11 Common Questions About SOC 2 Auditing and Reporting
In the past few years, you have probably noticed the huge uptick in businesses approaching you with an interest in engaging your organization to benefit from your highly specialized service, which might include payroll and data processing, SaaS and cloud services like hosting, analytics, application migration and storage.
Of course, once working with a client, this means your organization has access to a variety of sensitive data for which you become equally responsible for its protection.
Even if your business is just taking off, you are probably fully aware of the fact that data handling is very serious business and that your clients will need assurances regarding their highly valuable data. However, you may wonder how to keep that data safe.
As usual, the American Institute of Certified Public Accountants (AICPA) came through to develop the SOC 2 audit, which tests a service organization’s internal controls to provide a report chock full of the necessary assurances for the client, customers, employees, any third-party stakeholders and the service organization itself.
While you probably know that you need to comply with a SOC 2 audit—many auditors and service organization leaders use the shorthand of calling it “sock two”—in accordance with the service agreement you may sign with each client, the details of it all may still seem murky to you.
As you can see from the following chart, made available via Google Trends, the interest in cloud services alone warrants the nearly meteoric allure of hiring service organizations, as well as the need to develop a system of checks and balances for both the client and the service organization.
Increase of cloud services engagements from October 2008 through October 2018
You are far from alone if you have questions while doing your part to fulfill your client’s needs for your specialized technological services. Considering how complex SOC 2 appears on the surface, we thought it might help you if we share our answers to 11 common questions.
1. What Is SOC 2?
SOC 2, which is short for System and Organization Controls 2, is one section of a comprehensive auditing suite that focuses on system-level controls of a service organization. Where SOC 1 focuses on the internal controls over financial reporting, SOC 2 concentrates on the protection and privacy of data.
2. What Is the Backstory on SOC 2?
The AICPA designed and established SOC 2 as the premier auditing standard to address the continuing trend of cloud computing. However, SOC 2 was not the original name, or even the original concept of this auditing standard.
The original standard, now known as SOC 2, was preceded by SAS 70, which provided guidance to the independent auditor to issue an appropriate opinion and report on the organization’s control objectives.
In 2011, the Statement on Standards for Attestation Engagements (SSAE) No. 16 replaced SAS 70 and established a new attestation standard (AT 801). SSAE No. 16 later became SOC 1 to focus only on the financial controls. SOC 2 was developed to concentrate on data sent to service organizations, primarily to prevent misuse, whether intentionally or inadvertently.
3. What Are the Two Types of SOC 2?
SOC 2 provides two options for auditing service organizations, which are Type 1 and Type 2.
With a Type 1 audit, the auditor reviews and reports on the service organization’s system and the design of its controls, relating to one or all of the five Trust Services Criteria (TSC).
A Type 2 audit includes all the same information as Type 1, but it also features the auditor’s assessment that a service organization’s controls have been tested for operational effectiveness over a period of time.
4. What Are the Trust Services Criteria?
Formerly known as the Trust Services Principles (TSP), the TSC still serve as the control criteria used for the assessment and reporting on controls for information and systems. The five TSC are:
- Processing Integrity
5. What Does the 2013 COSO Framework Integration Involve?
The AICPA’s Assurance Services Executive Committee (ASEC) and its Trust Information Integrity Task Force monitors and ensures technical accuracy of the TCS to cover the expanding operational scope for organizations that rely on TSC.
Upon review, the ASEC determined that integration with the 2013 COSO Framework was vital for service organizations engaged with a publicly traded company subject to compliance requirements of the Sarbanes-Oxley Act (SOX) Section 404.
6. What Are the Basic Requirements for SOC 2 Compliance?
The most important requirement of SOC 2 is that businesses need to develop security policies and procedures that are written out and followed by everyone. These policies and procedures serve as guides for auditors who will review them.
Policies and procedures should cover security, availability, processing integrity, confidentiality and privacy of data stored in the cloud.
7. What Needs to Be Monitored?
The most important things to monitor include any unauthorized, unusual or suspicious activity related to data belonging to a specific client. This type of monitoring usually focuses on the level of system configuration and user access and monitors for known and unknown malicious activity, such as phishing or other types of inappropriate and unauthorized access. The best means of monitoring is through a continuous security monitoring service.
8. What Alerts Are Needed?
Alerts set up to detect unauthorized access to customer information and customer data, or any other anomalous behavior related to a client’s data, are crucial in assisting busy IT leaders in meeting SOC 2 requirements. In order to avoid false alarms, and unnecessary responses to those alarms, it is important to search for an alarm system that alerts only when unusual activity is beyond what is normal the operating environment, according to set policies and procedures.
9. What Is a SOC 2 Readiness Assessment?
A SOC 2 scoping and readiness assessment helps service organizations better determine the necessary scope of a specific audit. This important exercise helps IT teams understand which important elements of the control environment require attention and remediation before performing the official audit.
10. Who Must Comply with SOC 2 Requirements?
SOC 2 requirements are mandatory for all engaged, technology-based service organizations that store client information in the cloud. Such businesses include those that provide SaaS and other cloud services while also using the cloud to store each respective, engaged client’s information.
11. How Often Must a Service Organization Schedule a SOC 2 Audit?
Most SOC 2 reports cover a 12-month period, but there are times when service organizations perform this audit every six months, depending on the client’s preference and any ongoing concerns in the operational control environment.
Do You Need Help Preparing for Your Upcoming SOC 2 Audit?
Do you still have questions about the SOC 2 audit and report? It is a crucial and complex audit, and our SOC 2 team at I.S. Partners, LLC. can help you sort it all out in time for your next SOC 2 auditing and reporting period.
Call us at 215-675-1400 or send us a message to go over any other questions you may have, or to simply learn more about our comprehensive SOC 2 auditing services and how we can help your service organization.