The SOC 2 standard provides for the issuance of a SOC 2 Type 1 and/or Type 2 report, which NDNB offers to businesses throughout North America and other select regions. Compliance with the SOC 2 standard requires in-depth technical knowledge and auditing expertise in today’s challenging and complex business arena. All the more reason to trust the experts at NDNB for all your SOC 2 reporting needs.
So out with the old and in with the new, as the old saying goes: the AICPA SOC framework replaced the well-aged, one-size-fits-all SAS 70 auditing standard for reporting periods ending on or after June 15, 2011, and SSAE 16 was in turn superseded by SSAE 18 for reports dated on or after May 1, 2017. It’s a new world of compliance, one in which clients increasingly expect annual audits, so you’ll need to know the following regarding the SOC 2 standard:
SOC 2 Standard – Type 1 and Type 2 Reports – What you Need to Know and Why
SOC 1 vs. SOC 2: Many service organizations shifted from SAS 70 straight to SSAE 16 SOC 1 reporting, and now to SSAE 18 SOC 1 reporting. But not so fast: the SOC 1 framework is geared towards companies whose services could impact their clients’ internal control over financial reporting. SOC 2, on the other hand, is heavily weighted towards today’s tech companies, such as cloud computing vendors, data analytics firms, SaaS providers, data centers, managed services providers, and more. There is a big difference between SOC 1 and SOC 2, and you need to be aware of it before embarking on either one of these audits.
Trust Services Principles and Criteria: SOC 2 assessments require testing against the following five (5) AICPA Trust Services Principles and Criteria (TSPC), which the AICPA renamed the Trust Services Criteria (TSC) in its 2017 revision: (1) Security, (2) Availability, (3) Processing Integrity, (4) Confidentiality, and (5) Privacy. Which of the five (5) criteria to test against depends on a number of factors, such as client expectations, market demands, and more. Every SOC 2 candidate tests against the baseline “Security” criteria (the common criteria); after that, there’s much discussion to be had as to whether any of the remaining four (4) criteria should be brought into scope.
Audit Scope and Business Process: A critical element for ensuring your SOC 2 assessment is successful is identifying the relevant business processes, systems, and locations to be included within the audit itself. Are enterprise-wide operations included, or just a subset of the service organization’s businesses? Are your clients expecting, and demanding, that certain processes be included, or are they requesting a SOC 2 audit with no real specifics? These are questions that need to be addressed and answered before fieldwork begins, because the system description in the final report must match what was actually tested.
Remediation is Key: Correcting and enhancing operational, security, and infrastructure deficiencies is critical for ensuring a successful SOC 2 audit, and every service organization will have some type of remediation to undertake; trust us on this one. From inadequate processes to missing security controls and more, remediation is a large part of the SOC 2 landscape, and it’s also the main reason why businesses undertake a SOC 2 readiness assessment to help identify internal control weaknesses before the auditor does.
Operational controls are Critical: A successful SOC 2 assessment, one that allows a service organization to obtain a clean, “unqualified” opinion, simply doesn’t happen without formalized processes and procedures in place. Developing formalized processes can be incredibly time-consuming and expensive, which is why NDNB offers extensive services and solutions to help businesses become SOC 2 compliant. Businesses don’t have hundreds of hours to allot to time-consuming process development; we get it, so turn to the experts today at NDNB.
I.T. Controls are Critical: Remember that the SOC 2 assessment framework, which includes the Trust Services Principles and Criteria (TSPC), is an ideal assessment process for technology-oriented service organizations, which means one’s I.T. controls will be thoroughly assessed during the audit. This means that all information security related elements, including formalized procedures and processes, must be suitably designed, well documented, and operating effectively. This often requires remediation in a number of areas, most notably system configuration changes such as tightening firewall rulesets, strengthening access controls, developing formalized incident response procedures, and much more. NDNB can provide hands-on expertise as needed to ensure the safety and security of one’s I.T. infrastructure.
- SOC 2 audit reports are an important element of the AICPA Service Organization Control (SOC) reporting framework.
- Organizations can opt for a SOC 2 Type 1 report, which reports on the design of controls as of a point in time, or a SOC 2 Type 2 report, which also tests the operating effectiveness of those controls over a review period.
- SOC 2 reports are different from SOC 1 reports, which address controls relevant to clients’ financial reporting.
- SOC 2 audit reports are geared towards many of today’s technology oriented companies.