SOC 2 compliance is quickly becoming a hot topic in today's world of technology and cloud computing, and as such, service organizations should take note of six important items regarding this specific Service Organization Control (SOC) reporting framework.
1. SOC 2 compliance is part of the AICPA Service Organization Control (SOC) reporting platform. In an effort to dramatically revamp reporting on service organizations (and to align with international assurance standards such as ISAE 3402), the American Institute of Certified Public Accountants (AICPA) launched the SOC reporting platform, for which there are three (3) reporting options: SOC 1, SOC 2, and SOC 3.
2. SOC 2 compliance is conducted in accordance with AT 101. AT 101 is a little-known professional standard that has now been given the spotlight, thanks in part to the requirement that SOC 2 reports utilize this "attestation standard" for purposes of reporting. (Note that AT 101 has since been superseded by SSAE 18, and SOC 2 examinations are now performed under AT-C sections 105 and 205; the report structure described here is unchanged.)
3. Understand the differences between SOC 1, SOC 2 and SOC 3. SOC 1 (SSAE 16) compliance is tailored for service organizations whose services are relevant to their customers' Internal Control over Financial Reporting (ICFR), such as payroll processors or transaction processors. SOC 2 compliance is designed for the growing number of technology and cloud computing entities whose services affect customers' security, availability, processing integrity, confidentiality, or privacy rather than their financial statements. SOC 3, much like SOC 2, utilizes the five (5) Trust Services Principles (TSP) as the framework for the engagement (the SysTrust and WebTrust principles). The key difference is in the audience: a SOC 2 report is a restricted-use report that includes the auditor's detailed description of tests performed and results, whereas a SOC 3 report is a general-use report that contains only the auditor's opinion and management's assertion and may be distributed publicly. SOC 2 allows for reporting on any number of the TSPs; in current practice Security is treated as the baseline and is included in virtually every report, with the other principles added based on the commitments the service organization makes to its customers. (The TSPs were restructured as the Trust Services Criteria in 2017, but the five categories below remain the same.)
The five (5) TSPs are the following:
• Security: The system is protected, both logically and physically, against unauthorized access.
• Availability: The system is available for operation and use as committed or agreed to.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
• Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
4. SOC 2 requires a written statement of assertion and a description of the service organization's "system". Management of the service organization must provide the written assertion, along with a description of the system, which covers the infrastructure, software, people, procedures, and data that support the service. Of interest is that the historical SAS 70 auditing standard required only a description of "controls", which is generally perceived to be less comprehensive and detailed than the description of a "system" required for SOC 2 compliance (and SOC 1).
5. SOC 2 compliance is gaining traction for technology-based service organizations. Initially, SOC 2 compliance was greatly overshadowed by SOC 1 (SSAE 16) compliance, but this is slowly changing as technology and cloud computing entities begin to realize the value of SOC 2. In the future, expect many non-ICFR service organizations to be issued SOC 2 reports rather than SOC 1 reports. Interestingly, a number of service organizations are opting for both SOC 1 and SOC 2 compliance, typically because they process financial transactions for customers while also hosting customer data. Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets.
6. Documentation is critical. SOC 2 compliance, while rightly looked upon as a technical audit, also requires that comprehensive information security policies and procedures be written and followed. Policy documentation forms the basis for a strong internal control environment, and auditors will request your security policies and procedures and test whether the documented procedures are actually being followed, so it is vitally important to develop them and to keep them consistent with day-to-day operations. NDNB offers all of our clients a complimentary SOC 2 Policy Packet containing dozens of essential infosec documents, those essential for SOC 2 compliance.