“SOC 2 criteria” is a phrase heard often when Service Organization Control (SOC) 2 assessments are being demanded of today’s technology oriented businesses. From software development companies to data centers, managed service providers and others, SOC 2 compliance, and an understanding of what specifically the SOC 2 criteria are, is front and center in today’s world of regulatory compliance. NDNB Accountants & Consultants, nationally recognized experts in SOC 2 reporting, provides the following introduction and overview of SOC 2 and the technical merits of the SOC 2 criteria.
1. Understanding what SOC 2 is. SOC 2 is one reporting option within the Service Organization Control (SOC) framework put forth by the AICPA in 2011, when it retired the old, antiquated, and often misused SAS 70 auditing standard. Simply stated, it is an attestation on a service organization’s internal controls, one that focuses primarily on technology companies such as data centers, managed service providers, Software as a Service (SaaS) entities, and many others. Because of the growth in technology, SOC 2 has seen tremendous visibility in recent years and will continue to do so, perhaps even eclipsing its SOC 1 counterpart in terms of service organization reporting on controls.
The SOC 2 requirements for many businesses today include reporting on a large number of operational and information security policies, procedures, and processes within the organization. Growing compliance demands from customers are pushing many technology oriented service organizations to become SOC 2 compliant on an annual basis. With that said, it is vitally important to learn about the essential topics regarding SOC 2, starting with the following points every service organization needs to know:
1. Learn about the five (5) Trust Services Principles (TSP). The Trust Services Principles (renamed the Trust Services Criteria, or TSC, by the AICPA in 2017) are the set of criteria that form the core of the SOC 2 requirements, and they consist of the following:
- Security: That the system is protected against unauthorized access, both physically and logically.
- Availability: That the system is available for operation and use as committed or agreed.
- Processing Integrity: That system processing is complete, accurate, timely, and authorized.
- Confidentiality: That information designated as confidential is protected as committed or agreed.
- Privacy: That personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice.
Simply stated, the TSPs require that organizations have documented information security and operational policies, procedures, and processes in place for ensuring compliance.
A number of important issues and considerations arise when undertaking SOC 2 reporting for your organization. Specifically, it is critical to gain a strong understanding and overall awareness of the following issues relating to the SOC 2 principles.
1. SOC 2 Differs from SOC 1. SOC 2 compliance is geared directly towards the ever-growing number of technology oriented businesses looking for a comprehensive framework for validating a large number of security controls and best practices. Initially slow to catch on, SOC 2 has gained tremendous momentum in the marketplace. As for SOC 1, which used the SSAE 16 professional standard (superseded by SSAE 18 in 2017), its focus is on service organizations exhibiting a nexus with their customers’ financial reporting, such as trust and actuarial entities, TPAs, etc.
Gain a strong SOC 2 overview today from NDNB Accountants & Consultants, nationally recognized providers of regulatory compliance audits and assessments, including SOC 1, SOC 2, and SOC 3 compliance, along with PCI, HIPAA, FISMA, ISO, and many other industry mandates. Want to learn more about the AICPA Service Organization Control (SOC) framework? Then take note of the following points regarding SOC 2 assessments.
1. SOC 1 vs. SOC 2. It is important to understand the technical differences between SOC 1 and SOC 2. SOC 1 reports were issued under the AICPA SSAE 16 professional standard, while SOC 2 reports were issued under the little-known AT 101 standard; since 2017 both are issued under SSAE 18, SOC 1 under AT-C section 320 and SOC 2 under AT-C sections 105 and 205. Furthermore, SOC 1 is generally geared towards service organizations exhibiting a true “nexus” with their customers’ internal controls over financial reporting, while SOC 2 is for technology oriented service organizations. They are quite different, no question about it, so understanding these technical differences, and many others, is crucial.
A SOC 2 readiness assessment is essential for almost any service organization new to the AICPA Service Organization Control (SOC) framework. Given the important scope considerations and policy documentation requirements for these assessments, a SOC 2 readiness assessment becomes a very proactive and necessary element for auditing success. Though SOC 2 can “technically” be looked upon as prescriptive, since the Trust Services Principles (TSP) do lay out the criteria a service organization should meet, the criteria do not dictate specific controls, so what auditors will ask for as evidence remains highly subjective.
Additionally, from a scope perspective, there are five (5) Trust Services Principles, so deciding which of the five to include for reporting, a few or all of them, is also critical. Security is the baseline category and is included in virtually every SOC 2 report; the other four are added based on the commitments the organization makes to its customers. All the more reason for engaging an experienced CPA firm for a SOC 2 readiness assessment.
