Is your business looking into System and Organization Controls (SOC) for Service Organizations? If you haven’t outsourced any services—like SaaS, cloud hosting, and payment processing—or you only recently launched your business, learning about SOC 2 audits may seem overwhelming.
Considering the importance of information security, especially as businesses increasingly outsource vital and highly specialized tasks, businesses must ensure that they consistently handle data securely. Application and network vulnerabilities leave organizations open to a variety of attacks that include data theft, ransomware, and malware installation. And mishandled data can cost enterprises a pretty penny.
Take a few moments to learn about how SOC 2 audits help you achieve and maintain compliance to protect your organization, clients, employees, and stakeholders.
SOC 2 Audit Guide
What Do These SOC 2 Terms Mean?
It’s useful to first review some of the basic terminology about the various roles and reports involved in SOC 2 audits.
- User Organization – The organization, or entity, that has engaged a service organization and whose financial statements must be audited.
- User Auditor – The auditor, or auditing firm, engaged to report on the financial statements and internal controls of the user organization.
- Service Organization – The entity, or portion of an entity, engaged to provide services to a user organization and that is part of the user organization’s information system.
- Service Auditor – The auditor who reports on controls of a service organization that are sometimes relevant to a user organization’s internal control, relating to an audit of financial services.
- Report on Controls Placed in Operation – The service auditor’s report on a service organization’s description of its controls.
- Report on Controls Placed in Operation and Tests of Operating Effectiveness – The service auditor’s report on a service organization’s description of its controls together with the results of the auditor’s tests of whether those controls operated effectively.
What Are SOC 2 Audits?
SOC 2 is a type of audit that ensures that your service organizations provide a safe operating environment in which they can manage your sensitive data and protect the interests of your organization, as well as the privacy of your clients. The audit focuses on the internal controls that the service organization has in place to govern the services it provides to its clients.
Who Must Comply with SOC 2 Requirements?
SOC 2 requirements are mandatory for all engaged, technology-based service organizations that store client information in the cloud. Such businesses include those that provide SaaS and other cloud services while also using the cloud to store each respective, engaged client’s information.
What Is the Purpose of SOC 2 Auditing?
Service organizations have become increasingly invaluable to growing organizations for a range of vital services. Also referred to as the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, the SOC 2 audit is used by companies which outsource services that have access to customer data.
SOC 2 guidelines were developed to ensure that customer data remains confidential, secure, private, and available for use when needed. Additionally, they provide assurance regarding complete, accurate, timely, and authorized system processing. Finally, and most importantly, the SOC 2 audit report is an attestation report verified by a trusted registered public accounting firm which a service organization can provide as proof of compliance to its user organizations.
Who Requires SOC 2 Audits?
A SOC 2 audit plays an important role in regulatory oversight, as well as internal risk management processes and corporate governance. It provides client companies assurance about the security of data which is outside of their facilities and to which their service organizations have access.
Any organization that needs detailed information and assurance about the controls at a service organization may request a SOC 2 audit. The primary types of companies that undergo a SOC 2 audit include those that provide services like data hosting, colocation, data processing, cloud storage, and Software-as-a-Service (SaaS).
These service providers must ensure that any data is transmitted, stored, processed, and disposed of according to the SOC guidelines set by the AICPA. SOC 2 audits may be performed as part of a regular security program or when the user organization suspects there is a data security issue with one or more of the criteria at the service organization.
SOC 2 Framework – Trust Service Criteria
The SOC 2 auditing and reporting process is guided by a framework called the Trust Service Criteria. The TSC is built upon five criteria:
- Security – A business’s data and computing systems are protected against unauthorized access, unauthorized or inappropriate disclosure of information, and damage to systems that could compromise the processing integrity, availability, confidentiality, or privacy of data or systems and so affect the entity’s ability to meet its objectives.
- Availability – All information and computing systems are ready and available for operation at all times to meet the entity’s objectives.
- Processing Integrity – All system processing is complete, accurate, valid, timely, and authorized to ensure that the entity meets its objectives.
- Confidentiality – Any information designated as confidential remains secure to meet the entity’s objectives.
