As growing businesses gain success and momentum, the next logical step is to engage in some healthy outsourcing when it comes to key tasks and services. At that point, it is just as important to keep track of each service organization’s internal controls and processes.
The American Institute of Certified Public Accountants (AICPA) has developed a complete framework to properly assess these controls with the Service Organization Control (SOC) report framework with SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity.
The key factor in determining the right SOC audit is learning which one will give you the necessary insight into the service organization, an industry “seal of excellence” and peace of mind, without adding too heavily to your in-house team’s workload. At the same time, you need to follow a reliable set of industry standards that serve as a guideline to protect your business, customers and stakeholders.
If you need to work with your service organization to ensure that your organization’s data is protected while still adhering to standards set forth by the AICPA, it may help to take a closer look at the combination of AT Section 101 and SOC 2 to see what they have to offer.
An Overview of AT Section 101
AT Section 101 is the section of the AICPA Attestation Standards that served as the professional standard for SOC 2 and SOC 3 engagements. While SOC 1 engagements, which cover controls relevant to user entities’ financial reporting, follow the Statement on Standards for Attestation Engagements 18 (SSAE 18), AT Section 101 provided the industry-wide standard that practitioners must follow when performing SOC 2 and SOC 3 audits. (Note that SSAE 18 recodified AT Section 101 into AT-C Sections 105 and 205, which now govern these engagements; the requirements described below carry over.)
This professional standard serves several functions in the attestation process:
- It is the fundamental support for the report produced by the certified public accountant or auditor, who is known as the “practitioner” under the Attestation Standards. That support includes the practitioner’s representation that the standards of fieldwork were observed.
- It aids the practitioner in conducting and supervising the attest engagement.
An Overview of The SOC 2 Audit
Also referred to as the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, the SOC 2 audit is undergone by service organizations whose outsourced services give them access to vital customer data. The primary types of companies that undergo a SOC 2 audit include those that provide services such as data hosting, colocation, data processing, cloud storage and Software-as-a-Service (SaaS).
These service organizations must ensure that any data they transmit, store, maintain, process or dispose of remains secure, confidential, private and available when needed. Additionally, your service provider’s system processing must be complete, accurate, timely and authorized. The SOC 2 report covers all of these concerns because it is built on the Trust Services Principles of Security, Availability, Processing Integrity, Confidentiality and Privacy.
The criteria behind these principles are organized into four broad areas, and each area provides key information that helps determine whether the service organization is adhering to the Trust Services Principles of the SOC 2.
SOC 2 Type I And Type II
Like the SOC 1 audit, SOC 2 has two types of reports, Type I and Type II:
SOC 2 Type I.
This type of audit examines the controls that a service organization uses to address any or all of the five Trust Services Principles. The Type I audit provides assurance that those controls are suitably designed to meet the desired objectives as of one specific point in time.
SOC 2 Type II.
The Type II audit covers all the same information as the Type I audit, but it also adds attestation that the service organization’s controls were tested for operating effectiveness over a period of time (typically six to twelve months), rather than at a single point.
3 Need-To-Know Details About the SOC 2 Audit And AT Section 101
Now that you have the basic information about the SOC 2 audit and its two report types, along with the purpose of AT Section 101, it may help to review three need-to-know details before deciding whether a SOC 2 audit is what you need:
- Choosing Your Practitioner for Your Attest Engagement Wisely Is Essential
- Huge Growth Is on The Horizon For AT Section 101 And SOC 2
- The SOC 2 Serves A Broad Range of User Entities
1. Choosing Your Practitioner for Your Attest Engagement Wisely Is Essential
An attest engagement must be performed by a practitioner who has adequate training and proficiency in the attest function being performed, as well as adequate knowledge of the subject matter. He or she must also have reason to believe that the subject matter can be evaluated against suitable criteria that are available to users.
Your practitioner must also be independent, both in fact and in mental attitude, when performing or supervising an attest function, and must adhere to the Standards of Fieldwork and the Standards of Reporting.
2. Huge Growth Is on The Horizon for AT Section 101 And SOC 2
As companies continue to grow in our ever-expanding digital world, the need for SOC 2 audits and the AT Section 101 professional standard will only increase in the coming years. AT Section 101 will play a vital role in reporting on a service organization’s controls, thanks to the increasing reliance on cloud computing, SaaS, managed services, data hosting and many other technology related services that are more efficiently performed by specialized businesses.
Basically, you are not alone when it comes to searching for a trusted auditing firm to help make sure your service organizations have controls in place to protect your company’s vital data.
3. The SOC 2 Serves A Broad Range of User Entities
Companies that hire service organizations are referred to as “user entities,” and they span a broad range of sizes and industries. You may wonder whether you really need a SOC 2 report, particularly if you own a smaller business. No matter what your business type or size is, if you outsource data-related services you will at some point need a SOC 2 report from the service organizations that handle your data. Additionally, it is imperative that the practitioner performing that engagement adhere to AT Section 101 (now AT-C Sections 105 and 205 under SSAE 18), so that the report you rely on to protect your customers, stakeholders and brand is sound.
Let Us Help You Break Down SOC 2 And AT Section 101 Even Further
At I.S. Partners, LLC, our auditing team understands how complex the SOC framework and attest engagements can seem to our clients at first. We can go over all the key points with you to make sure you understand just what you need from your SOC 2 audit to keep you and your valued service organizations in lockstep.
Ours is the first and only auditing firm that provides the “seal of excellence” to SOC 2 Type I and Type II recipients, along with unqualified practitioner opinions.
Call us at 215-675-1400, request a quote, or launch a live chat so we can provide clarification on any questions or get started on your upcoming SOC 2 audit!