SOC-2 Signed Made Easy

Remove paperwork and improve document processing for more productivity and countless opportunities. Explore a better way of running your business with airSlate SignNow.

Award-winning eSignature solution

Send my document for signature

Get your document eSigned by multiple recipients.

Sign my own document

Add your eSignature to a document in a few clicks.

Upgrade your document workflow with airSlate SignNow

Versatile eSignature workflows

airSlate SignNow is a scalable platform that grows with your teams and business. Create and customize eSignature workflows that fit all your business needs.

Fast visibility into document status

View and download a document’s history to track all changes made to it. Get instant notifications to understand who made what edits and when.

Easy and fast integration set up

airSlate SignNow easily fits into your existing systems, helping you to hit the ground running right away. Use airSlate SignNow’s powerful eSignature functions with hundreds of popular apps.

Soc 2 signed on any device

Spare the bottlenecks related to waiting for eSignatures. With airSlate SignNow, you can eSign documents in minutes using a desktop, tablet, or smartphone.

Advanced Audit Trail

For your legal safety and basic auditing purposes, airSlate SignNow includes a log of all changes made to your documents, offering timestamps, emails, and IP addresses.

Strict protection standards

Our top goals are securing your documents and sensitive information, and ensuring eSignature authentication and system defense. Remain compliant with industry standards and policies with airSlate SignNow.

See airSlate SignNow eSignatures in action

Create secure and intuitive eSignature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Try airSlate SignNow with a sample document

Complete a sample document online. Experience airSlate SignNow's intuitive interface and easy-to-use tools in action. Open a sample document to add a signature, date, text, upload attachments, and test other useful functionality.

Checkboxes and radio buttons
Request an attachment
Set up data validation

airSlate SignNow solutions for better efficiency

Keep contracts protected
Enhance your document security and keep contracts safe from unauthorized access with dual-factor authentication options. Ask your recipients to prove their identity before opening a contract to soc 2 signed.
Stay mobile while eSigning
Install the airSlate SignNow app on your iOS or Android device and close deals from anywhere, 24/7. Work with forms and contracts even offline and soc 2 signed later when your internet connection is restored.
Integrate eSignatures into your business apps
Incorporate airSlate SignNow into your business applications to quickly soc 2 signed without switching between windows and tabs. Benefit from airSlate SignNow integrations to save time and effort while eSigning forms in just a few clicks.
Generate fillable forms with smart fields
Update any document with fillable fields, make them required or optional, or add conditions for them to appear. Make sure signers complete your form correctly by assigning roles to fields.
Close deals and get paid promptly
Collect documents from clients and partners in minutes instead of weeks. Ask your signers to soc 2 signed and include a charge request field to your sample to automatically collect payments during the contract signing.
Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Your step-by-step guide — soc 2 signed

Access helpful tips and quick steps covering a variety of airSlate SignNow’s most popular features.

Employing airSlate SignNow’s electronic signature any company can increase signature workflows and sign online in real-time, providing a greater experience to consumers and staff members. Use SOC-2 signed in a few simple steps. Our handheld mobile apps make work on the go feasible, even while offline! Sign documents from any place in the world and make tasks faster.

Take a step-by-step guideline for using SOC-2 signed:

  1. Log on to your airSlate SignNow profile.
  2. Find your document in your folders or upload a new one.
  3. Open the record and edit content using the Tools menu.
  4. Drop fillable fields, add textual content and eSign it.
  5. Include several signers via email and configure the signing order.
  6. Choose which individuals can get an executed version.
  7. Use Advanced Options to limit access to the document and add an expiry date.
  8. Press Save and Close when finished.

Moreover, there are more enhanced capabilities open for SOC-2 signed. Add users to your common workspace, view teams, and keep track of teamwork. Numerous people across the US and Europe agree that a solution that brings people together in one holistic environment is exactly what companies need to keep workflows functioning smoothly. The airSlate SignNow REST API enables you to embed eSignatures into your app, internet site, CRM or cloud storage. Try out airSlate SignNow and get faster, smoother and overall more effective eSignature workflows!

How it works

Upload a document
Edit & sign it from anywhere
Save your changes and share

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

See exceptional results SOC-2 signed made easy

Get signatures on any document, manage contracts centrally and collaborate with customers, employees, and partners more efficiently.

How to Sign a PDF Online

How to fill in and eSign a document online

Try out the fastest way to SOC-2 signed. Avoid paper-based workflows and manage documents right from airSlate SignNow. Complete and share your forms from the office or seamlessly work on-the-go. No installation or additional software required. All features are available online, just go to signnow.com and create your own eSignature flow.

A brief guide on how to SOC-2 signed in minutes

  1. Create an airSlate SignNow account (if you haven’t registered yet) or log in using your Google or Facebook.
  2. Click Upload and select one of your documents.
  3. Use the My Signature tool to create your unique signature.
  4. Turn the document into a dynamic PDF with fillable fields.
  5. Fill out your new form and click Done.

Once finished, send an invite to sign to multiple recipients. Get an enforceable contract in minutes using any device. Explore more features for making professional PDFs; add fillable fields SOC-2 signed and collaborate in teams. The eSignature solution supplies a safe process and works according to SOC 2 Type II Certification. Ensure that all your data are protected so no one can take them.

How to Sign a PDF Using Google Chrome

How to eSign a PDF file in Google Chrome

Are you looking for a solution to SOC-2 signed directly from Chrome? The airSlate SignNow extension for Google is here to help. Find a document and right from your browser easily open it in the editor. Add fillable fields for text and signature. Sign the PDF and share it safely according to GDPR, SOC 2 Type II Certification and more.

