Thousands of service organizations across North America are being required to perform annual SOC 2 audits, so now’s the time to learn more about the AICPA SOC framework. NDNB, one of the country’s leading providers of compliance services, offers the following SOC 2 implementation guide to help organizations understand SOC 2 reports. Today’s compliance drumbeat is beating louder than ever, so get prepared and learn all you can about SOC 2 audits to ensure an efficient and cost-effective auditing process from beginning to end.
SOC 2 Implementation Guide – Here’s What You Need to Know:
- Determine and Confirm Scope in terms of Trust Services Criteria
- Begin with a SOC 2 Scoping & Readiness Assessment
- Undertake Essential Documentation Remediation
- Undertake Essential Technical & Security Remediation
- Undertake Essential Operational Remediation
- Be Prepared to Provide Evidence to Auditors
- Engage in Continuous Monitoring of Your Controls
- Know that Regulatory Compliance is Here to Stay
Are you familiar with the Trust Services Criteria (TSP) put forth by the American Institute of Certified Public Accountants (AICPA)? The TSPs form the very fabric of a SOC 2 audit, as they consist of the criteria-based controls against which service organizations are assessed during an actual SOC 2 audit. More specifically, they consist of the following five (5) TSPs:
- Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability. Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.
So, who determines which of the five (5) TSPs are to be included within the scope of your SOC 2 audit? Technically speaking, you do, as you’re the service organization, but it’s really a collaborative process in which the CPA firm performing the audit assists with this critical decision. A proven, trusted CPA firm with years of experience performing regulatory compliance audits can help determine the scope of your report in terms of TSPs.
Lastly, remember that your clients and prospects can also help determine scope if they’ve given you specific mandates on the type of SOC 2 report they want performed. This does happen – not all the time – so please keep this in mind.
Is this your first SOC 2 audit? If so, a SOC 2 scoping & readiness assessment is essential. Why? Because you’ll want to identify, assess, and confirm a number of important measures to ensure a successful SOC 2 audit from beginning to end. The benefits of performing such an activity include confirming audit scope in terms of business processes, personnel involved, physical locations, relevant third-party providers, and more.
One of the most common areas of remediation for SOC 2 compliance is documentation – specifically, the requirement to develop a wide range of information security policies and procedures. Companies loathe writing security policies – and understandably so – as it’s a tedious and time-consuming endeavor, but it’s got to be done. Auditors will be on the lookout for policies and procedures; in fact, they’re often the very first set of deliverables requested for a SOC 2 audit.
Do you have a well-written set of information security policies and procedures, those that are current, accurate, and truly reflect your business? If not, it’s time to begin authoring such documents, and NDNB can assist as we offer a complimentary set of InfoSec policy templates to all of our valued clients. It’s just another example of what sets us apart from other providers.
Many times, what comes out of a SOC 2 Scoping & Readiness Assessment is not only a laundry list of documentation requirements, but also technical & security requirements. Common areas of technical & security remediation consist of the following:
- Password complexity rules need to be strengthened.
- Servers need to be re-hardened with the latest vendor best practices for removing default settings.
- Shared accounts need to be removed.
These are just a few examples of the many technical and security control remediation measures you’ll have to undertake prior to commencing with your SOC 2 audit. Remember something important: while the SOC framework is prescriptive in terms of testing criteria, there is quite a bit of flexibility in the types of controls used to validate the applicable criteria themselves. All the more reason to work with a proven, trusted CPA firm that has the expertise and knowledge when it comes to the SOC 2 auditing framework.
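The three remediation items listed above (weak password rules, lingering default settings, shared accounts) are the kind of thing a readiness assessment turns up by inspecting host configuration and an account inventory. The script below is an added illustration of such a self-check, not NDNB’s tooling and not part of the original guide. It assumes a login.defs-style password policy file, an account inventory in which each account records the people who know its credential, and hypothetical policy thresholds (12-character minimum, 365-day maximum age); a second UID-0 account is used as the stand-in for a "default setting left in place". All input data is constructed.

```python
"""Readiness self-check for three common SOC 2 technical remediation items:
weak password policy, leftover default settings, and shared accounts.
Added illustration only; thresholds and inventory format are assumptions."""

from typing import Dict, List

# Constructed evidence: a login.defs-style password policy as an auditor might be shown.
LOGIN_DEFS_SAMPLE = """
# constructed sample, not from a real host
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# Constructed account inventory; "owners" lists every person who knows the credential.
ACCOUNT_INVENTORY_SAMPLE = [
    {"name": "alice", "owners": ["alice"], "uid": 1001},
    {"name": "opsadmin", "owners": ["bob", "carol", "dave"], "uid": 1002},
    {"name": "root", "owners": ["bob"], "uid": 0},
    {"name": "toor", "owners": [], "uid": 0},  # leftover second UID-0 account
]

# Hypothetical minimum policy the organization has adopted.
POLICY = {"PASS_MIN_LEN": 12, "PASS_MAX_DAYS": 365}


def parse_login_defs(text: str) -> Dict[str, int]:
    """Parse KEY VALUE lines into integers, ignoring comments and blanks."""
    settings: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            settings[parts[0]] = int(parts[1])
    return settings


def check_password_policy(settings: Dict[str, int], policy: Dict[str, int]) -> List[str]:
    """Flag password settings weaker than the adopted policy."""
    findings = []
    min_len = settings.get("PASS_MIN_LEN", 0)
    if min_len < policy["PASS_MIN_LEN"]:
        findings.append(f"PASS_MIN_LEN is {min_len}, policy requires >= {policy['PASS_MIN_LEN']}")
    max_days = settings.get("PASS_MAX_DAYS", 99999)
    if max_days > policy["PASS_MAX_DAYS"]:
        findings.append(f"PASS_MAX_DAYS is {max_days}, policy requires <= {policy['PASS_MAX_DAYS']}")
    return findings


def check_accounts(inventory: List[dict]) -> List[str]:
    """Flag duplicate UID-0 accounts, shared accounts, and accounts with no owner."""
    findings = []
    uid0 = sorted(a["name"] for a in inventory if a["uid"] == 0)
    if len(uid0) > 1:
        findings.append("multiple UID 0 accounts: " + ", ".join(uid0))
    for acct in inventory:
        if len(acct["owners"]) > 1:
            findings.append(f"shared account {acct['name']} used by {len(acct['owners'])} people")
        if not acct["owners"]:
            findings.append(f"account {acct['name']} has no documented owner")
    return findings


def readiness_report(login_defs_text: str, inventory: List[dict],
                     policy: Dict[str, int] = POLICY) -> List[str]:
    """Combine both checks into one list of remediation findings (empty means clean)."""
    findings = check_password_policy(parse_login_defs(login_defs_text), policy)
    findings += check_accounts(inventory)
    return findings


if __name__ == "__main__":
    for finding in readiness_report(LOGIN_DEFS_SAMPLE, ACCOUNT_INVENTORY_SAMPLE):
        print("REMEDIATE:", finding)
```

Each finding maps back to one of the bullets above, and the same report, re-run after remediation, doubles as the evidence an auditor asks for later (the empty list is the "clean" result).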
Do you perform an annual risk assessment for your organization, assessing strengths and weaknesses and setting a plan of action for correcting such issues? Do you undertake annual security awareness training for employees? How about a disaster recovery/contingency plan? These are also just a few examples of possible requirements that you’ll need to have in place for SOC 2 compliance.
Auditors demand evidence for audits, it’s just that simple, so be prepared to provide the following:
- Policies and Procedures: As stated earlier, documentation is incredibly important for SOC 2 compliance, so be prepared to provide your information security policies and procedures, and other supporting documentation.
- Screenshots of System Settings: From firewall configuration files to baseline server configuration settings, anti-virus settings, and much more, be prepared to provide auditors with various screenshots of what we call “system settings”.
- Memorandums: Many times, auditors will ask you to document a process or certain activity via a memo that is placed on your company letterhead and signed by an authorized individual.
- Risk Assessment Validation: Performing a risk assessment is a strict requirement for SOC 2 compliance, so be prepared to show the auditors that you’ve actually performed such a task.
- Log Reports: Auditors will often ask for log reports from systems to inspect and confirm various controls, so get your servers up to speed and ensure logging is configured and in place.
Remember that long after the auditors have packed their bags and gone home, you’ll need to engage in an effort of regularly monitoring, assessing, inspecting, and making changes as necessary to your controls. This concept is known as “Continuous Monitoring”, and it’s essential for the success of your regulatory compliance initiatives moving forward. NDNB can assist with continuous monitoring efforts, so contact us today to learn more, and to also learn more about our SOC 2 implementation guide for service organizations all throughout North America.
We are one of North America’s leading providers of SOC 2 audits, so if you’re looking to learn more about SOC 2 implementation, then get to know NDNB.
Why Choose NDNB as Your SOC 2 Provider