Identifying and Minimizing Operational Risks Through SOC Reporting
DISA/MTS Global Solutions (DISA/MTS), formerly Midwest Toxicology Services, was founded in Indianapolis, Indiana in 1992 to provide drug testing and third-party administration services for private companies needing to comply with government regulations and substance abuse testing programs.
Most of the organizations DISA/MTS serves do not yet require formal System and Organization Controls (SOC) reporting. However, a contract with a new client of DISA/MTS prompted the company to take a closer look at its internal control environment to gain a comprehensive understanding of its systems and help minimize risk. This was DISA/MTS’ first formal examination of its internal controls regarding security and confidentiality risks, and its leaders were eager to partner with a firm that could walk them through the process while providing thorough assessments of internal controls and SOC reporting expertise. Because the company’s accounting firm did not have SOC experience, DISA/MTS engaged KSM’s SOC Services Group to perform the necessary assessment.
KSM’s initial engagement included the completion of a third-party service provider (TPSP) questionnaire on the new client’s behalf. The internal control structure at DISA/MTS was focused primarily on operational risks; however, KSM dug deeper to identify and present the wide range of security and confidentiality risks that may impact an organization in the substance abuse testing industry.
After the TPSP questionnaire was completed, DISA/MTS expanded KSM’s project scope to include a SOC 2 readiness consulting engagement and, subsequently, a SOC 2, Type 2 attestation engagement that would provide further guidance and satisfy additional contractual requirements for the new client. As part of this process, KSM worked with DISA/MTS’ executive management group to initiate a thorough examination of the core business principles and current controls. Over the course of several meetings, which included facility tours, KSM was able to identify control gaps and provide guidance on eliminating them to establish a robust control environment that met the criteria of the security and confidentiality trust services principles.
KSM’s completion of the initial TPSP questionnaire gave DISA/MTS the necessary information to continue with an in-depth SOC 2 readiness engagement and better address the criteria of the subsequent SOC 2 report. Throughout this comprehensive and educational process, DISA/MTS’ management team gained a more effective understanding of how to assess operational risk, and its improved internal control environment significantly enhanced the company’s ability to mitigate that risk. The new client who prompted the SOC assessment was satisfied that DISA/MTS had thoroughly reviewed and strengthened its internal control environment. As a result of the SOC engagement with KSM, DISA/MTS is positioned to better serve all its clients as well as win new clients that require rigorous control measures.