Using this brief how-to guide below, expand your eSignature workflow into Google and SOC-2 signed:

  1. Go to the Chrome web store and find the airSlate SignNow extension.
  2. Click Add to Chrome.
  3. Log in to your account or register a new one.
  4. Upload a document and click Open in airSlate SignNow.
  5. Modify the document.
  6. Sign the PDF using the My Signature tool.
  7. Click Done to save your edits.
  8. Invite other participants to sign by clicking Invite to Sign and selecting their emails/names.

Create a signature that’s built in to your workflow to SOC-2 signed and get PDFs eSigned in minutes. Say goodbye to the piles of papers sitting on your workplace and start saving time and money for extra essential tasks. Picking out the airSlate SignNow Google extension is an awesome practical decision with a lot of advantages.

How to Sign a PDF in Gmail

How to sign an attachment in Gmail

If you’re like most, you’re used to downloading the attachments you get, printing them out and then signing them, right? Well, we have good news for you. Signing documents in your inbox just got a lot easier. The airSlate SignNow add-on for Gmail allows you to SOC-2 signed without leaving your mailbox. Do everything you need; add fillable fields and send signing requests in clicks.

How to SOC-2 signed in Gmail:

  1. Find airSlate SignNow for Gmail in the G Suite Marketplace and click Install.
  2. Log in to your airSlate SignNow account or create a new one.
  3. Open up your email with the PDF you need to sign.
  4. Click Upload to save the document to your airSlate SignNow account.
  5. Click Open document to open the editor.
  6. Sign the PDF using My Signature.
  7. Send a signing request to the other participants with the Send to Sign button.
  8. Enter their email and press OK.

As a result, the other participants will receive notifications telling them to sign the document. No need to download the PDF file over and over again, just SOC-2 signed in clicks. This add-on is suitable for those who choose working on more essential things as an alternative to wasting time for nothing. Improve your day-to-day monotonous tasks with the award-winning eSignature application.

How to Sign a PDF on a Mobile Device

How to sign a PDF file on the go without an application

For many products, getting deals done on the go means installing an app on your phone. We’re happy to say at airSlate SignNow we’ve made signing on the go faster and easier by eliminating the need for a mobile app. To eSign, open your browser (any mobile browser) and get direct access to airSlate SignNow and all its powerful eSignature tools. Edit docs, SOC-2 signed and more. No installation or additional software required. Close your deal from anywhere.

Take a look at our step-by-step instructions that teach you how to SOC-2 signed.

  1. Open your browser and go to signnow.com.
  2. Log in or register a new account.
  3. Upload or open the document you want to edit.
  4. Add fillable fields for text, signature and date.
  5. Draw, type or upload your signature.
  6. Click Save and Close.
  7. Click Invite to Sign and enter a recipient’s email if you need others to sign the PDF.

Working on mobile is no different than on a desktop: create a reusable template, SOC-2 signed and manage the flow as you would normally. In a couple of clicks, get an enforceable contract that you can download to your device and send to others. Yet, if you really want an application, download the airSlate SignNow app. It’s secure, fast and has an incredible design. Take advantage of effortless eSignature workflows from your office, in a taxi or on an airplane.

How to Sign a PDF on iPhone

How to sign a PDF file utilizing an iPad

iOS is a very popular operating system packed with native tools. It allows you to sign and edit PDFs using Preview without any additional software. However, as great as Apple’s solution is, it doesn't provide any automation. Enhance your iPhone’s capabilities by taking advantage of the airSlate SignNow app. Utilize your iPhone or iPad to SOC-2 signed and more. Introduce eSignature automation to your mobile workflow.

Signing on an iPhone has never been easier:

  1. Find the airSlate SignNow app in the AppStore and install it.
  2. Create a new account or log in with your Facebook or Google.
  3. Click Plus and upload the PDF file you want to sign.
  4. Tap on the document where you want to insert your signature.
  5. Explore other features: add fillable fields or SOC-2 signed.
  6. Use the Save button to apply the changes.
  7. Share your documents via email or a signing link.

Make professional PDFs right from your airSlate SignNow app. Get the most out of your time and work from anywhere; at home, in the office, on a bus or plane, and even at the beach. Manage an entire record workflow seamlessly: create reusable templates, SOC-2 signed and work on PDFs with partners. Transform your device right into a powerful enterprise instrument for closing offers.

How to Sign a PDF on Android

How to sign a PDF Android

For Android users to manage documents from their phone, they have to install additional software. The Play Market is vast and plump with options, so finding a good application isn’t too hard if you have time to browse through hundreds of apps. To save time and prevent frustration, we suggest airSlate SignNow for Android. Store and edit documents, create signing roles, and even SOC-2 signed.

The 9 simple steps to optimizing your mobile workflow:

  1. Open the app.
  2. Log in using your Facebook or Google accounts or register if you haven’t authorized already.
  3. Click on + to add a new document using your camera, internal or cloud storages.
  4. Tap anywhere on your PDF and insert your eSignature.
  5. Click OK to confirm and sign.
  6. Try more editing features; add images, SOC-2 signed, create a reusable template, etc.
  7. Click Save to apply changes once you finish.
  8. Download the PDF or share it via email.
  9. Use the Invite to sign function if you want to set & send a signing order to recipients.

Turn the mundane and routine into easy and smooth with the airSlate SignNow app for Android. Sign and send documents for signature from any place you’re connected to the internet. Create good-looking PDFs and SOC-2 signed with a couple of clicks. Create a faultless eSignature workflow using only your mobile phone and increase your total efficiency.


What active users are saying — soc 2 signed

Get access to airSlate SignNow’s reviews, our customers’ advice, and their stories. Hear from real users and what they say about features for generating and signing docs.

5
anonymous

This service is really great! It has helped us enormously by ensuring we are fully covered in our agreements. We are on a 100% for collecting on our jobs, from a previous 60-70%. I recommend this to everyone.

5
Susan S

I've been using airSlate SignNow for years (since it was CudaSign). I started using airSlate SignNow for real estate as it was easier for my clients to use. I now use it in my business for employment and onboarding docs.

