For SOC 2 Compliance & Assessments, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy is the official framework of a SOC 2 report. Under the new American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) framework, this is but one of three new reporting options, which include SOC 1, SOC 2, and SOC 3. The AICPA has made great strides in replacing an aging auditing standard (SAS 70) with a vastly improved and more up-to-date service organization reporting platform. So, here’s what you need to know about SOC 2 Compliance & Assessments, courtesy of NDB Accountants & Consultants, LLP, North America’s leading provider of SOC 1, SOC 2, and SOC 3 audits:
1. SOC 2 and AT Section 101. SOC 2 utilizes AT Section 101 as the professional standard for issuing SOC 2 reports. AT 101 provides a framework for performing and reporting on all attestation engagements. For the purposes of providing “attest” services to organizations, these "attestation standards" are a series of general provisions and requirements that provide overall guidance for the accounting and auditing profession, in addition to the SOC 2 framework.
Candidates for SOC 2 reports are those that report on controls aside from those likely to be relevant to user entities’ internal control regarding financial reporting (i.e., controls outside that of financial reporting). A few examples include:
• Cloud computing, such as Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS)
• Software Development Organizations
• Data Centers
• Web Hosting Providers
• Managed Services Providers
• Data Analytics
• Call Centers
2. SOC 2 and Trust Services Principles. One critical point regarding Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy is that these attributes form the basis of what is known as the SysTrust | WebTrust audit and assurance service. Generally known as the Trust Services Principles (TSP), this broad set of principles and criteria was jointly put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Specifically, the TSP attributes, technically known as "principles", are defined in the following manner:
• Security. The system is protected, both logically and physically, against unauthorized access.
• Availability. The system is available for operation and use as committed or agreed to.
• Processing Integrity. System processing is complete, accurate, timely, and authorized.
• Confidentiality. Information that is designated “confidential” is protected as committed or agreed.
• Privacy. Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice, and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
3. SOC 1, SOC 2 and SOC 3 primer. It is worth noting that SOC 1 reports, which utilize the SSAE 16 professional standard for reporting, are targeted at service organizations with a true and credible link or “nexus” to the concept of ICFR (Internal Controls over Financial Reporting). SOC 2 reports, which employ AT Section 101 as their professional standard, are primarily performed for examining and reporting on non-financial controls, such as those of the technology and security-related entities listed above. Similarly, the SOC 3 reporting standard, which also utilizes the Trust Services Principles (TSP), is a viable reporting option for reporting on today's growing technology service providers.
In addition to the aforementioned components which are critical for gaining a comprehensive understanding of the new AICPA SOC framework, don’t forget to study up on:
• SSAE 16 SOC 1 Reports
• Introduction to AT Section 101
• Understanding the AICPA SOC Framework
• Service organization requirements, such as the description of its "system" and the written statement of assertion.
4. Documentation. It’s important to note that documentation is key when it comes to SOC 2 compliance. Policies, procedures, and other essential materials will be requested by auditors, so it’s important to have them ready. NDB provides an industry leading SOC 2 Policy Packet for helping clients develop all the necessary documents required for SOC 2 compliance.
5. Why a Readiness Assessment is a Must. Because you’ll need to have an objective, unbiased third party assess critical audit issues prior to the actual assessment beginning. More specifically, service organizations need to assess and confirm scoping boundaries, determine what gaps and deficiencies exist in terms of policy documents and technical controls, and then provide a workable and sustainable roadmap for ensuring SOC 2 compliance is met. Without performing a SOC 2 readiness assessment – particularly for service organizations that are new to the AICPA framework – you’re putting at risk the long-term success of the audit, so keep this in mind.
6. Compliance is an Annual Commitment. Service organizations being asked to perform an initial SOC 2 assessment – or any other compliance report, such as SSAE 16 SOC 1, SOC 3 or PCI DSS – need to be aware that this is the “new norm”. The world of regulatory compliance is here to stay, will become an annual commitment for businesses throughout North America, and will require entities to provide considerable financial and operational resources. It’s why you need to find a firm that provides scalable and highly efficient audit services, and that’s NDB, so visit ndbcpa.com today to learn more about our firm and service offerings.
7. Why Choose NDB. Because we offer a variety of services for helping businesses all throughout North America – and the globe – in becoming SOC 2 compliant. Beginning with our proven readiness assessment services, then followed by NDB’s policy writing and remediation services, and finally, performing the actual assessments themselves – NDB offers everything needed for SOC 2 compliance.
8. Where can I learn more about SOC 2? Simply visit the SSAE 16 Resource Guide, developed exclusively by North America’s regulatory compliance experts at NDB Accountants & Consultants, LLP (NDB). The website provides in-depth information on both SSAE 16 SOC 1 audits and SOC 2 audits. SOC 2 is becoming the most well-recognized and well-respected of all the compliance reporting mandates, so now’s the time to learn all you can from the SOC 2 experts at NDB. We also offer fixed-fee pricing on all of our SOC 2 reports.
9. What are the Next Steps? Call and speak with CPA Christopher Nickell today at 1-800-277-5415, ext. 706, or email him at firstname.lastname@example.org. Chris is one of the most experienced and highly respected auditors in the world when it comes to understanding the intricate details of the AICPA Service Organization Control (SOC) framework, providing necessary guidance and expertise as needed. Chris will take the time to explain the necessary elements for ensuring your SOC 2 report is performed correctly. With years of performing regulatory compliance audits, Chris and the experts at NDB are ready to assist you, so contact us today.