SOC 2 Audits: What They Are and How to Stay Compliant, Part 2 of 2
Picking up where we left off in our last blog post on SOC 2 audits entitled “SOC 2 Audits: What They Are and How to Stay Compliant, Part 1 of 2,” we want to dig a little deeper here to help you prepare for a smooth audit and full SOC 2 compliance.
Now that we’ve provided a backdrop on this important audit, we can get to the heart of the matter and look at just what goes into a SOC 2 report and how you can prepare.
What Is Included in the SOC 2 Report?
Before starting your preparation for your next SOC 2 report, it may help to know just what you must include. Performed in accordance with the AICPA’s AT-C Section 205 for Examination Engagements, and based on one or more of the Trust Services Criteria (TSC), tests and reports on the design (Type 1) and/or operating effectiveness (Type 2) of a service organization’s controls.
In a SOC 2 audit, there is no need to focus on financial reporting controls since those are covered in a SOC 1 audit. The purpose of the SOC 2 report, however, is to evaluate a business’s non-financial reporting controls, relating to security, availability, processing integrity, confidentiality and privacy of a system.
The appropriate management person in your organization will select one or more of the five TSC controls to best assess and address the potential risk, issues or general concerns regarding the services provided by the service organization.
Finally and most importantly, the SOC 2 report is actually an attestation report, which is the verification provided by your trusted registered public accounting firm. Your auditor will provide verification as to the reliability of a written statement attributed to a company regarding matters involving the service organization’s internal controls, according to the TSC.
Each time a service organization completes a SOC 2 report, it will contain an opinion from the accounting firm, stating whether or not the CPA firm agrees with management’s assertions as to whether or not the appropriate controls are in place to address each of the selected TSCs. There is no requirement or guarantee that the CPA’s opinion will be positive. It is positive when appropriate; but in other cases, the CPA firm may not agree with management’s assertion. He or she will then provide a qualified or adverse opinion.
What Are Some Basic Steps You Can Take to Prepare for a SOC 2 Audit?
Now that you have a better idea of the role of the SOC 2 audit and its resulting report, you are ready to take action and get ready. Following are a few tips we recommend to get started:
Step 1: Select the Reporting Period for Your SOC 2 Report.
The AICPA’s AT Section 801 states that a reporting period less than six months is not likely to be useful to user organizations and their auditors when performing SOC 2 Type II audits. Schedule your SOC 2 audit—whether Type 1 or II—at a minimum rate once every six months to one-year to ensure regular and thorough compliance.
Step 2: Determine the Controls You Need to Evaluate.
Depending on the reason for the request for your SOC 2 audit, your controls may include one or all five of the TSCs, which are security, availability, processing integrity, confidentiality and privacy. Consider any legal, contractual or regulatory obligations you may have to help identify your specific TSC requirements that may help pinpoint any related issues. For example, in the case of healthcare organizations, data privacy is crucial, so you may select privacy. You may toss in availability to make sure Protected Health Information (PHI) is always readily available. In general, security and availability are the most commonly tested TSCs. In the end, any issue that concerns you should be included for your peace of mind, as well as for the sake of compliance.
Step 3: Gather All Documentation.
As is so often the case, documentation is essential to achieving and maintaining complete and consistent SOC 2 compliance. Examples of pertinent documentation include organizational charts, change management information, asset inventories, and on-boarding and off-boarding processes.
Step 4: Perform a Gap Analysis.
A gap analysis allows you to verify that all key controls are documented and in place. This process requires close review of your chosen system against the criteria that you select. A gap analysis serves as a way to help you detect issues before taking on your official SOC 2 audit, giving you an opportunity to make corrections, so be sure to leave plenty of time for remediation.
Step 5: Meet with Your Auditor.
Whether you have some pressing concerns or would just like a sounding board as you prepare, a meeting with your auditor can help you feel more confident going into the preparatory phase.
With the consultation of your CPA firm, these steps can help you become increasingly comfortable with the SOC 2 audit process.
What Are Some Changes That the SOC 2 Audit Has Undergone Over the Years?
The SOC audit has undergone a number of changes over the years to make sure it best addresses the needs of user and service organizations. The AICPA continually monitors the changing technologies and any other factors that might impact business owners who manage valuable data for their own needs, as well as for the needs of clients and other third parties.
Explore some of the history of the SOC 2 audit to help you understand how far along it has come to help you keep your organization’s system safe and secure:
In the 1990s, Statement on Auditing Standards (SAS) 70 was the original auditing standard that had the original purpose of reporting on effectiveness of internal control over financial issues. However, as technology became an increasingly important issue, SAS 70 was adjusted to become the basic metric to prove that a vendor’s system was safe and secure.
On June 15, 2011, the Statement on Standards for Attestation Engagements (SSAE 16) became the official method for reporting on controls at a service organization, replacing SAS 70. SSAE 16 also introduced SOC 2 as the official report to address system security, based on the Trust Services Principles and Criteria.
SSAE 18 became effective May 1, 2017, and made key improvements on SSAE 16 to “clarify and formalize requirements for performing and reporting on the examination, review and agreed-upon procedures engagements to expand the potential of the SSAE 16.”
2018 SOC 2 Update.
As of December 15, 2018, a new update will officially go into effect for SOC 2. A few key changes include the name change from Trust Service Principles and Criteria to Trust Services Criteria, the SOC acronym change from Service Organization Controls to System and Organization Controls, the alignment of the Trust Services Criteria with COSO 2013 Framework, and adding new points of focus and criteria.
Do You Need Some Additional Help in Preparing for Your Next SOC 2 Audit?
Hopefully, you now have a better of what the SOC 2 audit is and how you can best prepare for it. Our I.S. Partners, LLC. SOC 2 team regularly works with user and service organizations to help both parties achieve ace-level compliance for a healthy and secure business relationship that benefits everyone involved.
Do you still need some help? Call us to discuss your SOC 2 needs, or anything else, at (215) 675-1400, start a chat session, send us a message or request a quote to get things rolling along. We look forward to assisting you!