5
Liam R

Everything has been great, really easy to incorporate into my business. And the clients who have used your software so far have said it is very easy to complete the necessary signatures.



Soc 2 signed

Hello everyone, and welcome to our next webinar, which is on SOC 2 compliance. It says this came after the last time we had a nice webinar on PCI DSS in ninety days. That was again like a spur, you know, people asking how to make easy ideas happen in 90 days, and after we did that, not surprisingly, many of our attendees asked Candace PA can there be some approach, even apply this approach to even SOC 2, and that's how we came up with the webinar on SOC 2 compliance in 90 days. Again, I'm not trying to sell you a tool or something by which you can do this in 90 days. It's an approach that I'll be elaborating on, and I really hope that you make good use of it. And if you have any queries, just drop it in and I'll try and answer you in the course of this, you know, of this webinar, and if not, if there are too many queries, which typically there is, and rest assured that I will definitely, most definitely, you know, email back the responses to you.

Anyway, so here we go with the webinar on SOC 2 compliance in 90 days. So this is what is a brief agenda. Of course there's too many points, and I don't know how much, how I'll do this in like 45, 50 minutes, but I'm trying to ask my guess is as possible, so stay with me. There is a huge amount of compliance content which is there on a YouTube channel, and, you know, you can go through it, and, you know, towards the end of the webinar I will put on a link that you can make our YouTube channel, you can subscribe, and there are a lot of playlists over there for her father's PCI DSS, GD P arith clacking and of course SOC 2. So if you need to get into various levels on the basics of SOC 2, on soft when he powers of 20 DPR so up to and cybersecurity, so many areas, you know, so visit our YouTube channel, subscribe to the videos, and you can of course look for all the playlists. All the content is free, so as webinar. And remember, your questions are what will really make them make a different difference - everything, so do drop in your questions as we go ahead. So this is a
brief about me. I've been in this industry for more than 25 years now, and primarily more in InfoSec, and I've got my whole company was trying to psyche, and we are privately into compliance. We don't sell any products. You're there in India, we are them us, and we are shortly will come up in Singapore. Just last month we lost in Singapore, because there is a huge amount of requirements have been coming in from the South East Asia. So that's who we are.

And okay, moving at, these are service portfolio. We have got different departments for compliance and governance. We do all the 27,000 and PCI DSS, cloud rest, we are very strong regulatory compliance of course, a be apt, we do technical advisory and reviews of make sure your products like raft si mi PS damn waves MDM Mac and stuff. Last but not the least, we even have an online training portal, you can research academy or compliance calm. That's ours; it's not like a tire, but it's our, you know, online training portal for on site and, you know, remote or online trainings in basically InfoSec.

So let's go and with the content. So SOC, there's a brief overview on SOC. So there are three levels, there is SOC 1, I would say level, the three different types of reports in SOC: one has SOC 1, SOC 2 and SOC 3. Earlier SOC 1 and all were known as SSAE 16, which were upgraded to SSAE 18 or SOC 1 et 101, and a SOC 1 is there. And the SOC 1 is, it's basically more from the ICFR, internal control over financial reporting, using the COSO framework. So it is basically your financial statement and have students at your a stable company that we are able to deliver on what, you know, how effectively you are delivering on your commitment straight line. And SOC 2 is again more from the IT perspective, InfoSec perspective. And I remember one thing: the focus of these reports, it is more client facing. What I mean by that is that if you have a subcontractor that you are giving, you know, work from your company or outsourcing work from a company, SOC 2
is a report that you would be asking from that. And that's where, you know, like at this time, I think we must be working on at least 26, 28 or assignments on just SOC 2 and a few on SOC 1 also, and most of it are on the SME segment, you know, small to medium scale enterprises having anywhere from 50 people to 500 people. Even a thousand are there, like, but that's not very many, but most of it is on the, you know, just on the SME segment that we have. And what typically happens is that with regards to softer and softer, that is, with regards to supple and soft oh, we are doing pretty, pretty good on that. And SOC is basically what we would like to see on the subcontractor side, to see how they are delivering on the processing and, you know, delivery of the SLAs that we have signed with you. So that is where most of the clients that we have is, it is from the client side, it is the client has said, please, please come up and show us your SOC 2 report, compliance report, to ensure that, you know, to show us or give us the assurance that you are able to deliver them whatever you have committed to us.

Okay, so SOC 1, it is coming under SSAE 18 now that we have. Okay, do you think, give me a second please. Okay, so this is, this is coming under, as we said earlier, it is coming but ICFR. It is basically on the systems and controls and the service organization from the controls for financial reporting. So financially, financially stable your company is, how well you are delivering, how in-depth we are going to ensure that the kinda levels are maintained, so that's where SOC 1 comes into place. SOC 1 has its place, but the requirements from your client perspective moon with that high of you to ask, but basically is so obtuse those covered in the SOC 1, basically it'll be on the bail, payroll processing, healthcare professionals, custodians for investment companies, financial services, health care, payroll in a payment processing, ESPs. So that's where the SOC 1 comes into place.

SOC 2, this is what we
are meeting today for. So this is where or any and all of the companies who are out outsourcing world, outsourcing any sort of that process, even for a datacenter purposes, that's where SOC 2 comes in the place. And there are trust services criteria: security, availability, processing integrity, confidentiality and privacy. Now they have to be, remember one thing, they have to be done by a licensed CPA who's empaneled and accredited with the AICPA, so it cannot just be done by your chartered accountant. So we have seen that also, ridiculous thing happening. A chartered accountant, the local chartered accountant, cannot be doing this thing. It is not admissible. It has to be done by a CPA who is accredited and registered with the AICPA. There is no two ways about it. It's not an opinion, that's how it is.

