SOC 2 for managed services organizations, such as those offering managed network, operating system (O/S), and application-specific services, is a growing trend, ultimately requiring many organizations to become compliant with the AICPA Service Organization Control (SOC) reporting framework. It is therefore critically important to understand scope considerations for SOC 2 managed services reporting, along with the other essential issues that determine whether the assessment process is efficient and cost-effective. Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets; they make a big difference in helping service organizations save thousands of dollars on SOC compliance. With that in mind, take note of the following critical points regarding SOC 2 managed services assessment reporting.
1. Properly define scope. Keep in mind that the SOC 2 framework allows service organizations to report on up to five (5) of the Trust Services Principles (TSPs). Some organizations report on only one, or a few, while others undertake assessments covering all five TSPs. What dictates how many TSPs are included in the report is simply the set of services you are seeking to include within the scope of the assessment, which essentially comes down to your managed service offerings. As a minimum baseline, expect to include the following TSPs in a SOC 2 managed services assessment: (1) Security and (2) Availability. Together, these two (2) TSPs encompass the critical security measures applicable to a managed services entity.
2. Understand the need for policies and procedures. Regardless of how many TSPs a service organization includes within the scope of a SOC 2 assessment, information security and operational policies, procedures, and other supporting documentation are a big part of SOC 2 compliance. This means putting in place high-quality, well-written documents, which is often a challenge for many businesses. The solution is to start from comprehensive templates, provided your organization does not already have current and accurate documentation in place, which is frequently the case. Try myinformationsecuritypolicy.com, which offers a 300+ page information security policy and procedures manual available for instant download. Businesses are generally very good at what they do, but also generally very bad at documenting what they do, hence the need for comprehensive policies and procedures.
3. Preparing documentation for audit evidence is critical. Auditors ask for, and ultimately demand, a large amount of documentation as audit evidence when conducting a SOC 2 assessment. This means that both you and the CPA firm performing the engagement need a very clear understanding of what is being asked for, in what form, and so on. More specifically, agreeing on sampling is critical, along with confirming the types of evidence to be provided, such as digital screenshots, hardcopy paper evidence, physical inspection, and the like. This needs to be settled before any fieldwork kicks off, both to ensure an efficient audit process and to maintain a good working relationship with the external CPA firm you have hired.