What is a SOC audit?
SOC (System and Organization Controls – formerly Service Organization Controls) audits are independent assessments of the risks associated with using service organisations and other third parties.
They are essential to regulatory oversight, vendor management programmes, internal governance and risk management.
There are three levels of SOC audit for service organisations:
SOC 1 audits relate to organisations’ ICFR (internal control over financial reporting). They are conducted against the assurance standards ISAE (International Standard for Assurance Engagements) 3402 or SSAE (Statement on Standards for Attestation Engagements) 18.
SOC 2 audits assess service organisations’ security, availability, processing integrity, confidentiality and privacy controls against the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria), in accordance with SSAE 18. A SOC 2 report is generally used for existing or prospective clients.
In the UK, SOC 2 audits can also be carried out against ISAE 3000. You can learn more about using the ISAEs for SOC 2 examinations in the AICPA document Performing and reporting on a SOC 2® examination.
SOC 3 audits are like SOC 2 audits, but their reports are much more concise and designed for a general audience.
SOC 1 and SOC 2 audits are divided into two types:
- Type 1 – an audit carried out on a specified date.
- Type 2 – an audit carried out over a specified period, usually a minimum of six months.
SOC 3 audits are always Type 2.
The AICPA has also developed SOC for cybersecurity and SOC for Supply Chain.
Speak to a SOC 2 expert
If you need more information about SOC Type 2 compliance or are unsure whether your organisation needs a SOC 2 audit, our experts can help. Call us now on +44 (0)333 800 7000, or request a call using the form below.
What is a SOC 2 audit report?
A SOC 2 audit report provides detailed information and assurance about a service organisation’s security, availability, processing integrity, confidentiality and privacy controls, based on its compliance with the AICPA’s TSC, in accordance with SSAE 18. The report contains:
- An opinion letter.
- A management assertion.
- A detailed description of the system or service.
- Details of the selected trust services categories.
- Tests of controls and the results of testing.
- Optional additional information, such as technical information or plans for new systems, details about business continuity planning, or the clarification of contextual issues.
It also specifies whether the service organisation complies with the TSC.
What are the AICPA TSC?
The TSC are industry-recognised, third-party control criteria for auditing service organisations. They are divided into 5 trust services categories – security, availability, processing integrity, confidentiality and privacy.
Criteria common to these 5 categories are aligned with the 17 principles in the 2013 COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework.
The common criteria cover:
- The control environment
- Communication and information
- Risk assessment
- Monitoring of controls
- Control activities related to the design and implementation of controls
In addition to these 17 common criteria, there are supplemental criteria for four of the five trust services categories. (The security category has no supplemental criteria of its own.) These supplemental criteria can also apply to any or all of the other categories. For instance, criteria related to logical access can apply to all five categories.
The supplemental criteria cover:
- Logical and physical access controls
- System operations
- Change management
- Risk mitigation
Trust services categories
Service organisations must select which of the five trust services categories to cover in order to mitigate the key risks to the service or system that they provide:
1. Security
“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”
This is the only mandatory trust services category.
2. Availability
“Information and systems are available for operation and use to meet the entity’s objectives.”
3. Processing integrity
“System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”
4. Confidentiality
“Information designated as confidential is protected to meet the entity’s objectives.”
5. Privacy
“Personal information is collected, used, retained, disclosed and disposed of to meet the entity’s objectives.”
The full set of criteria can be found here
What is ISAE 3000?
Developed by the IAASB (International Auditing and Assurance Standards Board), the ISAEs are the international equivalents of the AICPA’s attestation standards.
ISAE 3000 (Revised): Assurance Engagements Other Than Audits Or Reviews Of Historical Financial Information is an international assurance standard for non-financial information. The UK version of the Standard is ISAE (UK) 3000.
Who are SOC 2 audits designed for?
SOC 2 audits are aimed at organisations that provide services and systems to client organisations (for example, Cloud service providers, software providers and developers, web marketing companies and financial services organisations).
A client company might ask the service organisation to provide an assurance audit report, particularly if confidential or private data is entrusted to the service organisation.