So there are this file prospective, you know, if you're looking at getting it done in a very short duration like 90 days. Typically as a company we're looking to, you, not just auditing or doing a gap assessment; we have got many of our clients who are also going for whom you're also thinking like an into and consulting very where the consulting team of ours same interceptor from the audit team even helps companies get ready for SOC 2 engagements. So I am, depending on your size and scope, the timelines would vary. Now anywhere, we have done assignments on SOC which is finished in two months, three months, and there are some assignments that is span for more than a year. So the reason for the webinar today is to discuss as to how things can get expedited, and one of the core things is how many trust principles are applicable. That's one of the first things that you need to get out of the way or get verified. Now this thing you typically get from a few areas. One is your, what your management has to say and where is your company heading, how your position yourself. The next thing is your clients: ask them basically what are trust principles they want you to get, you know, interested on. And if that you
think would be slightly embarrassing, which it is, what you can do is just look at your commitments that you have been making to your clients, that is, you are saying that you will be having 99.9 percent uptime, or you will be maintaining this paperwork, or you'll be doing a, you know, reporting in a some X amount of time in an X amount of way, or whatever be the case. So based on that, based on your client commitments, you can select your trust principles, and if you have any queries you can always sit and talk me a line and I'll be, you know, more than happy to do that.

Okay, there's a nice way from Chicana Hans, is asking what is the difference between SOC 2 and ISO 14001. Okay, that's a good question. We can basically for 27001 and ISO, the overlap is very less. ISO has got like 114 or requirements and SOC 2 is like more than 400. Now beyond the number of controls, it's also the range in scale and scope of the standard. And there's, interesting, if there is a webinar that we have done on SOC 2 and ISO, it is there on a YouTube. I don't have it ready, otherwise out of pace from the link, but, you know, I will pacing towards the end, and you can look it up or you can just do a search on YouTube or this time InfoSec official and the channel is there, and we've got a baby not justin soft when i saw friends and thousand won. There are the war laugh, but it's not too much. I would say if you have implemented it very well, then maybe you got an overlap of say 20%, not more than that.

Okay, Jamie is, I'm sorry, there's a nice question: would the presentation be shared with all the personal participants later? Yes, since you have registered you'll be getting a link to it after, but you have to stick around. Alright, so okay, going it. So thank you for your questions than that.

So who start basically on SOC 2. So look at this range and scale: all the cloud service, cloud based providers, whether it is software as a service, platform as a service, infrastructure as a service, country so providing HR services, security
services in collaboration with cloud, ERP services, data center colocation. Just think about it that way. So let's assume I have a company, I'm a company like a mine SME or an enterprise they will organization based in India, and I've got my base, we are based in Singapore or Vietnam or wherever, and I am hosting, I am taking a lot of work from my clients based in the US, and my data centers are, my servers are hosted in our local, you know, data center. So in that case your client in the US will be expecting you to have SOC 2 in place. And you, when you're going in is sought to do ensure that only your service providers, like you can see the list on the screen right now, and also SOC 2 attested. I cannot use oversell if you're certified, because there is nothing called as SOC 2 certification. So any servers, so any sort of your service providers should also be SOC 2 compliant, and their service providers down the chain have to be SOC 2 compliant. So they're also, you know, you can cut down on your scope and you can cut down on your timelines by identifying and ensuring that your son destroyed us are SOC 2 compliant from the get-go, our get them going. So that should help you.

Alright, okay, another query: who can, oh, that's a nice thing, Jesus Bionic, nice thing. All right, he's asking who can perform the audit or attestation. Okay, see, as I said, Anya, the attestation has to be done by a CPA, certified public accountant, who's impaneled and attested and onboarded with the AICPA, constant based in the US. It cannot be done by a local Chartered Accountant. Do remember that the person has to be impaneled. You need to check the attestation on the AICPA website.

Okay, another question: if a, if a customer asked for mr.
stationary if a person, if your customer asked for SOC 2 connect go ahead and say the answer I except 27001 and we'll be honest similar. I know I said earlier, know that the overlap is very less, it's hardly fifteen what he compared percent, and no person in his right frame of mind will accept your 27001 in lieu of SOC 2, because as I said SOC 2 is massive. I would really suggest you to download the standard, or you can write, writing email, I can send you the list of requirements and the SOC 2, you can yourself, you know, check against ISO 27001 and see the, the overlap is very, you know, superficial at best, and there are many, many areas, especially privacy, especially you can say prime processing integrity, which is not at all, if I can say that in a practical manner, covered under ISO 27001. So that can I be nicer 27001 can be a good start or going for SOC 2, but it's still a long way to go. I hope that answers the question.

Why do you leave now, being an SME, why do I worry need now? There are regulatory requirements that will be user entity mandates, the client has, you know, forced it on you, there are made in programs, there is new billions again for, if you are taking work, outsourced work, your client bases in the US, very few would agree to work with you if you are not SOC 2 compliant. If you are a service provider to, then very few would agree to work with you if you are not SOC 2 compliant, and you need an independent third-party opinion. That's where I said it is required to have a CPA based on it down. Then last but not the least, if you intend, now no, there are so many clients of ours who are asking for SOC 2 because they need to participate in our RFP. So even to be competitively relevant in the, in the business, in the marketplace, you need to have SOC 2 in place.

Okay, I'm getting lot of queries for the timelines and stuff; we'll be doing that towards the end. Now there is another, mr.
Chandler is asking, is that a specific certification for the SOC 1 and SOC 2? There is no certification for SOC 1 and so it has simply you need to get compliance audited by a CPA. And again, actually I cannot get into too much on the basics, otherwise I'll never be able to complete the agenda of this webinar today. I really, really request you to visit our YouTube channel. There is an entire playlist on SOC 2 and there are many videos that we have put up with regards to the basics on SOC 2. Again, no offense to anyone, your questions, I love them and I will be responding to them. Einstein goes by oral respond to you by email on that.

