SOC 2 audit reports are being issued on a wide variety of service organizations – mostly technology oriented businesses, such as data centers, Software as a Service (SaaS) entities, and others – thus it’s important to gain a stronger understanding of AICPA SOC 2 audit reports. Learn the essentials about SOC 2 reports with the following 10 “must know” items, brought to you by NDNB Accountants & Consultants:
1. Understand the difference between SOC 1 and SOC 2 and the overall Service Organization (SOC) Control reporting platform. Keep in mind that SOC 1 SSAE 16 reporting is “technically” geared towards service organizations having a clear nexus with internal controls relating to financial reporting – a concept known as ICFR. SOC 2, however, was developed for use by the continued explosive growth of technology oriented service organizations – data centers, SaaS, managed service providers, etc. In short, SOC 2 is gaining strong traction in the marketplace as a viable and worthy audit report for many business today. It was initially largely overshadowed by SOC 1 SSAE 16 reports – as recently as 2012 – but that’s not the case anymore.
2. Learn about the SOC platform. The Service Organization Control (SOC) reporting platform effectively replaced the one-size fits all historical SAS 70 auditing standard for reporting on controls at service organization. Businesses now have three (3) reporting options: SOC 1, SOC 2 and SOC 3, with SOC 1 incorporating the SSAE 16 standard, and SOC 2 and SOC 3 utilizing the little-known AT 101 reporting standard. Additionally, there’s an international equivalent to SOC 1, which is ISAE 3402, put forth by IFAC. The SOC framework was highly needed as the SAS 70 standard essentially was technically misapplied in many situations – thankfully, that’s not the case anymore with service organization control reporting.
3. Understand what the Trust Services Principles (TSP) are. As a major component of any SOC 2 audit report, the Trust Services Principles (TSP) – of which there are 5 – essentially include an examination of the following:
- The security of a service organization's system.
- The availability of a service organization's system.
- The processing integrity of a service organization's system.
- The confidentiality of the information that the service organization's system processes or maintains for user entities.
- The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
The key, from a scope perspective, is determining which of the five of TSP should a service organization include for SOC 2 audit reporting – this can be determined by speaking with a well-qualified CPA firm with years of compliance experience.
4. Learn about the description of the “system”. Sounds rather technical, but a description of a service organization’s “system” is essentially the following: “the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities”. It essentially means you’ll need to author a comprehensive document discussing your organization’s operational, business specific and security policies, practices, and procedures. It’s a strict requirement for SOC 2 audit reports, and it actually becomes a large part of the final audit report itself. Authoring the description of a “system” can be a tedious process, all the more reason to seek guidance and advice from an expert CPA firm with years of SOC 2 reporting experience.
5. Provide a Written Statement of Assertion. SOC 2 also requires that management of the service organization provide a written statement of assertion, which is essentially a document asserting to a number of provisions and disclosures relating to the actual SOC 2 audit report. It’s a relatively straightforward document, for which your CPA firm conducting the audit can provide a template for you.
View Part II, SOC 2 Audit Report | 10 Things You Need to Know About.