- Privacy – All personal information collected, used, retained, stored, disclosed, or disposed of must meet the entity’s objectives.
These five essential criteria are modeled around four broad levels of requirements. Each of these areas provides the key information that helps determine whether a service organization meets the Trust Service Criteria, although each SOC 2 report will be unique to the individual organization.
Like the SOC 1 audit, SOC 2 has two different types of reports.
- SOC 2 Type I – This type of audit examines the controls that service organizations use to address any or all of the five Trust Service Criteria. This audit type describes the service organization’s systems and provides assurance that controls are suitably designed to meet the relevant trust criteria at a specific point in time.
- SOC 2 Type II – This audit type includes additional attestation that a service organization’s controls undergo testing for operating effectiveness over a period of time. User organizations and their auditing team generally select six months for the period of time to evaluate.
What Are the Basic Requirements for SOC 2 Compliance?
The most important requirement of SOC 2 is that businesses need to develop security policies and procedures that are written out and followed by everyone. These policies and procedures serve as guides for auditors who will review them.
Policies and procedures should cover security, availability, processing integrity, confidentiality and privacy of data stored in the cloud.
Refer to our Guide to Data Classification.
- What Needs to Be Monitored? The most important things to monitor include any unauthorized, unusual or suspicious activity related to data belonging to a specific client. This type of monitoring usually focuses on the level of system configuration and user access and monitors for known and unknown malicious activity, such as phishing or other types of inappropriate and unauthorized access. The best means of monitoring is through a continuous security monitoring service.
- What Alerts Are Needed? Alerts set up to detect unauthorized access to customer information and customer data, or any other anomalous behavior related to a client’s data, are crucial in helping busy IT leaders meet SOC 2 requirements. To avoid false alarms, and unnecessary responses to those alarms, look for an alerting system that fires only when activity falls outside what is normal for the operating environment, as defined by the set policies and procedures.
What Is Included in the SOC 2 Audit Report?
In a SOC 2 audit, there is no need to focus on financial reporting controls since those are covered in a SOC 1 audit. The SOC 2 report evaluates a business’s non-financial reporting controls relating to security, availability, processing integrity, confidentiality, and privacy of a system.
In the SOC 2 audit report, the auditor will provide a written evaluation of the service organization’s internal controls. It will contain a determination by the accounting firm, as to whether the appropriate controls are in place to address each of the selected TSCs.
There is no guarantee that the CPA’s opinion will be positive. An unqualified opinion confirms the management’s assertion that the current controls are effective. In the case of a negative determination, the CPA firm will provide a qualified or adverse opinion.
Get more information on How to Read Your SOC 2 Report.
The SOC audit has undergone a number of changes over the years to make sure it best addresses the needs of user and service organizations. The AICPA continually monitors the changing technologies, third-party practices, and other factors that impact data security. See how SOC 2 audits have evolved over the years.
In the 1990s, Statement on Auditing Standards (SAS) 70 was the original auditing standard that had the original purpose of reporting on the effectiveness of internal control over financial issues. However, as technology became an increasingly important issue, SAS 70 was adjusted to become the basic metric to prove that a vendor’s system was safe and secure.
On June 15, 2011, the Statement on Standards for Attestation Engagements (SSAE 16) became the official method for reporting on controls at a service organization, replacing SAS 70. SSAE 16 also introduced SOC 2 as the official report to address system security, based on the Trust Services Principles and Criteria.
SSAE 18 became effective May 1, 2017, and made key improvements on SSAE 16 to “clarify and formalize requirements for performing and reporting on the examination, review, and agreed-upon procedures engagements to expand the potential of the SSAE 16.”
2018 SOC 2 Update
As of December 15, 2018, a new update went into effect for SOC 2. A few key changes include the SOC acronym change from Service Organization Controls to System and Organization Controls, the alignment of the Trust Services Criteria with COSO 2013 Framework, and adding new points of focus and criteria.
Professional Assistance Preparing for Your Next SOC 2 Audit
The I.S. Partners, LLC SOC 2 team regularly works with user and service organizations to help both parties achieve top-level compliance for a healthy and secure business relationship that benefits everyone involved. Contact our office to get things rolling.