There's a soft Trina softly, if I can use those words. SOC 3 is more like an executive summary of a SOC 2 report. There is thus warrant now for us or two now so I only want this off to a SOC 3 report. Now a SOC report is base fee done, now contains a huge amount of confidential information about the company, and you cannot just circulate your SOC 2 report to every Tom, Dick and Harry or any new plan that comes up or attach it in a RFP. Of course it's your choice, but you wouldn't really do that, because you are putting out a lot of confidential information about your company outside, and that can potentially get misused. So that's where the SOC 3 comes into place. Now a SOC 3 would be like an executive summary where if it says that, you know, what all controls, control requirements in SOC 2 is applicable to you and whether they have been closed or not and stuff like that, without getting into the specifics of how they are being closed out. So the evidence requirements, what evidence was checked and all those things would be missed out, would be kept out from a SOC 3 about. So that makes like, you know, like a public use a soft, it becomes like a public use SOC 2 report. So I hope that makes sense. So in summary, this is how it looks like for a SOC 1, SOC 2 and a SOC 3 report. So if you have any inquiries, I'd love to take you
up on that. Okay, there are many. Is this attestation valid only in the West, that is, in the US region? See, as I said earlier, this is more where a company who's based in the US would want their subcontractors or their service providers to get SOC 2 compliant, regardless of where they are. So the attestation is, you know, all your clients based in the West should be asking you for it. But I cannot envisage a scenario where a company, say, in the Middle East, or maybe in Africa, with all the business interests in Africa, would want to get certified or compliant on SOC 2, because it simply wouldn't make sense. Of course, from a good practices or best practices perspective, perhaps, but the attestation, as I said, is acceptable only in the US.

So again, another question: are organizations in the Middle East required to do SOC 2 compliance? Well, yes, if your clients are based in the US. Your clients in the US would ask you for it, if not today, if not tomorrow, and if you are intending to expand in the US, you will need to get SOC 2.

Okay, so going ahead. Okay, that's it. These are the trust principles that we are looking at. Now let us quickly just breeze through it before we jump into it. So once you're looking at getting certified in a good amount of time, one of the key challenges that we have faced everywhere, where we have gone for an audit, and for many companies where we were just doing the gap assessment and doing the audit, and they've got their own service providers: the floundering that I see is very appalling. What I've always seen, when we're doing a review of why the project is getting stretched, is that typically the scoping is never done properly. It is very rarely done: that is, what software, what people, what processes are in scope, what data is there in scope, all those things. So, defining the system: if you are looking at getting this thing done in the shortest period of time possible, you need to
define the systems first. Okay.

Okay, there is another question: can a SOC 2 attestation count for any other regulation or standard audit, such as PCI, GDPR? There's a lot of overlap between PCI, GDPR and SOC 2. Again, we've got a few videos on that on our YouTube channel. I cannot really get into this at this time, but I really encourage you to go through it. There are overlaps, but you can't say, "Because I'm GDPR compliant, therefore I am SOC 2 compliant." You can't do that. "Because I'm PCI DSS compliant, therefore my SOC 2 is done." You can't say that. But, for example, there is a huge overlap between GDPR and the privacy trust principle of SOC 2, so in that case that one requirement, that one trust services criterion, is taken care of, but the rest are still open, so you have to get it done.

And remember one thing: of all the five trust principles, as we saw earlier, that is security, processing integrity, availability, confidentiality and privacy, security is mandatory. You have to do it. It is always security plus availability, or confidentiality, or privacy, or processing integrity. But you cannot just say, "I'll just do the privacy trust principle and leave out the other four." You can't do that. Security is mandatory; it's a base minimum requirement. I hope that makes sense. Now, when I use the words "security is mandatory", I didn't mean it just like a figure of speech; I meant the security trust criterion of SOC 2. I hope that makes sense.

So this is where it is: the five attributes of a system, known as trust services principles, to address the trust services criteria. This is the first one, as I said, the security trust services criterion, which is mandatory. The other four are optional. Now, when I say optional, you have to get this thing validated from your auditor and your clients and, of course, your business, and what you are projecting for the next one, three, five years, to know where you're going, based on which was selected
as principles. Okay, I'm just getting too many questions, and I'm sorry, I'll just breeze through it. Finish like 80% of my webinar, and please do keep popping in your queries; I will try and complete it towards the end. But now I'm not even halfway through my webinar, so please help me complete this, and then I'll pause and take up more questions.

Now, there are these four components that one has to look into: policies, communication, procedures and, of course, the monitoring part. So in all these areas: whether there is a policy, system procedures, whether there are all the communications, all the responsible parties and authorized users. For example, I'll tell you what is not there in other standards, very highlighted: that is, how you are doing your client service management. So how you are ensuring and communicating to your client that the SLAs are adhered to, how you are escalating issues to the client in case there's a breach, all those things are worded very acutely and very strongly in SOC 2. So it is much beyond other standards that we have seen, including how you are doing your whistleblowing, how much your management is involved in the functioning of InfoSec and IT; all those things are covered in SOC 2. And there are the procedures, the documentation, the records and, of course, the day-to-day monitoring of the requirements of SOC 2, which is also very, very important.

Now, if I might turn it the other way around. Okay, Ray, that's a nice name. He's asking: what if you are doing SOC 2 and you are looking at ISO 27001 compliance? I would say it's a walk in the park; just simply go for certification. As soon as you've drawn up a statement of applicability, you're good to go. So it is that much. So SOC 2 subsumes, if I can say that, ISO 27001, but it's not the other way around.

Okay, Mr. Panchala has asked for the biggest obstacles faced on a technical and process level. I'm trying to do that at this time, trying to share
as much experience as possible now, and I will continue to do so; I will build up more as the webinar is going ahead.

