A Guide to Understanding SOC 2 Reports
What is the purpose of a SOC 2 Audit Report?
A SOC 2 audit allows businesses and organizations to:
- Understand the IT security environment of third-party service providers (also known as service organizations) who handle sensitive data
- Assess the risks of that business relationship
- Obtain independent assurance on the design and operating effectiveness of their IT security system controls.
Who developed the SOC 2 Audit Report and why?
The American Institute of Certified Public Accountants (AICPA) created the Systems and Organization Controls (SOC) framework to help CPA firms review and report on the adequacy of security controls of third-party service providers pertaining to the protection and privacy of sensitive data.
What is a SOC 2 Audit Report?
A SOC 2 Audit Report is a formal attestation by a CPA regarding the adequacy of a third-party service provider’s controls over the infrastructure, software, people, procedures, and data used in providing products and services. The report provides information about the service provider’s systems relevant to one or more “Trust Service Criteria (TSC)” that include data security, data availability, data processing integrity, data confidentiality, or privacy.
Who should perform a SOC 2 examination?
A SOC 2 examination should be performed by a licensed CPA firm whose professionals have auditing experience and deep knowledge of Information Security. A CPA without information security expertise may not be able to provide the service properly.
Who needs a SOC 2 Assessment?
Third-party service providers that collect, process, transmit or store sensitive data for organizations will likely need a SOC 2 Audit Report. That’s because more and more organizations – both public and private – require assurance that the data handled by third parties on their behalf is processed securely and reliably. By successfully completing a SOC 2 audit, service providers demonstrate to customers that they have implemented security controls to mitigate the risks associated with performing services for them.
What are the types of SOC 2 reports?
There are two types of SOC examinations and reports. The auditor issues an opinion and attests that controls are in place and designed effectively at a point in time (SOC 2 Type I Report) or that controls are designed effectively and operate effectively over a period of time (SOC 2 Type II Report).
Type I - Provides an opinion on the fairness and suitability of management’s description of the service organization’s system as of a specified date (point in time). A SOC 2 Type I Report only focuses on whether the applicable Trust Services Criteria and controls of the service organization are suitably designed but does not determine if they are operating effectively. Essentially, a Type I report provides an opinion on whether the controls at the service organization exist.
Type II – Provides an opinion on the fairness and suitability of both management’s description of the service organization’s system and the operating effectiveness of the controls throughout a period of time, which is usually between six and twelve months. A SOC 2 Type II report provides an opinion on whether the controls exist and if they are working as designed. It also includes details of the test results, controls, and specific tests performed. They are restricted-use reports because they contain sensitive information.
What are Trust Services Criteria (TSC)? (Formerly known as Trust Services Principles)
The Trust Services Criteria used in a SOC 2 audit are classified into the following five categories:
- Security: Information and systems are protected against unauthorized access (physical and logical), unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information of systems and affect the entity’s ability to meet its objectives. This is one of the most commonly tested criteria as it helps provide broader assurance over the systems being protected from unauthorized access, use or modification.
- Availability: Information and systems are available for operation and use to meet the entity’s objectives and meet service level agreements (SLA) or contracts. Incident Response Plans (IRP), Business Continuity Plans (BCP), and Disaster Recovery Plans (DRP) all play a major role on availability of systems given the unpredictability of unforeseen events such as data breaches or natural disasters.
- Confidentiality: Information designated as confidential is protected (i.e. restricted to authorized persons in the organization) to meet the entity’s objectives and customer contracts. A third-party service provider may be subject to this criterion if it handles information deemed “confidential” when providing services to another organization. This does not specifically apply to personal data (see below).
- Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. Processing integrity would be included in a SOC 2 examination if the third-party provider, for example, processes transactions on behalf of another company.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued jointly by the AICPA and Canadian Institute of Chartered Accountants (CICA) and to meet the entity’s objectives. The Privacy criteria may be relevant to the scope of a SOC 2 audit when the service organization deals with data subjects and has access to Personal Identifiable Information (PII) from those subjects.
Why is SOC 2 Type 2 a sought-after audit?
A SOC 2 Type 2 report has become a widely sought-after audit given today’s environment where we are seeing an increased number of security and data breaches, continued growth of technology oriented third-party providers, and concern over the security, availability, processing integrity, confidentiality, and privacy of data.
Newer regulations such as GDPR and CCPA are also driving the need for SOC 2 reporting in the areas of data protection and privacy.
For public companies, SOC reporting helps them comply with the Sarbanes-Oxley requirement to demonstrate that internal controls over financial reporting are in place and operate effectively, some of which are outsourced to a third parties. As such, public companies are increasingly requiring their third-party services providers to obtain a SOC 2 Report as part of their contract agreements.
Third-party service providers benefit from a clean SOC 2 report because it provides assurance to customers that their information is safe and secure. A favorable SOC 2 report is significant to third parties since it gives them the ability to instill confidence in customers that use their products and services. Additionally, some government agencies and organizations are requiring their third-party vendors to obtain a clean SOC 2 audit report.
How can my organization get ready for a SOC 2?
Scope the Audit
First, the third-party service provider must select one or more of the trust services categories to be audited. The choice depends on the service provider’s services, systems, and processes. Not all Trust Service Criteria may apply to a service organization. As such, it is important that they collaborate with their CPA Firm to identify the criteria that would be applicable to their environment.
Conduct a Readiness Assessment
If the entity has not done a SOC 2 audit in the past, it is recommended that it begin with a Readiness Assessment. This is a process that gives the third-party provider an opportunity to identify possible gaps in the testing criteria so it can remediate shortcomings before the formal SOC 2 Audit. This process can be an iterative cycle and be performed internally or by a CPA firm. When performed by the auditing firm, the assessment will be more objective and independent. A readiness assessment is highly recommended to minimize the risk of a “bad” opinion.
Comprehensive written policies and procedures are critical for a successful SOC 2 examination and should be considered one of the basic pre-requisites. The policies and procedures should be monitored, enforced, and periodically updated. As part of the SOC 2 audit, the auditor will not only assess the policies and procedures to determine if they address the applicable Trust Service Criteria, but also test that they have been communicated and are being followed.
Get a curated briefing of the week's biggest cyber news every Friday.
Turn your employees into a human firewall with our innovative Security Awareness Training.
Our e-learning modules take the boring out of security training.