SOC Readiness Assessments Omaha | SOC Readiness Nebraska


For Omaha and Nebraska businesses that need to undergo a System and Organization Controls (SOC) examination, the process can be stressful. It requires a thorough review of organizational processes and controls, and of how effectively those controls operate. That means the organization needs documented procedures that have actually been reviewed, and confidence that essential controls are functioning as designed. It isn't easy, and for those who have never been through a SOC 1 or SOC 2 audit, meeting the applicable attestation standards is an unfamiliar exercise. A SOC report is needed, but will the organization pass? This is when many turn to SOC readiness assessments to guide their efforts.

What is a SOC Readiness Assessment?

A SOC readiness assessment is designed to help an organization determine its preparedness for an actual SOC examination. It identifies potential issues and challenges and helps to remedy them before the audit starts. It also helps to identify control weaknesses that could otherwise lead to a qualified or adverse opinion in the final report (an unqualified opinion is the desired outcome).

SOC Readiness Assessments – Omaha (NE)

Barnes Dennig has significant experience working with companies, including healthtech, in Omaha and across Nebraska. Our professionals have guided many through the reporting process by identifying the key controls needed and testing the effectiveness of policies and procedures. Barnes Dennig's audit experience allows us to quickly establish a risk profile and identify areas of exposure and the variables that matter. This results in a more valuable experience because we know the right questions to ask. Whether you need a SOC 1 or SOC 2 readiness assessment, Barnes Dennig stands ready to assist.


Omaha SOC Readiness Assessment

Our team will review your documentation and identify the testing necessary to verify control effectiveness. Then a practice SOC examination will reveal whether you are ready for the real thing. Do not be concerned if the results are not perfect; most organizations must firm up some controls and make other changes before the examination. We will work with you to ensure the proper steps are taken and issues are corrected so you are ready for the big day.

SOC Report FAQs

A System and Organization Controls (SOC) report is an independent attestation report issued by a licensed Certified Public Accountant (CPA) firm and performed under standards set by the American Institute of Certified Public Accountants (AICPA).

The Statements on Auditing Standards (SASs) primarily provide guidance on auditing financial statements, whereas the Statements on Standards for Attestation Engagements (SSAEs) primarily provide guidance on reporting on other subject matter, such as a service organization's controls.

In 2010, the AICPA issued SSAE 16, which replaced SAS 70 for service organization reporting. It was designed to closely mirror the international assurance standard ISAE 3402. In 2016, the AICPA issued SSAE 18, which replaced SSAE 16 and consolidated the attestation standards into the AT-C sections. Later SSAEs, through SSAE 21 (effective for reports dated in mid-2022 and after), have amended SSAE 18 rather than replacing it; SOC engagements are still performed under the AT-C sections that SSAE 18 established.

A SOC 1 report is designed to address controls relevant to a user entity's internal control over financial reporting. Providing services that affect the financial statements of clients or customers typically results in the need for a SOC 1 report. Common examples include payroll processors and collections agencies. It is also possible to issue a SOC 1 report that covers only IT General Controls.

A SOC 2 report is focused on a control environment built on controls that meet the relevant SOC 2 Trust Services Criteria (security, availability, processing integrity, confidentiality, and/or privacy).

To complicate things, each type of report can be completed as a Type 1 or a Type 2. A Type 1 report covers controls in place as of a specific point in time; the auditor opines on whether the controls were suitably designed and implemented as of that date. A Type 2 report covers controls in place over a period of time; in addition to design and implementation, the auditor opines on whether the controls operated effectively throughout that period, based on testing of evidence produced during the period.

The SOC 3 is a derivative of the SOC 2 report. SOC 3 reports are general-use reports that can be posted online for public consumption. It is a summary-level report that omits the detailed system description and control test results found in the SOC 2 report.

A SOC 1 report is built around the system description and related control objectives.

System Description – narrative component to provide users with a comprehensive understanding of the service organization’s systems, processes, and controls.

Control Objectives – The control objectives outlined in a SOC 1 report provide a clear and structured framework for assessing whether the control procedures were designed and operating effectively to achieve their intended purpose. These objectives encompass IT General Controls, which support the security and integrity of the system, as well as controls over data input, processing within the system, and the export or reporting of data from the system.

A SOC 2 report is built around the system description and related control procedures supporting the in-scope Trust Services Criteria.

System description – narrative component to provide users with a comprehensive understanding of the service organization’s systems, processes, and controls.

Trust Services Criteria – The AICPA establishes the Trust Services Criteria. The Service Organization selects the Trust Services Criteria that are in scope. This is typically driven by conversations with customers and reviews of contracts with customers.