Coming to the first, the security principle: this is for the protection of the system from unauthorized and physical access, limiting access to the system, permitting authorized access based on the relevant needs, and preventing unauthorized system access. Now understand, for all the other four trust principles there are some mandatory requirements. So, for example, if I look at availability as a trust principle, it doesn't mean that the security principle doesn't have any controls already. It does. So the, what to say, base minimum availability requirements are there in the security principle. Now the availability trust principle adds more to it, so there are optional availability controls. It's the same for confidentiality, or processing integrity, or privacy: there are mandatory, sacrosanct controls which are included in the security principle, and there are add-on controls, or optional or additional controls, you might say, in the other relevant trust principles. So in case you're wondering, if confidentiality and availability are covered separately, what exactly is there in the security principle: the security principle contains some mandatory requirements.

Availability is, like, of the CIA, the "A" part over here. Again, this is the accessibility of the system. It does not enter system externality, it does integrity for point of view, and here the key is identifying and preventing potential threats to the system availability. So it is not just saying, "I have a DR, that's enough." No, that's not enough in the availability principle: even how you are going to identify, preventing a downtime, correcting a downtime, detecting a downtime. So the corrective, detective and, you know, corrective controls are there, plus from the administrative perspective, logical perspective, technical perspective. So all these six sides have to be covered when you're talking
about any of those trust principles.

The processing integrity principle we have basically seen with regard to any sort of companies who are doing data processing or doing any sort of MIS development and stuff: the completeness, validity, accuracy, timeliness and authorization of the data. Again, the key issue that we have seen every time in an audit, which then further stretches out the audit period, is that the system documentation is missing. Secondly, SOC 2 speaks very strongly as to how you ensure that the inputs and outputs are matched appropriately, based on the processing strength of the particular process that you have, or how it is mapping to the SLAs that you have. So all that cross-mapping is very, very important, which is missed out many a time, as we have seen in audits.

Confidentiality: again, I don't think I need to preach to the choir over here, but the bottom line is, information designated as confidential is protected as committed or agreed. So again the bottom line becomes how you're projecting your company, what your website says about you, whatever your SLA agreement says about you; all those things get fed into the confidentiality trust services criterion, because what is considered confidential can vary very significantly.

Now let me ask you a quick question: how do you identify what is confidential in an organization and what is not? You can just pop me your response. Let me see what your response to that would be. How would you identify what is considered confidential? This is what we have seen as one of the areas in the confidentiality clause, when we are auditing it, as an issue. So how do you identify what is the confidential information and the non-confidential? What is the process followed for identifying confidential and
non-confidential information in an organization? So what would be your response to that? Come on, come on, drop me a reply. Okay, quite a few answers popping up on my screen. Okay, somebody has written "policies and procedures". Okay. A couple of them have got the answer right: it's based on a risk assessment. As I said, an information classification and a thorough risk assessment is required to identify what is confidential in your organization, and that's where we have seen many companies fail this particular aspect, that is, they have not done a proper risk assessment in the organization. Risk assessment is required as a part of SOC 2 also; it's not an option. That's why I said earlier that if you have done a very good SOC 2 assessment and are complying to it, ISO 27001 becomes a walk in the park.

Privacy, the principle: again, this is as per Generally Accepted Privacy Principles issued by the AICPA and the Canadian Institute of Chartered Accountants. Now again, it is the rights and obligations of individuals. It's very close to what you've seen in GDPR, and we've got a webinar online, on our YouTube page, for SOC 2 and GDPR; do go through it. And this is basically focused on the criterion of individual rights to privacy: identifying, letting them know the rights, ensuring that the data which is being collected is being used for that very purpose and not for anything else. So that is where the privacy principle comes into place. As we have seen earlier, even in GDPR, there is a notice to the users about the privacy policies, procedures, what purpose it's used for; the choice and consent, how have you informed the user about the choice and taken an appropriate consent; collection, collecting it in the right way; then the use, retention, disposal. So it is very, very similar to GDPR. So the last trust principle is very similar to
GDPR, as you see. Thank you again for the points that you're putting in; I will cover them towards the end of my webinar, or as I go through. And as I said earlier, the phonics to point one over here for the privacy principle, whether it is GDPR or HIPAA, there is a PDPA, PDPB, which we get to see more in Southeast Asia, like Indonesia or Malaysia or Vietnam and stuff, where they have a PDPA, PDPB, and of course the CPPA, we might do a webinar on that, that is the Californian Privacy Protection Act. So all these implements are there, and there is a huge overlap. Now if you're talking about a point-to-point overlap, a very good one, I would say, is GDPR, in my opinion. So in case you already have GDPR in place, your privacy principle is fairly covered. So before we get into the tag names, look into that part also.

And then first things first. When you're looking at a very optimal, prioritized approach to SOC 2, first things first, which I have been harping about from the beginning of this webinar: your contracts, RFPs and your SLAs that you have committed to your clients, whether it is there in place with the clients. Go to the AICPA website; look up if there are any new developments, any new sort of add-ons or new clarifications that might have been issued. That is to say, what sort of training and awareness is there in your organization; how serious is the organization about doing SOC 2. Now, executive communication: the bottom line is that it has to start from the top down. Now, in a few companies, you see, this is taken more like a marketing initiative. It will never fly, even if you take it as just an IT initiative because many of the controls are on IT. It will never, never fly. It has to come from the top-down approach, because it will impact almost all the departments in the company. And last but not the least, discuss with your service auditor. So before you even start off
on your journey of SOC 2, appoint an auditor; you will need the perspective.

Coming to the scoping part, since I've spoken so much about it and there are so many inquiries people have already put on the scoping part: identify your in-scope services. Again, for this you can probably ask your CPA or your auditor to do a pre-assessment for you. That will really help you, because then the auditor can be in a position to even help you scope it. And maybe then you might think about taking some sort of advisory approach from your CPA; that is something that we also offer our clients.

