1. Understand the reporting platform of the AICPA Service Organization Control (SOC) framework-The newly formed Service Organization Control (SOC) framework, put forth by the American Institute of Certified Public Accountants (AICPA), seeks to fundamentally reshape reporting requirements for today's complex and ever-changing service organization entities. Specifically, three (3) reporting options were adopted, resulting in SOC 1, SOC 2, and SOC 3. While SOC 1 reports are to utilize the SSAE 16 standard for reporting on controls, SOC 2 and SOC 3 reports, which are geared towards technology and cloud computing companies, are to utilize the Trust Services Principles (TSP) in accordance with the AT Section 101 professional standard.
2. Learn about the Trust Services Principles (TSP) framework-Unlike the historical SAS 70 auditing standard or the current SSAE 16 attestation standard, the framework for a Service Organization Control (SOC) 2 report is "criteria" based, whereby a practitioner is engaged to examine and report on a service organization's controls over one or more of the following five (5) Trust Services Principles (TSP):
• The security of a service organization's system.
• The availability of a service organization's system.
• The processing integrity of a service organization's system.
• The confidentiality of the information that the service organization's system processes or maintains for user entities.
• The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
And from a scope perspective, there is discretion as to which and how many of the five (5) Trust Services Principles are actually examined during and reported on during a SOC 2 engagement. In short, an "Omission of an applicable trust services criterion is appropriate if the omitted criterion is not applicable to the system that is the subject of the engagement": AICPA Audit Guide, "Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy" (SOC 2), published 2011.
3. There's a SOC 2 Audit Guide Available for Purchase-The AICPA has done a commendable job in putting forth comprehensive and detailed publications for each of the new respective standards and pronouncements for which they release. Just as the SSAE 16 attest standard has newly printed material available for purchase, so does the SOC 2 reporting framework. Currently, interested parties can purchase the 148 page publication, titled "Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)". Though its primarilly geared towards actual practitioners, such as CPA's and auditors alike, service organizations will find a wealth of invaluable information for helping better plan, assess, and ultimately scope a SOC 2 engagement. Its available for purchase from the AICPA cpa2biz.com website.
Author: Charles Denyer