Case Study: SOC 2SM Report Saves Money, Time and Enables Health Services Company to Retain Client


Learn how a national employee drug testing company demonstrated that established controls were in place to protect PII and PHI, facilitating client retention.


Withum’s SOC Services team delivered a SOC 2SM report for a national employee drug testing company that satisfied its client’s request for an independent assessment of the Company’s controls over data security. While fulfilling this need, Withum advised the Company that it did not need to encompass all five categories of the TSP framework, which is the basis for the SOC 2SM report, saving the Company time and money in the process.

The Client

A national healthcare services company specializing in employee drug testing with international clientele had access to personally identifiable information (PII), protected health information (PHI), and other private information for all of its client’s employees.

The Challenge

The Company’s contract with its client was up for renewal. Since the Company had access to confidential information on the client’s employees, the client insisted that they would not renew the contract without assurances that the Company’s controls around the processing, transmission, and storage of employee information, including drug testing results, were adequate to protect their employees. The Company took this opportunity to reach out to Withum’s SOC Services team to discuss how a System and Organization Controls (SOC) report could help them assess and communicate their control structure to their client.

The Approach and Solution

Withum met with the Company for an initial consultation to understand the need for a SOC report. During the preliminary discussions, Withum helped to provide context about the SOC suite of services, and the intent and benefits of the various options. Based on that preliminary discussion, the Company chose to engage Withum to provide SOC 2SM reporting services. The SOC team reviewed the Company’s controls to determine the scope of the engagement and organize the initial findings. Through this approach, Withum learned that the Company did not need to have all of the categories (Security, Availability, Confidentiality, Processing Integrity and Privacy) assessed in obtaining their SOC 2SM.

Withum’s SOC team assisted the Company in consulting with its client to define the scope. The client was understanding and agreed to the scope; Withum then completed the SOC 2 audit and assessment, and with the newly issued SOC 2SM report in hand, the client chose to renew the contract with the Company. In this way, Withum was able to help the Company refine the scope of the SOC 2 assessment to meet its client’s requirements, while also limiting the resources needed to execute the SOC 2SM, both in terms of cost and time committed from internal staff.


SOC 2SM reports provide user organizations with assurance over the critical systems and sensitive data they entrust to outsourced services. The purpose of a SOC 2SM report is to provide assurance on the effectiveness of a service organization’s controls relevant to its operations.



The Results

Withum’s SOC Services team delivered a SOC 2SM report that satisfied the request of the Company’s client, allowing the two to continue their long-time business partnership. Withum gave value beyond the SOC 2SM report by enabling the Company to right-size the scope based on the services it provides. By adjusting the scope of the SOC 2SM assessment and putting the Company’s best interest first, the Company saved both time and money while maintaining a trusted, long-term business relationship.

