Gain a strong SOC 2 overview today from NDNB Accountants & Consultants, nationally recognized providers of regulatory compliance audits and assessments, including SOC 1, SOC 2, and SOC 3 compliance, along with PCI, HIPAA, FISMA, ISO, and many other industry mandates. Want to learn more about the AICPA Service Organization Control (SOC) framework? Then take note of the following points regarding SOC 2 assessments.
1. SOC 1 vs. SOC 2. It’s important to understand the technical differences between SOC 1 and SOC 2. SOC 1 utilizes the AICPA SSAE 16 professional standard for issuing such reports, while SOC 2 uses the little-known AT 101 professional standard. Furthermore, SOC 1 is generally geared towards service organizations exhibiting a true “nexus” with internal controls relating to financial reporting, while SOC 2 is for technology-oriented service organizations. They are quite different, no question about it, so understanding these technical differences, and many others, is crucial.
2. Understand what the Trust Services Principles (TSP) are. The TSPs are a set of broad-based criteria organized under five (5) specific principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Each serves a unique purpose for SOC 2 reporting, so it’s critical that service organizations understand what they are – and, just as important – which of these TSPs will be included within the scope of a SOC 2 assessment. Some service organizations report on just one (1) TSP, some on a few, and some on all five (5); again, this depends on the scope of the assessment, client reporting demands, and other relevant issues.
3. Policies and Procedures are Essential. A critical component of SOC 2 reporting is the ability of service organizations to show that numerous documented information security, operational, and other supporting policies and procedures are in place. This is a challenging task for many organizations, as policy development is not usually high on the list of priorities, but it must be for SOC 2 reporting. NDNB provides high-quality, industry-leading SOC 2 information security policy templates as part of every engagement we provide.
4. Be prepared to Collect Audit Evidence. From providing essential information security and operational policies and procedures, to screenshots, log reports, configuration files – and many other types of documents – SOC 2 reporting is all about giving auditors copious amounts of information. It can be a challenging and time-consuming task – no question about it – but if properly planned, it becomes very manageable indeed.
5. Consider a SOC 2 Readiness Assessment. Crawling before you walk is a good thing in life, so why not start out with a SOC 2 Readiness Assessment to unearth the “who, what, when, where, and why” of one’s control environment? When done correctly, a SOC 2 Readiness Assessment addresses audit scope, remediation items, timing, policy and procedure development, and many other important activities.