SOC 2 Audit: What is it?
SOC 2 (Service Organization Control) audit reports provide detailed information on a service organisation’s services and controls that are relevant to security, availability, processing integrity, confidentiality and/or privacy. The reporting structure is overseen by the American Institute of Certified Public Accountants (AICPA).
Trust Services Principles (TSP)
A SOC 2 audit is conducted against the AICPA TSP. This is an industry-recognised, third-party assurance standard for auditing service organisations such as Cloud service providers, software providers and developers, web marketing companies and financial services organisations.
Service organisations have to select which of the TSP are required to mitigate the key risks to the service or system that the organisation provides:
1. Security: The system is protected against unauthorised access (both physical and logical).
2. Availability: The system is available for operational use as committed or agreed.
3. Processing integrity: System processing is complete, accurate, timely and authorised.
4. Confidentiality: Information designated as confidential is protected as committed or agreed.
5. Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the service organisation’s privacy notice, and with criteria set forth in generally accepted privacy principles issued by the AICPA.
The TSP are closely aligned with the following standards and frameworks:
- 1. ISO 27001 and ISO 27002 (information security management)
- 2. Payment Card Industry Data Security Standard (PCI DSS)
- 3. HIPAA security standards
- 4. NIST SP 800-53 (Security and Privacy Controls) and SP 800-66 (Implementing HIPAA Security Rule)
- 5. DoD 8500.2 (Information Assurance Implementation)
- 6. NERC-CIP (Critical Infrastructure Protection)
What to expect of a SOC 2 audit report?
The SOC 2 audit report provides assurance about the suitability of the design and effectiveness of the service organisation’s controls to its clients, management and user entities. The report is generally restricted-use for existing or prospective clients.
SOC audits and reports fall into two types according to the length of observation involved:
- Type I - an audit and report carried out on a specified date.
- Type II - an audit and report carried out over a specified period of time, usually a minimum of six months.
A SOC 2 audit report includes:
- An opinion letter;
- Management assertion;
- A detailed description of the system or service;
- Details of the TSP selected;
- Tests of controls and the results of testing; and
- Optional additional information.
It also specifies whether the service organisation complies with the AICPA TSP. Some organisations require their service providers to undergo a SOC Type II audit for the greater level of assurance and reporting detail it provides.
Who are SOC 2 audits designed for?
SOC 2 audits are targeted at any organisation (Cloud computing, SaaS, PaaS, etc.) that provides services and systems to client organisations. The client company may ask the service organisation to provide an assurance audit report, particularly if confidential or private data is being entrusted to the service organisation.
Many organisations offer a wide range of Cloud-based services and systems that include private financial and medical information. If your organisation provides Cloud services, a SOC 2 audit report will go a long way to establishing trust with customers and stakeholders. A SOC 2 audit is often a prerequisite for service organisations to partner with or provide services to tier-one organisations in the supply chain.
Who can perform a SOC audit?
A SOC audit can only be performed by an independent Certified Public Accountant (CPA) or accountancy organisation. SOC auditors are regulated by the AICPA; they must adhere to specific professional standards established by the AICPA. They are also required to follow specific guidance related to planning, executing and supervising audit procedures. AICPA members are also required to undergo a peer review to ensure their audits are conducted in accordance with generally accepted auditing standards.
CPA organisations may employ non-CPA professionals with relevant information technology and security skills to participate in preparing for a SOC audit, but the final report must be provided and issued by a CPA. A successful SOC audit carried out by a certified CPA permits the service organisation to use the AICPA logo on its website.
How does IT Governance help?
Our accreditation as UK Government Crown Commercial Service Supplier, means that we are well prepared to help any organisation prepare for a SOC 2 audit.
1. Readiness assessment
We assess your state of SOC 2 preparedness by evaluating the type of service you offer, the type of TSP applicable to that service and the security controls relevant to the delivery of the service. Among other things, processes and procedures, system setting configuration files, screenshots, signed memos, and organisational structure are examined and analysed.
Once the shortfalls have been identified, IT Governance can help you remediate them. We can help with audit scoping, compiling the system or service description, risk assessment, control selection, and defining control effectiveness measurements and metrics.
3. Testing and reporting
IT Governance has partnered with a leading AICPA- and PCAOB-registered CPA audit organisation based in the US, which will apply a proven methodology to perform the required testing and reporting.
IT Governance can assist with the full SOC audit process, from conducting a readiness assessment and advising on the necessary remediation measures through to testing and reporting, by virtue of its partnership with a leading AICPA- and PCAOB-registered CPA audit organisation.
We facilitate the audit process and put the client in contact with our partners, which can then deliver the audit at a fraction of the costs demanded by the Big Four accounting firms. The SOC audit process involves:
- Reviewing the audit scope;
- Developing a project plan;
- Testing controls for design and/or operating effectiveness;
- Documenting the results as well as delivering and communicating the client report.
Why choose IT Governace?
IT Governance specialises in providing IT governance, risk management, compliance solutions and consultancy services, with a special focus on cyber resilience, data protection, cyber security and business continuity.
In an increasingly punitive and privacy-focused business environment, we are committed to helping organisations protect themselves and their customers from the perpetually evolving range of cyber threats. Our deep industry expertise and pragmatic approach help our clients improve their defences and make key strategic decisions that benefit the entire organisation.
IT Governance is duly recognised under the following frameworks:
- CREST certified as ethical security testers
- Certified to Cyber Essentials Plus, the UK government-backed cyber security certification scheme
- Certified to ISO 27001:2013, the world’s most recognised cyber security standard
Speak to an expert
For more information on how IT Governance can help with your SOC 2 Audit, please contact us by using the methods below.