Is your business looking into System and Organization Controls (SOC) for Service Organizations? If you haven't yet outsourced any services (SaaS, cloud hosting, payment processing and the like), or you only recently launched your business, learning about SOC 2 audits may seem overwhelming.
Given the importance of information security, and the degree to which businesses now outsource vital and highly specialized tasks, organizations must be sure that the providers they rely on handle data securely and consistently. Application and network vulnerabilities expose organizations to attacks including data theft, ransomware, and malware installation, and mishandled data can cost an enterprise dearly.
Take a few moments to learn about how SOC 2 audits help you achieve and maintain compliance to protect your organization, clients, employees, and stakeholders.
SOC 2 Audit Guide
- Audit Types
- Report Features
What Do these SOC 2 Terms Mean?
It’s useful to first review some of the basic terminology about the various roles and reports involved in SOC 2 audits.
- User Organization – The organization, or entity, that has engaged a service organization. In the SOC 1 setting this is the entity whose financial statements are being audited; in SOC 2 it is the customer that relies on the service organization's controls.
- User Auditor – The auditor, or auditing firm, engaged to report on the financial statements and internal controls of the user organization. This is not the SOC 2 auditor; the user auditor is one of the intended readers of a SOC report.
- Service Organization – The entity, or portion of an entity, engaged to provide services to a user organization and that forms part of the user organization's information system.
- Service Auditor – The independent auditor who reports on controls at a service organization. In SOC 1 those are the controls relevant to the user organization's internal control over financial reporting; in SOC 2 they are the controls relevant to the Trust Services Criteria.
- Report on Controls Placed in Operation – The service auditor's report on a service organization's description of its controls and on whether those controls are suitably designed (the SAS 70 name for what is now a Type I report).
- Report on Controls Placed in Operation and Tests of Operating Effectiveness – The same report extended with the service auditor's tests of whether the controls actually operated effectively over the review period (the SAS 70 name for what is now a Type II report).
What Are SOC 2 Audits?
SOC 2 is an attestation examination that gives you independent assurance that a service organization operates a controlled environment in which it can handle your sensitive data securely, protect the interests of your organization, and preserve the privacy of your clients. The audit focuses on the internal controls the service organization has in place over the services it provides to its clients.
Who Must Comply with SOC 2 Requirements?
No law makes SOC 2 mandatory; it is a contractual and market expectation. In practice, any technology-based service organization that stores or processes client information in the cloud, such as a SaaS or other cloud service provider that keeps each engaged client's data in its environment, should expect its customers to ask for a SOC 2 report.
What Is the Purpose of SOC 2 Auditing?
Service organizations have become increasingly important to growing organizations for a range of vital services. Formally described in the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, the SOC 2 report is relied upon by companies that outsource services to providers with access to customer data.
SOC 2 guidelines were developed to ensure that customer data remains confidential, secure, private, and available when needed, and to provide assurance that system processing is complete, accurate, timely, and authorized. Most importantly, the SOC 2 report is an attestation report issued by an independent CPA firm, which a service organization can provide to its user organizations as evidence of its control environment.
Who Requires SOC 2 Audits?
A SOC 2 audit plays an important role in regulatory oversight, as well as internal risk management processes and corporate governance. It provides client companies assurance about the security of data which is outside of their facilities and to which their service organizations have access.
Any organization that needs detailed information and assurance about the controls at a service organization may request a SOC 2 audit. The primary types of companies that undergo a SOC 2 audit include those that provide services like data hosting, colocation, data processing, cloud storage, and Software-as-a-Service (SaaS).
These service providers must ensure that any data they handle is transmitted, stored, processed, and disposed of in line with the criteria set by the AICPA. SOC 2 audits may be performed as part of a regular security program, or when a user organization suspects a data security problem with one or more of the criteria at the service organization.
SOC 2 Framework – Trust Service Criteria
The SOC 2 auditing and reporting process is guided by a framework called the Trust Services Criteria (TSC). The TSC is organized into five categories:
- Security – Information and systems are protected against unauthorized access, unauthorized or inappropriate disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, or privacy of information or systems and affect the entity's ability to meet its objectives. Security is the only category that every SOC 2 report must include.
- Availability – Information and systems are available for operation and use as committed or agreed, to meet the entity's objectives.
- Processing Integrity – System processing is complete, valid, accurate, timely, and authorized, to meet the entity's objectives.
- Confidentiality – Information designated as confidential is protected as committed or agreed, to meet the entity's objectives.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of in a way that meets the entity's objectives.
- Requirements – These five categories are further organized into four broad levels of requirements.
Each of these areas supplies the information used to determine whether a service organization meets the Trust Services Criteria, although each SOC 2 report is unique to the organization being examined.
Like the SOC 1 audit, SOC 2 has two different types of reports.
- SOC 2 Type I – This type of audit examines the controls that service organizations use to address any or all five of the Trust Service Criteria. This audit type describes the service organization’s systems and provides assurance that controls are effectively designed to meet relevant trust criteria at a specific point in time.
- SOC 2 Type II – This audit type adds an attestation that the service organization's controls were tested for operating effectiveness over a period of time. The service organization and its auditor select the review period, commonly six to twelve months.
How Can We Start Making a SOC 2 Compliance Checklist?
The most important requirement of SOC 2 is that the business develops written security policies and procedures that everyone follows. These documents are the auditor's starting point: the auditor reviews them and then tests whether day-to-day practice matches them.
Policies and procedures should cover the security, availability, processing integrity, confidentiality, and privacy of data stored in the cloud.
Refer to our guide to data classification.
- What Needs to Be Monitored? The most important things to monitor are unauthorized, unusual, or suspicious activity involving data that belongs to a specific client. Such monitoring usually focuses on system configuration and user access, and watches for both known and unknown malicious activity, such as phishing or other inappropriate and unauthorized access. The most effective approach is a continuous security monitoring service rather than periodic manual review.
- What Alerts Are Needed? Alerts that detect unauthorized access to customer information, or any other anomalous behavior involving a client's data, are crucial in helping busy IT leaders meet SOC 2 requirements. To avoid false alarms and the wasted responses they cause, look for an alerting system that fires only when activity goes beyond what is normal for the operating environment, as defined by your own policies and procedures.
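As an added, illustrative example (not part of the original article or of any I.S. Partners tooling), the following Python shows one way to implement the two checklist items above: it builds a per-user baseline from a week of historical audit events, then scores new events against that baseline and raises an alert only when the accumulated deviation crosses a policy threshold, so a single mildly unusual signal does not page anyone. The log format, field names, weights, and threshold are all assumptions chosen for the example, and the log lines are constructed, not captured from a real system.

```python
"""Baseline-driven monitoring of access to client data.

Build a per-user profile from historical audit events, then score each new
event against it and alert only when the weighted deviation reaches a policy
threshold. Everything below (log format, weights, threshold) is an assumption
made for this example, not a SOC 2 requirement.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample audit events (not from any real system). Fields:
# timestamp, user, source IP, action, tenant (the client whose data was touched;
# "-" means the action was not tied to one client's data).
BASELINE_LOGS = """\
2024-03-04T09:12:03Z alice 10.20.1.15 record.read acme
2024-03-04T10:40:55Z alice 10.20.1.15 record.read acme
2024-03-05T14:02:10Z alice 10.20.1.22 record.export acme
2024-03-05T08:30:00Z bob 10.20.2.7 record.read globex
2024-03-06T17:45:12Z bob 10.20.2.7 record.read globex
2024-03-06T11:05:44Z carol 10.20.3.9 config.change -
2024-03-07T12:15:00Z carol 10.20.3.9 config.change -
""".splitlines()

NEW_LOGS = """\
2024-03-11T10:05:00Z alice 10.20.1.15 record.read acme
2024-03-11T03:14:09Z alice 203.0.113.45 record.export acme
2024-03-11T09:00:00Z bob 10.20.2.7 record.read acme
2024-03-11T13:20:31Z bob 10.20.2.7 config.change -
2024-03-11T12:00:00Z carol 10.20.3.9 config.change -
2024-03-11T06:30:00Z alice 10.20.1.15 record.read acme
""".splitlines()

# Policy weights (assumed values) and the score at which an alert is raised.
# High-impact deviations alert on their own; low-impact ones must combine.
WEIGHTS = {
    "unknown_user": 3,               # no baseline at all for this account
    "new_tenant": 3,                 # touched a client the user never served
    "config_change_outside_role": 3, # config change by a non-config user
    "new_network": 1,                # source /24 never seen for this user
    "off_hours": 1,                  # outside the user's usual hour range
}
THRESHOLD = 2


def parse(line):
    """Split one audit line into a dict; the source IP is kept as its /24."""
    ts, user, ip, action, tenant = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "net": ipaddress.ip_network(f"{ip}/24", strict=False),
        "action": action,
        "tenant": tenant,
    }


def build_baseline(lines):
    """Per-user profile: tenants touched, source networks, hours seen, and
    whether the user performed configuration changes in the baseline window."""
    prof = defaultdict(lambda: {"tenants": set(), "nets": set(),
                                "hours": set(), "config": False})
    for ev in map(parse, lines):
        p = prof[ev["user"]]
        if ev["tenant"] != "-":
            p["tenants"].add(ev["tenant"])
        p["nets"].add(ev["net"])
        p["hours"].add(ev["ts"].hour)
        if ev["action"] == "config.change":
            p["config"] = True
    return prof


def score_event(prof, ev):
    """Return the list of ways this event deviates from the user's baseline."""
    p = prof.get(ev["user"])
    if p is None:
        return ["unknown_user"]
    reasons = []
    if ev["tenant"] != "-" and ev["tenant"] not in p["tenants"]:
        reasons.append("new_tenant")
    if ev["action"] == "config.change" and not p["config"]:
        reasons.append("config_change_outside_role")
    if ev["net"] not in p["nets"]:
        reasons.append("new_network")
    lo, hi = min(p["hours"]), max(p["hours"])
    if not (lo - 1 <= ev["ts"].hour <= hi + 1):   # one hour of slack each side
        reasons.append("off_hours")
    return reasons


def evaluate(baseline_lines, new_lines, threshold=THRESHOLD):
    """Score every new event; keep only those at or above the threshold."""
    prof = build_baseline(baseline_lines)
    alerts = []
    for line in new_lines:
        ev = parse(line)
        reasons = score_event(prof, ev)
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= threshold:
            alerts.append({"user": ev["user"], "score": score,
                           "reasons": reasons, "line": line})
    return alerts


if __name__ == "__main__":
    for a in evaluate(BASELINE_LOGS, NEW_LOGS):
        print(f"ALERT score={a['score']} {a['user']}: {', '.join(a['reasons'])} <- {a['line']}")
```

Run against the constructed data, this raises three alerts: alice exporting from an unfamiliar network at 03:14 (two low-weight deviations combine), bob reading a tenant he has never served, and bob making a configuration change outside his observed role. Alice's 06:30 read from her usual network is off-hours only and stays below the threshold, which is the kind of tuning the text above is asking for: the alert fires on what is abnormal for this environment, not on every deviation. In production the baseline would be rebuilt on a rolling window and the weights set from your written policy, so the auditor can trace each alert rule back to a documented control.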
What Is Included in the SOC 2 Audit Report?
A SOC 2 audit does not focus on internal control over financial reporting, which is the domain of SOC 1. The SOC 2 report evaluates a business's non-financial controls relating to the security, availability, processing integrity, confidentiality, and privacy of a system.
In the SOC 2 audit report, the auditor provides a written evaluation of the service organization's internal controls, including the accounting firm's determination of whether appropriate controls are in place to address each of the selected Trust Services Criteria.
There is no guarantee that the CPA's opinion will be favorable. An unqualified opinion supports management's assertion that the controls are suitably designed (and, in a Type II report, operated effectively throughout the period). Where the auditor finds material exceptions, the CPA firm issues a qualified or adverse opinion instead.
How SOC 2 Responds to the Needs and Requests of Third-Parties
SOC 2 is one application of the AICPA's attestation standards, which cover subject matter well beyond historical financial statements. Other engagements performed under the same standards include:
- An examination of prospective financial information, such as a forecast attached to a loan application
- An examination of an entity's compliance with relevant laws, rules, regulations, requirements, contracts, and agreements
- A review of pro forma information presented to a potential creditor or investor
- An examination of the effectiveness of an entity's security controls over an information technology system operating in a cloud environment, which is where SOC 2 sits
- Reports on other non-financial statements, such as a statement on greenhouse gas emissions. Each of these attestation engagements shares the professional framework behind SOC 1 and SOC 2 reports for service organizations and their clients.
What Is AT Section 101?
AT Section 101, Attest Engagements, is the part of the AICPA attestation standards that served as the professional standard for SOC 2 and SOC 3 examinations. While SOC 1 reports on controls relevant to financial reporting were performed under AT Section 801 (SSAE 16), AT Section 101 provided the industry-wide standard for performing SOC 2 and SOC 3 audits. With SSAE 18, effective May 1, 2017, AT Section 101 was superseded by the clarified standards AT-C Section 105 (Concepts Common to All Attestation Engagements) and AT-C Section 205 (Examination Engagements), and SOC 1 moved to AT-C Section 320; the discussion below describes the AT Section 101 framework on which those standards build.
How It Serves Practitioners of SOC Audits
SOC audits are performed by a certified public accountant, known in the standards as the "practitioner." AT Section 101, along with its accompanying documentation, serves two primary functions for the practitioner in reporting:
- It provides the principal support for the practitioner's report, including the representation that the standards of fieldwork were observed. This function is implicit in the report's reference to the attestation standards, specifically the general standard on suitability and availability of criteria (AT Section 101, paragraph .23), which states: "The practitioner must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users."
- Assists the practitioner in conducting and supervising the attest engagement.
AT Section 101 became an increasingly important part of the attest engagement standards for reporting on controls at service organizations.
It applies to engagements in which an entity engages a CPA (the practitioner) to issue an examination, review, or agreed-upon procedures report on specific subject matter concerning a service organization's internal controls. The engagement may also cover an assertion about that subject matter made by, and the responsibility of, another party.
Where the subject matter is prospective financial information, the attest documentation usually needs to confirm that the process by which the organization developed those prospective statements was considered in determining the scope of the examination.
What Makes SOC 2 Audits Different?
- Separate Discussion of Review Engagements: Review engagements are addressed separately from examinations, so the requirements for each type of service are clearly distinguished.
- Required Representation Letters: The AICPA now requires the practitioner to request a written representation letter from management in all attestation engagements, whether review or examination.
- Risk Assessment in Examination Engagements: For SOC 2, practitioners must now gain a deeper understanding of how the subject matter was developed. This requirement makes the practitioner more aware of the risk of material misstatement in the examination engagement.
- Incorporation of Detailed Requirements: Among the key detailed requirements is a written engagement letter, or an equivalent written agreement, for both reviews and examinations. The Auditing Standards Board (ASB) holds that this addition supports a higher level of assurance.
- Scope Limitation Imposed by the Engaging or Responsible Party: Based on an assessment of the effect of the scope limitation, the practitioner must express a qualified opinion, disclaim an opinion, or withdraw from the engagement.
Get more information on How to Read Your SOC 2 Report.
The SOC audit has undergone a number of changes over the years to make sure it best addresses the needs of user and service organizations. The AICPA continually monitors the changing technologies, third-party practices, and other factors that impact data security. See how SOC 2 audits have evolved over the years.
In the 1990s, Statement on Auditing Standards (SAS) 70 was the original auditing standard, and its original purpose was reporting on the effectiveness of internal control over financial reporting. As technology became an increasingly important concern, SAS 70 came to be used as the de facto way to demonstrate that a vendor's systems were secure, even though it was never designed for that purpose.
On June 15, 2011, the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) became the official standard for reporting on controls at a service organization relevant to financial reporting, replacing SAS 70 and giving rise to the SOC 1 report. At the same time, the AICPA introduced the SOC 2 report, performed under AT Section 101, to address system security based on the Trust Services Principles and Criteria.
SSAE 18 became effective May 1, 2017, and made key improvements on SSAE 16 to “clarify and formalize requirements for performing and reporting on the examination, review, and agreed-upon procedures engagements to expand the potential of the SSAE 16.”
2018 SOC 2 Update
As of December 15, 2018, a new update went into effect for SOC 2. A few key changes include the SOC acronym change from Service Organization Controls to System and Organization Controls, the alignment of the Trust Services Criteria with COSO 2013 Framework, and adding new points of focus and criteria.
Additional SOC 2 Resources
- Who Is Certified to Complete a SOC Audit?
- How Pen Tests & Vulnerability Scans Assist SOC 2 Compliance
- SOC 2 Readiness Testing for Service Organizations
- Areas of Security Practice Critical to SOC 2 Compliance
- Preparing for an Audit: the SOC 2 Timeline.
Professional Assistance Preparing for Your Next SOC 2 Audit
The I.S. Partners, LLC. SOC 2 team regularly works with user and service organizations to help both parties achieve top-level compliance for a healthy and secure business relationship that benefits everyone involved. Contact our office to get things rolling.