4. Learn about AT Section 101-If you are a service organization embarking on SOC 2 compliance, then you'll need to take a few moments to understand the technical aspects of AT Section 101. In short, AT Section 101 is the professional AICPA standard that allows a practitioner to report on subject matter other than financial statements, such as issuing a SOC 2 report. Lastly, a practitioner performing an engagement in accordance with AT Section 101 is to adhere to the following five (5) general standards:
(1) The practitioner must have adequate technical training and proficiency to perform the attestation engagement.
(2) The practitioner must have adequate knowledge of the subject matter.
(3) The practitioner must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users.
(4) The practitioner must maintain independence in mental attitude in all matters relating to the engagement.
(5) The practitioner must exercise due professional care in the planning and performance of the engagement and the preparation of the report.
5. Understand the true technical differences between SOC 1 and SOC 2 and the core reasons for the development of SOC 2-While there are many differences between SOC 1 and SOC 2, the notable points worth mentioning and remembering are the following:
• SOC 1 reporting utilizes the SSAE 16 professional standard while employing control objectives for reporting (Type 1) and testing (Type 2) on the suitability, design, and operating effectiveness of the controls.
• SOC 2 reporting utilizes the AT Section 101 professional standard and employs a "criteria" based framework centered on the five Trust Services Principles (TSP).
• SOC 1 is for reporting on controls that have a true, credible relationship or nexus to the internal control over financial reporting (ICFR) concept.
• SOC 2 is for reporting on non-financial controls, such as those of the growing list of service organizations within the technology arena (e.g., SaaS providers, managed services providers, data centers, etc.).
As for the development of the SOC 2 framework, the AICPA was witnessing first-hand the many changes in service organization reporting, such as the move toward international accounting standards, along with the need to provide a more suitable reporting platform for today's ever-changing service organizations. Add to the mix an outdated, misused auditing standard (SAS 70) and the sheer growth and continued adoption of technology by service organizations, and it was clear that changes had to be made. Thus, out with the historical SAS 70 auditing standard and in with the new SOC framework, a multi-faceted reporting platform for all types of service organizations.
6. Develop a Description of the "System"-A core requirement for SOC 2 reporting is developing a description of one's "system", that is, a detailed and comprehensive narrative that describes the services provided, along with the supporting processes, policies, procedures, personnel, and operational activities that make up the service organization's core activities relevant to user entities.
Keep in mind that the description of the "system" is a more in-depth and detailed illustration than the historical SAS 70 audit's description of one's "controls". Thus, if you have undertaken a SAS 70 in prior years and are moving towards SOC 2 (or even SOC 1 compliance, for that matter), the description of your "system" cannot simply be cut and pasted from your previous SAS 70 audit.