Select the physical locations. Again, I use the word "select", but I'm not very happy about it. See, the reason is that it's not really your full choice. Maybe there's a process wherein you are maybe working on client data, providing the information back to the clients after massaging the data and getting some proper MIS out, and maybe your process is spanning across two locations, and the data is flowing to the two locations, and those two locations combine to deliver a particular process. As a part of your initiative on SOC 2, you can't say, "I will include location A in scope but not location B in scope." That won't be acceptable. It's really not acceptable.

Next is the subservice organization, that is, as I said earlier, which of your partners, which of your down-the-line service providers are required to get SOC 2 compliant. It should not spring up as a surprise to you at the time of audit. Do a very strong risk assessment, document your processes, identify the control activities and, last but not the least, identify the timeline. All this comes from a very strong risk assessment or a gap assessment, and before that, the first thing is scoping. Identify the scope, that is, what you are going to do, where you're going to do it, on what trust principles, how many people are involved, what all
processes would be involved, all those things. And if you are doing this for the first time, I really, really suggest you take the help of someone who knows what SOC 2 is all about. It's not really your choice in all ways, and if it is a good auditor, like how we do, we would not be cutting any corners for you.

So, going on to auditor selection, again, since there are a few queries on that. As I said earlier, it has to be a licensed CPA firm, and the person who is doing it has to be a licensed CPA. There should be independence. By independence, meaning you cannot just audit and attest your own organization; or if you are serving on the board of that organization, and you are also a licensed CPA firm or a licensed CPA, and you are also on the board of that organization, you cannot certify that organization; or if you're doing any sort of management tasks in the organization, you cannot be the certifier of the organization.

Go for a single-vendor approach. Now, don't be jumping CPAs, because it's simply not helping you. You need to if the CPA is not good enough, but ensure that you are sticking as much as possible, because maybe a particular CPA has not allowed some concessions to you and you think about going to some other CPA; that other CPA might not allow that also. So ensure that you work with the single-vendor approach.

And there's the auditing: what sort of auditing the CPA is thinking about, and do they have the right technical expertise, because, understand, this is a technical standard. Your CPA, now, this is something which I'm relating based on my experience: we've seen CPAs who are very good on finance, very good on process control, internal process development and stuff like that, but they have zero skills with regard to IT and absolutely no understanding of InfoSec. So technically you can still work with that person, because that person belongs to a licensed CPA firm and is a CPA himself, but if you're looking at getting
anything out of this as a method of helping your organization grow and improve, it will never work. I would really suggest you check the credentials of the CPA: what is the technical background, what is the InfoSec background. Otherwise they will not even be in a position to answer your queries as to what does this particular control mean, what is, in this particular requirement, for doing an assessment, or doing a VA, or doing a PT, or whatever be the case, what should be the scope of that. All those things the person will never be able to answer. I personally know CPAs, good people, and again, I've got nothing against CPAs, good people, absolutely brilliant as far as finance and economics and taxation and all is concerned, but absolutely no background in InfoSec and IT. Again, I'm not saying that an accounting and finance person should be strong in IT and InfoSec; I am saying that the standard is for IT and InfoSec, so ensure that the person you're identifying as an auditor has the right background. I would say that if you have a CPA who is very good in IT and InfoSec, but has no background with regard to finance and accounts and taxation, I'd suggest you go ahead with that person rather than the other way around.

Points to factor in at the time of audit. How long does it take? That's one of the frequently asked questions. So typically there is a Type 1 report and there's a Type 2 report. Okay, I cannot get into the details of that; I'd really suggest you look up my webinar on YouTube, which is called "SOC 2 and You", and I will put that in the description on this YouTube video once we put it up on YouTube. But you can go to our YouTube channel, and there is a SOC 2 webinar, and you can go through that; it covers a lot of basics. But Type 1 is like testing the design of the documentation, but not literally asking for evidence of implementation. A Type 2 report asks for a minimum six to
six months to 12 months' evidence of implementation. So just the audit will take at least four to six weeks minimum, and then the reporting takes place. So as a company, from our side, we do SOC 2; once the audit is over, the report itself takes a minimum of four weeks. So we sometimes issue a provisional audit certificate, stating that you have cleared the SOC 2 assessment and there are no high-risk findings, that is, assuming that there are no high-risk findings, and then give a certificate, like a compliance certificate, so that you can give that to your clients while you are waiting for the report to be released. So these are the timelines. So if you're looking at completing the entire thing in three months' time, that is 90 days, like half of it will go in the audit part, so factor that in also.

The cost for certification, again, depends on many factors. Many a time clients call and say, "How much time does it take? How much would it cost to get SOC 2 certified?" So we ask them for the scope, and many times they say, "Okay, we've got this XYZ CPA who's telling us so-and-so, and they never asked these questions." So my answer to you would be that I don't know how and on what basis anybody came to an amount for the audit, because it all depends on scope: number of employees, number of locations, number of trust principles, whether it's a Type 1 or Type 2, period covered, all those things; how many controls are there in scope, background, maturity. All those things go into arriving at a cost for doing the certification for you. Now understand, the first time the cost would be slightly higher, but the next time around you can expect a lowering in price, because you're already SOC 2 compliant and you can assume that, okay, you'd be doing something right for the next time.

As I said, a Type 1 report is like a snapshot in time; it looks at the suitability of the design of controls and doesn't get the background evidence. So
Type 2 is Type 1 plus evidence for six to twelve months. So many startups come to us for a SOC 2, so we clearly tell them, "You can do a Type 1 now, because your company has not even been in existence for six months or so; you don't have the evidence. So do a Type 1, and maybe after six, eight months of implementing you can do a Type 2." It's not going to be phenomenally expensive. But remember one thing: clients would typically be looking at a SOC 2 Type 2 report. So as much as possible, even though it hurts the revenues, we tell companies, do not waste a lot of time and money doing a Type 1, but go ahead for a Type 2 report. I hope that makes sense.

