SOC 2 reports provide information about how effectively a service provider manages the security, privacy, and integrity of sensitive information, making it easier for organizations to know who they can (and can’t) trust with their data. If you’re new to SOC 2, chances are you’ve been asking one or more of the following 7 most commonly asked questions about the framework…
1. What are SOC Reports?
System and Organization Controls (SOC) reports, formerly Service Organization Control reports, are examinations provided by CPAs in connection with system-level controls of a service organization or entity-level controls at other organizations. These engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18.
2. What were SSAE NO. 16 and SAS70?
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, superseded the guidance for service auditors stated in SAS 70 and was effective for service auditors’ reports for periods ending on or after June 15, 2011. AU Section 324 Statement on Auditing Standards No. 70, Service Organizations (SAS 70) was issued in the early 1990s and contained the initial requirements and guidance for reporting on controls.
3. What are the Trust Services Criteria and Categories?
Developed by the Assurance Services Executive Committee (ASEC) of the AICPA, the Trust Services Criteria is the set of control criteria to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems at an entity, a division, or an operating unit of an entity. The Trust Services Criteria are classified into the following categories (formerly referred to as “principles”)
- Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability. Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.
The Trust Services Criteria are aligned to the 17 principles presented in the 2013 COSO internal control framework. In addition to the 17 principles, the trust services criteria include additional criteria supplementing the COSO principles. The supplemental criteria cover logical and physical access controls, system operations, change management and risk mitigation.
4. What are the types of SOC reports?
- SOC 1 – SOC for Service Organizations: ICFR – reports on the controls at the service organization that impact user entities’ financial statements. Restricted use report.
- SOC 2 – SOC for Service Organizations: Trust Services Criteria – reports on the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. Restricted use report.
- SOC 2+ – SOC 2 report with additional subject matter or criteria included within the scope of the examination (e.g., PCI, HIPAA, HITRUST). Restricted use report.
- SOC for Service Organizations: SOC 2® HITRUST
- SOC for Service Organizations: SOC 2® CSA STAR Attestation
- SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report – scope is same as SOC 2, but the report does not contain a description of the auditor’s tests and results. General use report.
- SOC for Cybersecurity – reports on the effectiveness of cybersecurity risk management programs. General use report.
- SOC for Vendor Supply Chains (under development) – report for customers of manufacturers and distributors to better understand the cybersecurity risk in their supply chains.
5. What are the contents within a SOC 2 report?
There are typically five sections of a SOC 1 or SOC 2 report as detailed in the table below:
|I.||Independent Service Auditor’s Report||Service Auditor|
|II.||Management’s Assertion||Service Organization|
|III.||Description of the System||Service Organization|
|IV.||Control Objectives (or Trust Services Criteria), Related Controls and Tests of Operating Effectiveness||Service Auditor|
|V.||Other Information Provided by the Service Organization||Service Organization|
6. What are the types of SOC 2 reports?
- SOC 2 Type I – This is a report on fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to meet the applicable trust services criteria as of a specified date. (Point-in-Time)
- SOC 2 Type II – This is a report on fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria throughout the specified period.
7. What is a security control?
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Such controls protect the confidentiality, integrity and availability of information. In other words, a control is something you put in place to help avoid an unwanted event. Ex: a bicycle helmet is a control against injuring your head in an accident.