Is your business looking into System and Organization Controls (SOC) for Service Organizations? If you haven’t outsourced any services (such as SaaS, cloud hosting, or payment processing), or you only recently launched your business, learning about SOC 2 audits may seem overwhelming.
Considering the importance of information security, especially as businesses increasingly outsource vital and highly specialized tasks, businesses must ensure that they consistently handle data securely. Application and network vulnerabilities leave organizations open to a variety of attacks that include data theft, ransomware, and malware installation. And mishandled data can cost enterprises a pretty penny.
Take a few moments to learn about how SOC 2 audits help you achieve and maintain compliance to protect your organization, clients, employees, and stakeholders.
SOC 2 Audit Guide
- Audit Types
- Report Features
- Auditing Preparation
Overview of SOC 2 Audit Terminology
It’s useful to first review some of the basic terminology about the various roles and reports involved in SOC 2 audits.
- User Organization – The organization, or entity, that has engaged a service organization and whose financial statements must be audited.
- User Auditor – The auditor, or auditing firm, engaged to report on the financial statements and internal controls of the user organization.
- Service Organization – The entity, or portion of an entity, engaged to provide services to a user organization that are part of the user organization’s information system.
- Service Auditor – The auditor who reports on controls at a service organization that may be relevant to a user organization’s internal control, in relation to an audit of the user organization’s financial statements.
- Report on Controls Placed in Operation – The service auditor’s report on a service organization’s description of its controls.
- Report on Controls Placed in Operation and Tests of Operating Effectiveness – The service auditor’s report on a service organization’s description of its controls, together with the results of tests of whether those controls operated effectively over the review period.
What Are SOC 2 Audits?
SOC 2 is a type of audit that ensures that your service organizations provide a safe operating environment in which they can manage your sensitive data and protect the interests of your organization, as well as the privacy of your clients. The audit focuses on the internal controls that your organization has in place to govern the services it provides to its clients.
The Purpose of SOC 2 Auditing
Service organizations have become increasingly important to growing organizations, providing a range of vital services. Also referred to as the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, the SOC 2 audit is used by companies that outsource services to providers with access to customer data.
SOC 2 guidelines were developed to ensure that customer data remains confidential, secure, private, and available for use when needed. Additionally, they provide assurance regarding complete, accurate, timely, and authorized system processing. Finally, and most importantly, the SOC 2 audit report is an attestation report verified by a trusted registered public accounting firm which a service organization can provide as proof of compliance to its user organizations.
Who Requires SOC 2 Audits?
A SOC 2 audit plays an important role in regulatory oversight, as well as internal risk management processes and corporate governance. It provides client companies assurance about the security of data which is outside of their facilities and to which their service organizations have access.
Any organization that needs detailed information and assurance about the controls at a service organization may request a SOC 2 audit. The primary types of companies that undergo a SOC 2 audit include those that provide services like data hosting, colocation, data processing, cloud storage, and Software-as-a-Service (SaaS).
These service providers must ensure that any data is transmitted, stored, processed, and disposed of according to the SOC guidelines set by the AICPA. SOC 2 audits may be performed as part of a regular security program or when the user organization suspects there is a data security issue with one or more of the criteria at the service organization.
SOC 2 Framework – Trust Service Criteria
The SOC 2 auditing and reporting process is guided by a framework called the Trust Service Criteria. The TSC is built upon five criteria:
- Security – A business’s data and computing systems are fully protected against any unauthorized access, unauthorized and inappropriate disclosure of information, and any possible damage to systems that might compromise the processing integrity, availability, confidentiality, or privacy of data or systems and that may affect the entity’s ability to meet its objectives.
- Availability – All information and computing systems are ready and available for operation at all times to meet the entity’s objectives.
- Processing Integrity – All system processing is complete, accurate, valid, timely, and authorized to ensure that the entity meets its objectives.
- Confidentiality – Any information designated as confidential remains secure to meet the entity’s objectives.
- Privacy – All personal information collected, used, retained, stored, disclosed, or disposed of must meet the entity’s objectives.
These five essential criteria are modeled around four broad levels of requirements:
Each of these areas provides the key information that helps determine whether a service organization meets the Trust Service Criteria, although each SOC 2 report is unique to the individual organization.
Like the SOC 1 audit, SOC 2 has two different types of reports.
SOC 2 Type I
This type of audit examines the controls that service organizations use to address any or all five of the Trust Service Criteria. This audit type describes the service organization’s systems and provides assurance that controls are effectively designed to meet relevant trust criteria at a specific point in time.
SOC 2 Type II
This audit type includes additional attestation that a service organization’s controls undergo testing for operating effectiveness over a period of time. User organizations and their auditing team generally select six months for the period of time to evaluate.