So this is the report structure, how it looks. We've already done this in detail earlier, but I still hope it makes sense to you all. It contains the auditor's opinion, management assertion, description of controls, and all those things. SOC 3, as I said: the control activities, tests of operating effectiveness, test results, all those things, the results of tests, aren't covered in a SOC 3. For SOC 1 and SOC 2, yes, this would be the report structure. Again, there's an auditor's opinion; there will be management's assertion, which is a sign-off from the board as to what the organization is all about, how it works, what is happening, what processes, all those things are in place; and then comes a description; then tests of controls and the corresponding results are there in the report. That's where it takes a lot of time. A SOC 2 report runs into a few hundred pages, and auditing it takes a lot of time and patience. And again, what's in a SOC 1 Type 1 report: again, suitability and design of controls. And again, Type 2: the suitability of design of controls plus a test of effectiveness for at least six to twelve months of evidence.

Now, coming, this is the core of the webinar. So you've stuck in so long; I'm
juicing it up in this last slide. That is, first things first, looking at the prioritized approach: get the scope in place, lock it, involve your auditor. That is extremely important for getting management buy-in on the scope. For many companies I would simply say, forget the final attestation; since you're doing this for the first time, just do an initial gap assessment or scoping, show that to your management, show the repercussions, show the implications, show the budgets for a full-fledged implementation, and then go for a final compliance attestation. This will really get many things out of the way for you.

Now, do a project plan with the end in mind. So do a reverse calculation from the date. If you're looking at getting certified in the next three months, do a reverse approach. Okay, so the audit takes like a month, or you might say, "Let me just get ready in three months' time," so then the audit is shifted right into the fourth month. In that case, how much time the internal effectiveness will take, the risk assessment will take, the documentation will take, and then finally doing a re-audit and the training. So do a reverse calculation; do a project plan with the target date in mind. And I'll say this like a dozen times: do, do an initial gap assessment. Very important. This will really set the tone of what you're going towards.

Have a weekly review call; without this it is doomed to failure. Have weekly review calls if you're looking at getting this done in three months' time, 90 days. Identifying and training the team members: now, from the scale of the queries that you may have seen, there are so many misconceptions in the team, in IT, even in management. Ask your CPA to do the training for you within the organization, as to what SOC 2 is all about, how it works, what the control areas are, what the gaps mean, and what the expectations are from the team and the senior management, and all
those things. Do a very effective training program, and take support from your auditor from day one: no unpleasant surprises. Understand, an audit is always subjective by nature. No matter how much you can give towards objectivity, it will always be subjective by nature, depending on various circumstances, based on the mentality, based on the background of the auditor, what evidence is shown or not shown, including, if I might say, what the auditor's wife fed him before he came for the audit, so how his mood is. So it depends even on that to some extent. But take support from your auditor from day one, so there are no unpleasant surprises for you.

Start collecting evidence and review it on a timely basis. Don't wait for the evidence collection towards the end. And whatever you have done, just tick it off and say, "Okay, of these four hundred controls I've finished a hundred, three hundred more to go": which are the most urgent, what is the most important, which will take more time, which would take less time, all those things are there. So start collecting the evidence.

Okay, so that brings me to the end. It's a tad over the time, but thank you so much, each and every one who has been there with me through the entire webinar. Thank you so much for this. So these are the past webinars that have happened so far. What I was talking about is the thirteenth webinar, that is "SOC 2 and You", that you can go through, and of course drop in your queries. Thank you so much for this. Towards the end of this webinar you can see there's a brief survey. Please, we've put in a lot of time and money in this webinar; do ensure that you fill up that webinar feedback sheet and give some feedback. It could be critical feedback, it could be some good words, some appreciation; anything would be fine, even some critical feedback or requests for future webinars. Put all that in, and I personally assure you that
we'll be going through and responding to each one. That's our YouTube channel, where we're putting it up again, so do go through our YouTube channel, and you can subscribe to it while you're there. That's our Facebook page; we keep on posting a lot of tidbits of content. That's our LinkedIn page, and there are my coordinates to drop me a line, and we always do respond back to you on whatever there is. So thank you so much for being such a great audience, and I look forward to seeing you in the next one. I think we might be doing something on GDPR coming up, or something on PCI DSS, but again it depends on what you have to say about this. So do put in your feedback with regard to what should be the next webinar. So thank you again, and have a great evening ahead. Take care. Bye-bye.


Frequently asked questions

Learn everything you need to know to use airSlate SignNow eSignatures like a pro.


How do I eSign a document before sending it?

airSlate SignNow allows document authors to eSign before sending it and even add signature fields for recipients if needed. Just upload your file, open it and create respective signature fields: My Signature to self sign a document and Signature Field to collect signatures. For self signing, you’ll need to generate your own eSignature. To do so, just apply the My Signature element and follow the instructions and either type, draw, or upload your signature. Once you like what you’ve generated, click Sign. After that, assign signature fields to recipients, add their emails, send it out and wait. Once everyone has signed, airSlate SignNow will automatically send each party an executed PDF copy.

How do I sign a paper, scan it, and upload it to my computer as a PDF?

There are two ways to get a signed PDF scanned and uploaded to your computer. You can print a paper document, find a scanner, and convert the image to Portable Document Format. Avoid paper messes and get documents signed in just a couple of clicks. Self-sign with the My Signature tool and create a legally-binding eSignature without printing or scanning.

How can I make documents easy for customers to sign via email?

Empower your customers with the ability to easily get PDFs signed whenever they need to. Upload your files to airSlate SignNow and improve them by adding fillable fields. Then turn frequently-used drafts into fillable templates. Share the files with your consumers via the signing link or email and get signed documents back. The intuitive interface guides recipients through all the document's fields that require information and helps them sign the PDF without forcing them to create an account. Regardless of the device a particular user is using, they can always open and fill out your form.