SOC 2 Reporting Framework and the Top 10 Items You Need to Know About | Part III
7. Provide a Written Statement of Assertion-Yet another requirement for SOC 2 compliance is providing the service auditor (i.e., the CPA performing the SOC 2 engagement) with a written statement of assertion. This assertion, which was never a requirement for SAS 70, is essentially a document whereby management (of the service organization) is essentially "asserting" to a number of different provisions regarding their overall control environment.
8. SOC 2 is Criteria based, not control objective based-What this means is that unlike SOC 1 (SSAE 16) reports, which list control objectives for reporting and, ultimately, testing on, SOC 2 reporting is "criteria" based and requires a practitioner to use one of (or all) of the five Trust Service Principles (TSP) for the scope of the engagement. Thus, for illustrative purpose, you should not find language such as "controls provide reasonable assurance that...." in a SOC 2 report, rather, a listing of the "criteria" and a description of what is in place for meeting the applicable criteria for each of the defined Trust Services Principles.
9. The adoption of SOC 2 is moving slower than expected-One would think that the SOC 2 framework, which is geared towards technology focused service organizations, would be widely embraced and immediately adopted. Not so as many of these entities have simply opted for SOC 1 SSAE 16 compliance. The reasons are many, but one would think that the rather rigid set of requirements within the TSP framework along with the possibility of thus receiving an adverse opinion are shying service organizations away from SOC 2. Hopefully this will change in the near future as the AICPA invested significant resources into developing a much-needed and fully capable technology based assessment framework.
10. SOC 2 and SOC 3 are similar in a number of regards-Both SOC 2 and SOC 3 utilize the Trust Services Principles (TSP) for their respective framework, thus allowing a service organization to effectively choose between the two. SOC 2 results in an a service organization receiving an actual report, whereby SOC 3 results in the issuance of a seal, which can be displayed on the service organization's website.
NDBYour Trusted Provider for SSAE 16 Compliance
- Vast Experience Across Numerous Industries and Sectors
- Fixed Fee Engagements for SSAE 16 Reports
- Nationally Recognized PCAOB CPA Firm