum’s SOC Services team was able to deliver a SOC 2SM report that satisfied the Company’s client request, allowing them to continue their long-time business partnership. Withum gave value beyond the SOC 2SM report by enabling the Company to right size the scope based on their services. By re-adjusting the scope of the SOC 2SM assessment and putting the Company’s best interest first, the Company was able to save both time and money, while maintaining a trusted, long-term business relationship.