The Many Benefits of a SOC 2 Readiness Assessment
Furthermore, a SOC 2 readiness assessment helps determine one of the most important reporting requirements of the Service Organization Control (SOC) framework: what formalized processes and procedures, and other supporting initiatives, need to be in place. Processes and procedures, from an information security and operational perspective, are a large part of SOC 2 compliance, all the more reason for undertaking a SOC 2 readiness assessment. More specifically, all five (5) TSPs require comprehensive processes and procedures to be in place.
NDNB, a nationally recognized CPA firm with years of regulatory compliance experience, has assisted numerous clients in putting in place information security and operational processes and procedures, those needed to help ensure compliance with the SOC 2 reporting framework. Interestingly, the entire SOC framework, including SOC 1 and SOC 3, is also highly dependent on having documented information security and operational processes and procedures in place. It is a big, and often overlooked, component of regulatory compliance, so please keep that in mind.
SOC 2 is Surpassing SOC 1 in Adoption and Use
SOC 2 compliance continues to gain immense traction as more and more technology oriented service organizations adopt it as the primary framework for reporting on controls, possibly even outpacing the much better known SOC 1 (SSAE 18) standard. For this reason, it is critically important to gain a strong technical and operational understanding of SOC 2, which begins with a SOC 2 readiness assessment by a nationally recognized CPA firm that specializes in regulatory compliance, and that is NDNB.
With competitive fixed fees and high-quality audit services, NDNB is the right choice for any organization’s regulatory compliance needs. Call Christopher G. Nickell, CPA, today at 1-800-277-5415, ext. 706, or email him, to learn more about NDNB’s SOC 2 readiness assessment fixed fee pricing, along with our competitive pricing for all your SOC reporting needs, as well as PCI DSS, HIPAA and other regulatory compliance mandates.
SOC 2 Type 2 compliance reporting is becoming much more common these days, due in large part to the continued growth of technology oriented service organizations requiring regulatory audits. The old days of a one-size-fits-all standard, namely SAS 70, are long gone, so say hello to SOC 2 Type 2 compliance and the following important points you need to know about, provided by NDNB Accountants & Consultants, a nationally recognized audit and compliance CPA firm.
1. SOC 1 vs. SOC 2. SOC 1 (SSAE 16, now SSAE 18) assessments are generally conducted on service organizations with a clear nexus with their customers’ financial reporting, while SOC 2 assessments are targeted more towards technology oriented service organizations, whose customers are asking about security and availability rather than financial controls. The American Institute of Certified Public Accountants (AICPA), developer of the SOC standards, wrote the SOC 2 criteria in technical, prescriptive language suited to such organizations. Even with that said, you will find many technology companies being issued SOC 1 reports. Additionally, SOC 2 reporting is becoming quite well known and is being received favorably in the marketplace, a clear break from its recent obscurity.
2. SOC 2 Reporting and the Trust Services Principles (TSP). SOC 2 Type 2 compliance entails the use of what is known as the Trust Services Principles (TSP), a set of criteria developed by the AICPA for evaluating a service organization’s controls. Unlike SOC 1 reporting, in which management defines its own control objectives, SOC 2 Type 2 reporting is thus “criteria” based. Additionally, there are five (5) Trust Services Principles which can be used for reporting, which consist of the following:
• Security: The system is protected, both logically and physically, against unauthorized access.
• Availability: The system is available for operation and use as committed or agreed to.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
• Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the service organization’s privacy notice and the AICPA privacy criteria.
3. Type 1 vs. Type 2. In the never-ending alphabet soup of regulatory compliance, it is important to distinguish between SOC 2 Type 1 assessments and SOC 2 Type 2 assessments. For an ounce of clarity, just remember that a SOC 2 Type 1 report covers the design of controls as of a specific date, such as August 27, 20xx, while a SOC 2 Type 2 report also tests the operating effectiveness of those controls over what is fundamentally known as a “test period”, which is generally a minimum of six (6) months. For purposes of growing regulatory compliance mandates, most clients will request that service organizations undertake an actual SOC 2 Type 2 assessment, as it ultimately provides greater evidence of one’s internal control environment.
4. Obtain a Fixed Fee with all Supporting Documents. The key to undertaking SOC 2 Type 2 compliance in an efficient and cost-effective manner is obtaining a fixed fee from a skilled CPA firm, one that also offers all necessary information security expertise. Remember, SOC 2 Type 2 compliance is heavily dependent upon validating a service organization’s procedures and related processes over the test period. Expect SOC 2 Type 2 compliance to continue to expand and grow in the coming years as more technology-minded businesses opt for this type of reporting. Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, to obtain a competitive, fixed fee for SOC 2 Type 2 compliance.