SOC 2 compliance in Canada grows each year as more and more Canadian companies are asked for assurances about the internal control environment surrounding the services they provide to customers. From data centers to Software as a Service (SaaS) entities – and more – SOC 2 compliance in Canada is here to stay. With that said, take note of the following five (5) important elements regarding SOC 2, ranging from its background to pricing, and more.
1. Learn about the five (5) Trust Services Principles (TSP). The SOC 2 trust principles consist of the following:
- The security of a service organization's system.
- The availability of a service organization's system.
- The processing integrity of a service organization's system.
- The confidentiality of the information that the service organization's system processes or maintains for user entities.
- The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
2. Changes are in place for SOC 2 compliance for Canadian businesses. The SOC 2 Trust Principles are part of the AICPA Service Organization Control (SOC) framework, which allows for three (3) reporting options – SOC 1, SOC 2, and SOC 3. SOC 2 has quickly become the global “go to” assessment standard for technology service organizations; in Canada, data centers, SaaS entities, software development organizations, and many other businesses are excellent candidates for the SOC 2 framework.
And if you are curious about the SOC 1 vs. SOC 2 debate, SOC 1 reporting “should” be used primarily for reporting on service organizations exhibiting a close affiliation with the concept known as “Internal Controls over Financial Reporting” (ICFR). Think banks, trust departments, actuaries – companies whose internal controls truly have financial reporting implications. We at NDNB put “should” in quotes because many service organizations are still being issued SOC 1 reports when they are really candidates for SOC 2 reporting. However, this is changing as more and more companies become educated on the entire AICPA Service Organization Control (SOC) framework, and thus start to realize the true benefits of SOC 2 reporting over SOC 1 reporting.
Now, back to SOC 2! For reporting periods on or after December 15, 2014, SOC 2 will consist of the following general areas:
- Organization and management
- Risk management and implementation of controls
- Monitoring of controls
- Logical and physical access controls
- System operations
- Change management
3. Operational and Technical Changes. One of the biggest – if not the biggest – challenges for SOC 2 compliance is putting in place the operation-specific processes and procedures requested by auditors. It means spending untold numbers of hours confirming that such measures are in place and formalizing them to ensure compliance with the SOC 2 mandates. Companies are very good at what they do – or they wouldn’t be in business – but unfortunately they also loathe the formality of compliance. Let NDNB help in formalizing your processes and procedures when it comes to SOC 2 compliance for Canada.
4. Defining Scope. Remember that there are five (5) Trust Services Principles: (1) Security, (2) Availability, (3) Processing Integrity, (4) Confidentiality, and (5) Privacy. Thus, as a service organization, you’ll need to decide which of the five – one, a few, or all of them – are to be included within the scope of your SOC 2 assessment. How to decide? By carefully understanding your specific business platform and balancing that with the reporting needs of the intended users of the report. SOC 2 reports for Canadian Software as a Service (SaaS) entities, for example, most certainly include the TSPs of “security” and “availability”, while a SOC 2 assessment for a healthcare company should assess against the “confidentiality” and “privacy” Trust Services Principles (TSP). Again, scoping and choosing the correct TSPs are a big part of SOC 2 compliance for Canadian companies.
5. It’s an Annual Commitment. If you’re being asked to become SOC 2 compliant by a customer, regulatory body, or any other significant entity, then welcome to the world of regulatory compliance. More specifically, get used to the SOC 2 compliance mandate on an annual basis, which means you should seek out a qualified and reputable CPA firm who can provide a 3- or 5-year fixed-fee proposal. From Vancouver to St. Catharines – and many other locations throughout Canada – NDNB has a well-established track record of providing high-quality, fixed-fee regulatory compliance audits, so contact us today.