The SOC 2 standard, part of the AICPA Service Organization Control (SOC) reporting framework for service organizations' internal control environments, has become an increasingly well-known audit assessment. Introduced when the AICPA retired the aging and often misused SAS 70 auditing standard, SOC 2 is now the de facto auditing framework for technology oriented service organizations: data centers, managed services providers, software development entities, and many others. With that said, here's what you need to know about the SOC 2 standard, provided by NDNB Accountants & Consultants, a nationally recognized IR CPA firm offering fixed fee engagements.
1. SOC Framework. The SOC 2 standard is one of the three report types in the AICPA Service Organization Control (SOC) framework: SOC 1, SOC 2, and SOC 3. The framework was the AICPA's move to fundamentally restructure how service organizations have their internal control environments audited. Gone is the one-size-fits-all approach of SAS 70; service organizations now have three (3) options to choose from, each suited to a different audience: SOC 1 for controls relevant to user entities' financial reporting, SOC 2 for controls over security, availability, processing integrity, confidentiality, and privacy, and SOC 3 as a general-use summary report on those same principles.
2. SOC 2 Standard and Technology. The vast majority of organizations undertaking SOC 2 assessments are technology oriented, the types discussed above (data centers, etc.), because the SOC 2 standard and its supporting framework are designed for such organizations. SOC 2 uses what are known as the "Trust Services Principles" to assess a service organization, and these TSPs are heavily weighted toward information security best practices.
3. SOC 2 and Policies and Procedures. One of the biggest, if not the biggest, challenges service organizations face in complying with the SOC 2 standard is developing the large number of information security and operational policies and procedures the criteria call for. There's a laundry list of documentation needed, and NDNB suggests obtaining a high-quality yet cost-effective information security policies and procedures manual from a trusted source, such as myinformationsecuritypolicy.com, or using our industry leading SOC 2 Policy Packet, which is complimentary with every engagement performed.
4. Trust Services Principles. The SOC 2 standard is built on the Trust Services Principles, five (5) principles, each with its own set of criteria against which a service organization is evaluated:
- The security of a service organization's system.
- The availability of a service organization's system.
- The processing integrity of a service organization's system.
- The confidentiality of the information that the service organization's system processes or maintains for user entities.
- The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
More simply stated, meeting the Trust Services Principles (TSP) listed above requires documented policies and procedures, together with formalized security and operational processes, to be in place and operating. Note that a service organization selects which of the five principles are in scope for its report; Security is the one nearly every SOC 2 report includes. At NDNB, we provide a SOC 2 Policy Packet for every engagement performed. It's just another reason why we're considered North America's leading provider of SOC 2 assessments.
Note: The American Institute of Certified Public Accountants (AICPA) has issued an update to the Trust Services Principles and Criteria. The new criteria are effective for reporting periods ending on or after December 15, 2014, with early adoption permitted.
Under the update, the criteria are restructured so that the criteria common to four of the principles (security, availability, processing integrity, and confidentiality) are grouped into the following seven categories, with privacy retaining its own separate criteria:
- Organization and management
- Communications
- Risk management and design and implementation of controls
- Monitoring of controls
- Logical and physical access controls
- System operations
- Change management