Looking for SOC 2 guidelines? Then call the experts today at NDB Accountants & Consultants (NDB), providers of nationwide, fixed-fee SOC 2 assessments. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today! We provide a complimentary SOC 2 Policy Packet for each of our clients!
As for some helpful SOC 2 guidelines for auditing success, take note of the following:
Learn about the SOC Framework: The American Institute of Certified Public Accountants (AICPA) launched the Service Organization Control (SOC) framework in 2011 (now known as System and Organization Controls), effectively replacing the old and misused Statement on Auditing Standards No. 70 (SAS 70), and that was a good move indeed. Service organizations had changed dramatically since the launch of SAS 70 in April 1992, so a new framework was born consisting of SOC 1, SOC 2, and SOC 3 reporting. SOC 1 incorporates the SSAE 18 standard for reporting, while SOC 2 relies on AT 101 and the applicable Trust Services Principles (TSP).
Learn about the Trust Services Principles and Criteria: It’s important to know that there are five (5) Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Moreover, each of the applicable TSPs has its own respective “Common Criteria” for assessing a service organization’s internal controls. Keep in mind that all five (5) TSPs share a common theme: having documented and formalized processes and procedures in place.
Understand the Importance of a Readiness Assessment: Putting the cart before the horse, as the old saying goes, is not a particularly good idea when it comes to SOC 2 compliance. More specifically, diving right into a SOC 2 audit with minimal or zero preparation is not recommended, as service organizations need time to assess and evaluate gaps, deficiencies, and weaknesses within their control environment. The ultimate goal of any SOC 2 report is a “clean” opinion, one void of notable exceptions, and getting there begins with a SOC 2 readiness assessment for your business.
Determine the Proper Scope: As a business, you’ll need to determine which business process is in scope for the actual SOC 2 assessment and, ultimately, which of the five (5) Trust Services Principles will be included within the scope of the audit. By default, the “Security” TSP is the starting point for every SOC 2 audit; after that, you’ll need to weigh client demands, market expectations, and other variables when deciding whether to include any of the remaining four (4) TSPs.
The SOC 1 vs. SOC 2 discussion is well under way, thanks in large part to the American Institute of Certified Public Accountants' (AICPA) launch of their new service organization reporting platform, known as the SOC framework. Officially, SOC stands for "Service Organization Control", a framework that allows qualified practitioners (i.e., licensed and registered Certified Public Accountants) to issue SOC 1, SOC 2, and/or SOC 3 reports.
With the SSAE 16 standard (which is used for issuing SOC 1 reports) effectively replacing the longstanding SAS 70 auditing standard for reporting periods ending on or after June 15, 2011, there has been much debate regarding SOC 1 vs. SOC 2: specifically, when each is applicable, what the respective scope of each is, and what similarities and differences they share. The SSAE 16 standard has since been replaced by the SSAE 18 standard for reporting opinions dated on or after May 1, 2018.
Goodbye SAS 70 and SSAE 16, and Hello to SSAE 18
Service Organization Control (SOC) 1 reports are to be conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, the AICPA "attest" standard that not only replaced SAS 70 but was intended to reinforce SAS 70's true intent, which was an audit conducted over "internal controls over financial reporting", more commonly known as the ICFR concept. Because SAS 70 strayed heavily from its intended use, the newly formed SOC framework placed great emphasis on the ICFR component for service organization reporting, thus encouraging service organizations to opt for a SOC 1 report (either a SOC 1 SSAE 18 Type 1 or a SOC 1 SSAE 18 Type 2 report) only if the organization has a true relationship and/or nexus with ICFR.
7. Provide a Written Statement of Assertion: Yet another requirement for SOC 2 compliance is providing the service auditor (i.e., the CPA performing the SOC 2 engagement) with a written statement of assertion. This assertion, which was never a requirement under SAS 70, is essentially a document whereby management of the service organization "asserts" to a number of different provisions regarding its overall control environment.
8. SOC 2 is criteria based, not control objective based: Unlike SOC 1 (SSAE 16) reports, which list control objectives for reporting and, ultimately, testing, SOC 2 reporting is "criteria" based and requires a practitioner to use one (or all) of the five Trust Services Principles (TSP) for the scope of the engagement. Thus, for illustrative purposes, you should not find language such as "controls provide reasonable assurance that..." in a SOC 2 report, but rather a listing of the "criteria" and a description of what is in place for meeting the applicable criteria for each of the defined Trust Services Principles.
4. Learn about AT Section 101: If you are a service organization embarking on SOC 2 compliance, then you'll need to take a few moments to understand the technical aspects of AT Section 101. In short, AT Section 101 is the professional AICPA standard that allows a practitioner to report on subject matter other than financial statements, such as the subject matter of a SOC 2 report. Lastly, a practitioner performing an engagement in accordance with AT Section 101 is to adhere to the following five (5) general standards:
(1) The practitioner must have adequate technical training and proficiency to perform the attestation engagement.
(2) The practitioner must have adequate knowledge of the subject matter.
(3) The practitioner must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users.
(4) The practitioner must maintain independence in mental attitude in all matters relating to the engagement.
(5) The practitioner must exercise due professional care in the planning and performance of the engagement and the preparation of the report.
1. Understand the reporting platform of the AICPA Service Organization Control (SOC) framework: The newly formed Service Organization Control (SOC) framework, put forth by the American Institute of Certified Public Accountants (AICPA), seeks to fundamentally reshape reporting requirements for today's complex and ever-changing service organizations. Specifically, three (3) reporting options were adopted: SOC 1, SOC 2, and SOC 3. While SOC 1 reports are to utilize the SSAE 16 standard for reporting on controls, SOC 2 and SOC 3 reports, which are geared towards technology and cloud computing companies, are to utilize the Trust Services Principles (TSP) in accordance with the AT Section 101 professional standard.
2. Learn about the Trust Services Principles (TSP) framework: Unlike the historical SAS 70 auditing standard or the current SSAE 16 attestation standard, the framework for a Service Organization Control (SOC) 2 report is "criteria" based, whereby a practitioner is engaged to examine and report on a service organization's controls over one or more of the following five (5) Trust Services Principles (TSP):
There are many SOC 1 SSAE 18 requirements that you need to be aware of regarding compliance with Statement on Standards for Attestation Engagements (SSAE) No. 18. The transition from SAS 70 to SSAE 16, and now to SSAE 18, is not merely academic as some would believe; rather, thoughtful consideration of a number of critical components is necessary for fully understanding this new attestation standard put forth by the AICPA. By gaining a greater understanding of the following SSAE 18 requirements, your organization can successfully transition from SAS 70 to the new Service Organization Reporting (SOC) framework.
1. Understand the evolution of the SSAE 18 standard.
Though not an actual SSAE 18 requirement, it is highly beneficial to learn about the important dynamics, drivers, and influential issues that propelled the AICPA toward SOC 1 SSAE 18, effectively replacing the longstanding SAS 70 and SSAE 16 standards.
2. Learn about the new Service Organization Reporting (SOC) framework.
The American Institute of Certified Public Accountants (AICPA) has completely overhauled service organization reporting on controls, which, until recently, was largely limited to Statement on Auditing Standards No. 70, commonly known as SAS 70. The result of their arduous efforts is three (3) reporting options: SOC 1, SOC 2, and SOC 3.