SOC (Service Organization Controls) audit: preparation and reporting for SOC 1, 2 and 3 audits
Conducted against the audit standards SSAE 16 or ISAE 3402, a SOC audit results in a SOC report, the main objective of which is to provide a service organisation’s management, user entities and other interested parties (clients, for example) with information about the controls the service organisation has in place.
It also includes the opinion of a certified public accountant (CPA) about whether the service organisation complies with SSAE 16 or ISAE 3402.
SSAE 16 and ISAE 3402 are independent, industry-recognised, third-party assurance standards that are used to audit service organisations, such as Cloud service providers, software providers and developers, web marketing companies and financial services organisations.
The American Institute of Certified Public Accountants (AICPA) oversees the SOC reporting structure.
A SOC audit is often a prerequisite for service organisations to partner with or provide services to tier-one organisations in the supply chain.
Who can perform a SOC audit?
A SOC audit can only be performed by an independent CPA or accountancy organisation. SOC auditors are regulated by the AICPA: they must adhere to specific professional standards established by the AICPA and are required to follow specific guidance related to planning, executing and supervising audit procedures. In addition, AICPA members are required to undergo a peer review to ensure their audits are conducted in accordance with generally accepted auditing standards.
CPA organisations may employ non-CPA professionals with relevant information technology and security skills to participate in preparing for a SOC audit, but the final report must be provided and issued by a CPA.
Which SOC audit do you need?
The AICPA has defined three kinds of SOC audits and subsequent reports.
Each has been designed to help service organisations meet specific user needs.
SOC 1 audit
SOC 1 audits report on a service organisation’s services and controls that are relevant to user entities’ internal control over financial reporting.
Organisations that have undergone a SAS 70 audit in the past will now require a SOC 1 audit.
Use of a SOC 1 report is restricted to existing clients and is not intended for marketing purposes.
A SOC 1 audit report includes an opinion letter, management assertion, detailed description of the system or service, control objectives and controls, tests of controls and results of testing, and optional additional information.
SOC 2 audit
SOC 2 audit reports provide detailed information on a service organisation’s services and controls that are relevant to security, availability, processing integrity, confidentiality and/or privacy.
Service organisations must select which of the five Trust Services Principles, and their associated criteria and controls, are needed to mitigate the key risks to the service or system the organisation provides to its clients:
Security – The system is protected against unauthorised access (both physical and logical).
Availability – The system is available for operational use as committed or agreed.
Processing integrity – System processing is complete, accurate, timely and authorised.
Confidentiality – Information designated as confidential is protected as committed or agreed.
Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the service organisation’s privacy notice, and with criteria set forth in generally accepted privacy principles issued by the AICPA.
The Trust Services Principles and criteria are closely aligned with the following standards and frameworks:
ISO 27001 and ISO 27002
The PCI DSS
HIPAA Security Standards
NIST SP 800-53 and SP 800-66
SOC 2 audit reports include an opinion letter, management assertion, detailed description of the system or service, details of the Trust Services Principles criteria and controls selected, tests of controls and results of testing, and optional additional information.
A SOC 2 report is generally a restricted-use report for existing or prospective clients.
SOC 3 audit
SOC 3 audit reports provide relevant parties with summary information on the design and operating effectiveness of the service organisation’s controls based on the five Trust Services Principles and criteria relating to security, availability, processing integrity, confidentiality and/or privacy.
A SOC 3 audit is carried out on a particular date and provides a snapshot of the service organisation and its controls when the audit is conducted.
A SOC 3 audit report includes an opinion letter and management assertion.
A SOC 3 report is a general-use report.
SOC audits and reports fall into two types according to the length of observation involved:
Type I is an audit and report carried out on a specified date.
Type II is an audit and report carried out over a specified period of time, usually a minimum of six months.
Some user organisations require their service providers to undergo a SOC Type II audit for the greater level of assurance and reporting detail it provides.
A successful SOC audit carried out by a certified CPA permits the service organisation to use the AICPA logo on its website.
How can IT Governance help?
IT Governance can provide assistance throughout the entire SOC preparation, remediation, testing and reporting process.
Our expert cyber security consultants are experienced in helping organisations prepare for audit.
IT Governance will identify and advise on the SOC audit best suited to your organisation.
The readiness assessment results in a detailed report that identifies any shortfalls and provides a roadmap for compliance.
The SOC readiness assessment includes advice on a suitable audit scope and content of the service or system description, and identifying which of the Trust Services Principles controls and criteria mitigate your key risks.
Once the shortfalls have been identified, IT Governance can assist you in remediating them.
We can assist in audit scoping, compiling the system or service description, risk assessment, control selection, and defining control effectiveness measurements and metrics.
Testing and reporting
IT Governance has partnered with a leading AICPA and PCAOB-registered CPA audit organisation based in the USA that will apply a proven methodology to perform the required testing and reporting.
IT Governance can facilitate the audit process and put the client in contact with our partners, who can then deliver the audit at a fraction of the costs demanded by the Big Four accounting firms.
The SOC audit process involves:
Reviewing the audit scope
Developing a project plan
Testing controls for design and/or operating effectiveness
Documenting the results
Delivering and communicating the client report
Get end-to-end SOC audit support
IT Governance can assist with the full SOC audit process, from conducting a readiness assessment and advising on the necessary remediation measures through to testing and reporting, by virtue of its partnership with a leading AICPA- and PCAOB-registered CPA audit organisation.
Contact us for a quote by emailing email@example.com or calling +44 (0)845 070 1750.