SOC 1 / 2 Audits (SSAE 21 & CSAE 3416)

User entities and organizations want reporting that provides assurance on controls over operations and compliance, rather than just on controls over financial reporting. The AICPA created a framework to enable a broader type of third-party attestation reporting on controls at service organizations beyond merely financial reporting. This framework is the Service Organization Control (SOC) reporting framework. The SOC framework has 3 different reporting options: SOC1, SOC2, and SOC3.

SOC 2 reports are appropriate for engagements to report on controls at a service organization related to the Trust Service Principles, defined by the AICPA in TSP Section 100. The Trust Service Principles are:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

SOC 2 engagements are performed in accordance with AT section 101, Attestation Engagements, using guidance in the AICPA Guide, Reporting on Controls at the Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

Trust principles are broken down as follows:

Security:

The security principle refers to the protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information. IT security tools such as network and web application firewalls (WAFs), two-factor authentication and intrusion detection are useful in preventing security breaches that can lead to unauthorized access to systems and data.

Availability:

The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties. This principle does not address system functionality and usability, but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.

Processing Integrity:

The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized. However, processing integrity does not necessarily imply data integrity: if data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.

Confidentiality:

Data is considered confidential if its access and disclosure are restricted to a specified set of persons or organizations. Examples include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information. Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.

Privacy:

The privacy principle addresses the system's collection, use, retention, disclosure and disposal of personal information in conformity with the organization's privacy notice, as well as with the criteria set forth in the AICPA's Generally Accepted Privacy Principles (GAPP). Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

Similar to a SOC 1 report, there are two types of SOC 2 reports: a Type 1 report on management's description of a service organization's system and the suitability of the design of controls, and a Type 2 report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls. Use of these reports is restricted.

How is a SOC 2 audit conducted?

1. Scope

The first step is to decide what the scope of your SOC 2 program needs to be. This can be the entire organization or part of it. The scope depends on the objectives you are trying to meet: for example, you may choose to include the whole organization or only part of it. Keep in mind, however, that certain corporate functions like HR, Corporate IT, and Legal will likely fall in scope no matter what.

2. Design of Controls

Unlike many other frameworks, SOC 2 does not have a rigid set of control requirements. Instead, SOC 2 establishes criteria, and organizations have some freedom to articulate how their processes meet those criteria. This reduces the audit burden on the organization and helps make sure that what you are audited against reflects the reality of your environment.

3. Readiness Assessment

Next, do a readiness assessment. This is where a SOC 2 audit firm like risk3sixty will assess your organization against your SOC 2 controls and identify any gaps. This gives you an expert's insight into your current maturity and a punch list of items you will need to resolve to achieve certification and build a great security program.

4. Program Implementation

Finally, you will need to build the program. Common items include:

  • Establishing a governance structure (CC1)
  • Policies (CC2)
  • Risk assessment (CC3)
  • Internal security assessments like control spot checks, penetration testing, or third-party security assessments (CC4, CC5)
  • Cleaning up user access (CC6)
  • Formalizing the SDLC (CC8)
  • Implementing a vendor risk management program (CC9)

5. SOC 2 Type I

Most first-year organizations choose to do a SOC 2 Type I audit.

A SOC 2 Type I is a "point in time" audit in which the auditor reviews the "design" of the program. This typically involves the auditor reviewing a single example of each control working effectively to prove that you have a process in place.

The SOC 2 Type I audit allows you to get a report in hand as quickly as possible and gives you confidence that the controls you implemented will survive the SOC 2 Type II audit.

6. SOC 2 Type II

A SOC 2 Type II audit is an assessment of your controls "operating effectively" over a defined period of time (usually a 12-month period).

A SOC 2 Type II audit involves:

  • Walkthroughs with control owners
  • Requesting and reviewing hundreds of audit artifacts to gain assurance that controls are in place

7. The SOC 2 Report

SOC 2 is not pass/fail. You will get a SOC 2 report even if the auditor finds a lot of issues. Anything the auditor finds will be disclosed in the report.

WHO CAN GET SOC 2 COMPLIANCE?

SOC 2 is widely applicable to service organizations such as Payroll Processors, Medical Claims Processors, Data Analytics Providers, Loan Servicing Companies, Datacentre Companies, Third-Party Administrators (Retirement Plans, Medical Benefits, Pharmacy Benefits), Bank Trust Departments, Real Estate Title Companies, Advertising Companies, Insurance Companies, Hospices, Secure Printing, and Software-as-a-Service (SaaS) companies that may impact the financials and security of their user entities.

WHAT ARE THE TYPES OF SOC REPORTS?

SOC 1: This kind of report takes an up-close look at the internal controls of a service organization that directly impact a user entity's control over financial reporting. On successful completion, the service organization receives a document that sets it apart from its peers by showcasing its sound control objectives and control activities. The report also presents these facts to all user organizations and their auditors, typically satisfying the user auditor's needs. A successful report allows the auditors of the users you do business with to truly understand the internal controls of your organization.

SOC 2: A SOC 2 Report describes the controls of the service organization that cover security, availability, processing integrity, confidentiality and privacy. It is important to note that there are two types of SOC 2 reports:

A Type I focuses on the fair presentation of management's description of the organization's system and the suitability of the design of the applicable controls to meet the trust services criteria as of a specified date.

A SOC 2 Type II presents the same information, but gathered over a defined period of time.

Regardless of the type, a successful SOC 2 Report is a powerful asset for any service organization because it sets you apart from your competitors by highlighting your effective operational strategy and controls. A SOC 2 Report allows customers and stakeholders to quickly develop confidence in your organization because of your efforts to present your controls in such a clear manner.

SOC 3: A SOC 3 addresses the same subject areas as a SOC 2 Report, but is presented in a much shorter, summarized format. Unlike SOC 2 results, which can usually only be viewed by parties that already have knowledge of the nature of your services and organization, a SOC 3 Report can be used as a marketing tool and is open to the public. Your successful results can be shared with potential clients and customers to show them that you have the appropriate controls to mitigate risks on non-financial issues. This allows them to place trust in your organization, and you gain a competitive edge that makes your SOC investment a worthwhile one.

WHAT ARE THE REQUIREMENTS OF SOC COMPLIANCE?

SOC does not prescribe a single fixed checklist; SOC reports are unique to each organization. Hence, the major requirement areas are listed by report type:

  • SOC 1 – Internal Control over Financial Reporting (ICFR)
  • SOC 2 – Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality and Privacy)
  • SOC 3 – Trust Services Criteria for a General Use Report