If your organisation provides Cloud services, a SOC 2 audit report will go a long way to establishing trust with customers and stakeholders. A SOC 2 audit is often a prerequisite for service organisations to partner with or provide services to tier one companies in the supply chain.
Who can perform a SOC audit?
In the US, a SOC audit can only be performed by an independent CPA (Certified Public Accountant) or accountancy organisation.
SOC auditors are regulated by, and must adhere to specific professional standards established by, the AICPA. They are also required to follow specific guidance related to planning, executing and supervising audit procedures. AICPA members are also required to undergo a peer review to ensure their audits are conducted in accordance with accepted auditing standards.
CPA organisations may employ non-CPA professionals with relevant IT and security skills to prepare for a SOC audit, but the final report must be provided and issued by a CPA. A successful SOC audit carried out by a CPA permits the service organisation to use the AICPA logo on its website.
In the UK, SOC audits can be conducted by a qualified member of the ICAEW (Institute of Chartered Accountants in England and Wales) or an equivalent organisation.
SOC 2 and ISO 27001
Certification to ISO 27001, the international standard for information security management, shows that an organisation has implemented an ISMS (information security management system) that conforms to information security best practice.
Whereas an ISO 27001 certification audit assesses an organisation’s information security controls at a given time, a SOC 2 Type 2 audit is more comprehensive, covering several months, and results in a formal attestation rather than a certificate.
It might therefore be argued that a SOC 2 Type 2 report provides greater – and more specific – assurance than ISO 27001 certification.
However, a SOC 2 audit report is the opinion of the auditor – there is no compliance framework or certification scheme. With ISO 27001 certification, an accredited certification body confirms that the organisation has implemented an ISMS that conforms to the Standard’s best practice.
Just as there are benefits to both ISO 27001 and SOC 2, there is sufficient overlap between SOC 2 and ISO 27001 to justify addressing them simultaneously and incorporating your SOC 2 compliance into your ISO 27001-compliant ISMS.
For instance, you can structure your risk assessment and risk treatment plan to account for the five SOC 2 and SOC 3 trust services categories (security, availability, processing integrity, confidentiality and privacy).
For more information about the similarities and differences between SOC 2 and ISO 27001, watch our free webinar - ISO 27001 vs SOC 2: What’s the difference?
We can help any organisation prepare for a SOC 2 audit.
We can assess your state of SOC 2 preparedness by evaluating the type of service you offer, the trust services categories applicable to that service and the security controls relevant to delivering that service. We will examine and analyse your processes and procedures, system configuration files, screenshots, signed memos and organisational structure.
After identifying any shortfalls, IT Governance can help you remediate them. We can help with audit scoping, compiling the system or service description, risk assessment, control selection, defining control effectiveness measurements and metrics, or integrating your SOC 2 requirements into your ISO 27001-compliant ISMS.
Testing and reporting
IT Governance has partnered with a leading AICPA- and PCAOB (Public Company Accounting Oversight Board)-registered CPA audit organisation in the US, which will perform the required testing and reporting at considerably reduced rates.
IT Governance can assist with the complete SOC audit process, from conducting a readiness assessment and advising on the necessary remediation measures to testing and reporting, by virtue of our partnership with CyberGuard.
We facilitate the audit process and put the client in contact with our partners, which can deliver the audit at a fraction of the costs demanded by the Big Four accounting firms.
The SOC audit process involves:
- Reviewing the audit scope;
- Developing a project plan;
- Testing controls for design and/or operating effectiveness;
- Documenting the results; and
- Delivering and communicating the client report.
Why choose IT Governance?
IT Governance specialises in providing IT governance, risk management and compliance solutions and consultancy services, focusing on information security and ISO 27001, cyber security, data privacy and business continuity.
In an increasingly punitive and privacy-focused business environment, we are committed to helping organisations protect themselves and their customers from cyber threats.
Our deep industry expertise and pragmatic approach help our clients improve their defences and make critical strategic decisions that benefit the entire organisation.