CEO/CFO Certification Requirements

Managing Compliance

Current challenges and landscape

Whether you are a provider of data center services, Software-as-a-Service (SaaS) or a unique business solution through the Cloud, you are likely to encounter requests from your clients to examine your internal controls. Often you will receive multiple compliance requests from different clients for many of the same controls. In some cases you may even encounter a prospective client that requests an independent third-party assessment adhering to reporting standards such as System and Organization Controls (SOC) before they will consider doing business with you. While these client interactions provide you with an opportunity to showcase your client service prowess, over time the requests can become cumbersome and costly, and can distract your operations team from completing mission-critical tasks.

How Richter can help

While you cannot ignore compliance obligations to your clients, you can reduce the impact of those obligations on your organization. The concept is simple: audit once, satisfy many.

It starts with zeroing in on a scope that matters. It continues with identifying the correct report and associated examination to satisfy your clients’ requirements. It concludes with a compliance report from a trusted and accredited accounting firm. The result is a reduction in audit fatigue for your organization, as well as increased trust and confidence with your clients.

Our offerings include:

Readiness assessments – If your objective as a service organization is to demonstrate compliance with SOC reporting standards, a readiness assessment will facilitate the identification and gap assessment of your internal control framework. Richter will assess your organization’s readiness and help define the scope by aiding your organization in the development of a system description. We can further assist your organization by documenting your existing control framework, identifying potential control gaps, and making realistic and scalable control recommendations. Richter provides practical recommendations to help your organization pass an independent assessment.

System and Organization Controls (SOC) reports – Depending on the compliance requirements and scope of the audit, a SOC report will provide an independent assessment of a service organization’s internal controls. Richter will help determine the type of SOC report your organization requires and perform the associated audit under CPA Canada or AICPA guidelines. We offer assurance services for all SOC report types, including the following:

SOC 1 – Report on controls at a service organization relevant to user entities’ internal control over financial reporting

These reports are intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements, in evaluating the effect of the controls at the service organization on the user entities’ financial statements.

• Type 1 – Report that contains an opinion on (1) the fairness of management’s assertion and description of controls and (2) the suitability of the design of the controls to achieve the related control objective as at a point in time

• Type 2 – Report that contains an opinion on (1) the fairness of management’s assertion and description of controls, (2) the suitability of the design and (3) the operating effectiveness of the controls throughout a specified time period

SOC 2 – Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy

These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

• Type 1 – Report that contains an opinion on (1) the fairness of management’s assertion and description of controls and (2) the suitability of the design of the controls under Trust Services Criteria (TSC) as at a point in time

• Type 2 – Report that contains an opinion on (1) the fairness of management’s assertion and description of controls, (2) the suitability of the design and (3) the operating effectiveness of the controls under the AICPA/CPA Canada TSC throughout a specified time period

SOC 3 – Trust services criteria for general use report

This report is designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 report. These reports can be freely distributed.

SOC for Cybersecurity

This report is designed to meet the needs of users who need assurance on the organization’s enterprise-wide cybersecurity risk management program, demonstrating that the organization is managing cybersecurity threats and that it has effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of the organization’s efforts.