SOC 2 guidance is a must-have for service organizations undertaking a SOC 2 Type 1 or Type 2 assessment to meet today’s growing regulatory compliance mandates. Because SOC 2 is gaining momentum as a viable reporting option when compared to SOC 1 SSAE 16 reporting, it’s critical to learn about the following five important elements for auditing success, provided by NDNB Accountants & Consultants.
1. SOC 1 vs. SOC 2. When the AICPA put forth its Service Organization Control (SOC) framework, it made a clear distinction between SOC 1 and SOC 2 reporting. SOC 1 reports utilize the well-known SSAE 16 standard, while SOC 2 reporting relies on the little-known AT Section 101 standard put forth by the AICPA. SOC 1 SSAE 16 reports are technically geared towards service organizations with a credible nexus to the ICFR concept (Internal Controls over Financial Reporting), while SOC 2 reporting is aimed at technology-driven service organizations. Data centers, SaaS entities, managed services providers – these are all excellent examples of SOC 2 candidates.
2. SOC 2 utilizes the Trust Services Principles (TSPs). The TSPs consist of the following five (5) criteria-based provisions:
- Security: The system is protected, both logically and physically, against unauthorized access.
- Availability: The system is available for operation and use as committed or agreed to.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants.
3. Choosing which Trust Services Principles apply is key. Defining the scope for a SOC 2 assessment means identifying and agreeing upon which of the relevant TSPs are to be included in the audit itself. It’s thus important to discuss reporting needs and expectations with clients and all other intended users of the report. It’s very common to see a SOC 2 report cover only one TSP, yet it’s just as common to see all five (5) TSPs covered. Again, it largely depends on an organization’s reporting needs and client demands. Working with a highly qualified CPA firm is a good investment for SOC 2 guidance – call and speak with Christopher Nickell, CPA, at NDNB Accountants & Consultants today (1-800-277-5415, ext. 706).
4. Policies and Procedures are Critical. One of the biggest areas for deliverables in the eyes of SOC 2 auditors is collecting copious amounts of documented information security and operational policies and procedures. Because SOC 2 is often geared towards businesses within the information technology industry, documentation relating to network security, change management, incident response, access controls – and many other core I.T. areas – is what’s needed to help ensure compliance with the SOC 2 framework. It’s therefore critical to obtain industry-leading information security policies and procedures to assist with compliance. There’s no need to spend hundreds of hours authoring documents when you can simply purchase a template with pre-populated information. Learn more about NDNB’s complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
5. SOC 2 is gaining credibility. Initially, there was some confusion about SOC 2 compliance, which allowed SOC 1 SSAE 16 reporting to become the dominant standard for reporting on controls at service organizations, but that’s changed. As more and more organizations gain a stronger understanding of the AICPA SOC framework, SOC 2 assessments have become quite well known, especially for technology-oriented service organizations. After all, the SOC 2 platform was essentially developed for many of today’s growing technology-oriented companies, such as data centers, software as a service (SaaS) entities, managed services providers, and others. Work with a nationally recognized IR CPA firm such as NDNB that provides expert SOC 2 guidance.