Originally, these five attributes of a system were known as principles. With the 2017 revision of the framework, the name "Trust Services Principles" was changed to "Trust Services Criteria."

The five categories didn’t change, and the same basic framework is in place for assessing the controls. Within the five categories, there are individual criteria. They are more like requirements. The things you put in place to meet the requirements are the controls.

Control procedures – the controls the Service Organization has identified and put in place to meet the selected Trust Services Criteria.

  1. Security – addresses controls related to protecting the system and data from unauthorized access, damage, or theft.
  2. Availability – ensures that the system and services are available as agreed upon in service level agreements.
  3. Processing Integrity – ensures that system processing is accurate, complete, and timely.
  4. Confidentiality – maintaining the confidentiality of sensitive data.
  5. Privacy – the collection, use, retention, disclosure, and disposal of personal information to ensure alignment with data protection laws and regulations.

SOC 2 is a voluntary compliance standard for service organizations that specifies organizations should manage customer data based on the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy.

The SOC 2 is increasingly valuable in business-to-business compliance and assurance.

It continues to grow in usefulness as a tool for meeting other requirements (e.g., GDPR, HIPAA, and PCI DSS) that call for detailed oversight of third-party vendors.

We're seeing many businesses expand from a basic SOC 2 Security report to a SOC 2+, which can include additional criteria or frameworks important to your customers. Expanding on the basic SOC 2 demonstrates that you are broadening your control environment and better protecting your clients.


The AICPA provides mappings for the following frameworks:

  • ISO 27001
  • NIST CSF
  • NIST 800-53
  • GDPR
  • CSA’s Cloud Controls Matrix
  • ISACA Blockchain Framework

Other frameworks and mappings exist in practice, so the list above is not comprehensive. For example, Microsoft includes the German C5 (Cloud Computing Compliance Controls Catalogue) in its SOC 2 report.

While it may take more time, resources, and judgment, it’s possible to include other frameworks in a SOC 2+ that haven’t been mapped by the AICPA.

The SOC for Cybersecurity examination provides an independent, entity-wide assessment of your organization’s cybersecurity risk management program. It’s especially useful for larger organizations that need a measurement of their own cybersecurity posture.

It also helps to quantify risk over time for board members who want to know if cybersecurity risks are being adequately mitigated. It’s a great way to measure whether very specific controls have improved from year to year.

A SOC 2 Type 2 is a period-of-time report, but the SOC guide does not prescribe a minimum period of coverage for a SOC 2 report.

Practitioners need to use professional judgment in determining whether the report covers a sufficient period.

The SOC guide gives an example of a service organization that wishes to engage a service auditor to perform a Type 2 engagement for a period of fewer than two months. In essence, it states that the service auditor should consider whether a report covering that period will be useful to users, particularly if many of the controls related to the applicable Trust Services Criteria are performed on a monthly or quarterly basis and would therefore operate only once, or not at all, during such a short window.

Contact Our Omaha SOC Readiness Assessment Team

Barnes Dennig provides SOC readiness assessments to companies in Omaha and across Nebraska remotely from our Ohio offices. If you want to learn how we can help your company, complete the form below, and a team member will contact you promptly.

About Omaha (NE)

The Omaha business community is a dynamic and diverse economic hub in the Midwest, anchored by a mix of Fortune 500 companies, innovative startups, and a strong agricultural base. Known for its prominent corporations such as Berkshire Hathaway, Union Pacific Railroad, and Mutual of Omaha, the city has a robust presence in finance, insurance, and transportation. Omaha’s strategic location and well-developed infrastructure make it a key logistics and distribution center. The city also has a burgeoning tech scene, supported by initiatives aimed at fostering entrepreneurship and innovation. Additionally, Omaha’s economy benefits from its strong healthcare sector, with leading institutions like Nebraska Medicine and Children’s Hospital & Medical Center providing advanced medical services and research. The local business environment is further enhanced by a low cost of living, a skilled workforce, and a supportive community that encourages business growth and development. This combination of established industries and emerging sectors makes Omaha a vibrant and resilient economic center.

National Reach

Barnes Dennig provides SOC Readiness Assessment services to companies located in Atlanta (GA), Baltimore (MD), Chicago (IL), Charlotte (NC), Dallas (TX), Des Moines (IA), Detroit (MI), Denver (CO), Houston (TX), Louisville (KY), Milwaukee (WI), Minneapolis (MN), Newark (NJ), Little Rock (AR), Philadelphia (PA), Portland (OR), St Louis (MO), Salt Lake City (UT), and Seattle (WA).