Not every SOC 2 audit must cover all five criteria. Depending on your organization, or the reason for performing an audit, an organization may use a few or all of the TSCs to define the scope of the audit. Additionally, the scope may be wider or narrower in relation to what is analyzed.
Refer to our Guide to Data Classification.
What Is Included in the SOC 2 Audit Report?
In a SOC 2 audit, there is no need to focus on financial reporting controls since those are covered in a SOC 1 audit. The SOC 2 report evaluates a business’s non-financial reporting controls relating to security, availability, processing integrity, confidentiality, and privacy of a system.
In the SOC 2 audit report, the auditor will provide a written evaluation of the service organization’s internal controls. It will contain a determination by the accounting firm, as to whether the appropriate controls are in place to address each of the selected TSCs.
There is no guarantee that the CPA’s opinion will be positive. An unqualified opinion confirms the management’s assertion that the current controls are effective. In the case of a negative determination, the CPA firm will provide a qualified or adverse opinion.
Get more information on How to Read Your SOC 2 Report.
How to Prepare for a SOC 2 Audit
Now that you have a better idea of the role of the SOC 2 audit and its resulting report, you are ready to take action and get ready.
Step 1: Select the Reporting Period for Your SOC 2 Report.
The AICPA’s AT Section 801 states that a reporting period shorter than six months is not likely to be useful to user organizations and their auditors when performing SOC 2 audits. Schedule your SOC 2 audit, whether Type I or Type II, at regular six-month to 12-month intervals to ensure regular and thorough compliance.
Step 2: Determine the Controls You Need to Evaluate.
Depending on the reason for the SOC 2 audit, your controls may include one or all five of the TSCs. Consider any legal, contractual, or other regulatory obligations you may have to help identify specific TSC requirements.
For example, in the case of healthcare organizations, data privacy is crucial, so they may focus on privacy. In general, security and availability are the most commonly tested TSCs.
Step 3: Gather All Documentation.
Documentation is essential to achieving and maintaining complete and consistent SOC 2 compliance. Examples of pertinent documentation include organizational charts, change management records, asset inventories, and onboarding and offboarding processes.
Step 4: Perform a Gap Analysis.
Gap analysis allows you to verify that all key controls are documented and in place. This process requires close review of your chosen system against the criteria selected. A gap analysis serves to detect issues before beginning an audit. It gives your organization the opportunity to make corrections, so be sure to leave plenty of time for remediation.
Step 5: Meet with Your Auditor.
Whether you have pressing concerns or would just like some advice as you prepare, a meeting with your auditor can help you feel more confident going into the preparatory phase.
Know what lies ahead; refer to our SOC 2 Timeline.
The SOC audit has undergone a number of changes over the years to make sure it best addresses the needs of user and service organizations. The AICPA continually monitors the changing technologies, third-party practices, and other factors that impact data security. See how SOC 2 audits have evolved over the years.
In the 1990s, Statement on Auditing Standards (SAS) 70 was the original auditing standard, whose purpose was to report on the effectiveness of internal control over financial reporting. However, as technology became an increasingly important issue, SAS 70 was adapted to become the basic metric used to demonstrate that a vendor’s system was safe and secure.
On June 15, 2011, the Statement on Standards for Attestation Engagements (SSAE 16) became the official method for reporting on controls at a service organization, replacing SAS 70. SSAE 16 also introduced SOC 2 as the official report to address system security, based on the Trust Services Principles and Criteria.
SSAE 18 became effective May 1, 2017, and made key improvements on SSAE 16 to “clarify and formalize requirements for performing and reporting on the examination, review, and agreed-upon procedures engagements to expand the potential of the SSAE 16.”
2018 SOC 2 Update
As of December 15, 2018, a new update went into effect for SOC 2. A few key changes include the SOC acronym change from Service Organization Controls to System and Organization Controls, the alignment of the Trust Services Criteria with COSO 2013 Framework, and adding new points of focus and criteria.
Additional SOC 2 Resources
- SOC 2 FAQs
- Who Is Certified to Complete a SOC Audit?
- How Pen Tests & Vulnerability Scans Assist SOC 2 Compliance
- SOC 2 Readiness Testing for Service Organizations
- Areas of Security Practice Critical to SOC 2 Compliance
- Learn about AT Section 101
Professional Assistance Preparing for Your Next SOC 2 Audit
The I.S. Partners, LLC. SOC 2 team regularly works with user and service organizations to help both parties achieve top-level compliance for a healthy and secure business relationship that benefits everyone involved. Contact our office to get things rolling.