HWNS LLC

SOC 2

Trust Service Criteria

The Service and Organization Controls (SOC) 2 Report will be performed in accordance with AT-C 205 and based upon the Trust Services Criteria, with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization’s controls (just like SOC 1 / SSAE 18). The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system, whereas SOC 1 / SSAE 18 focuses on financial reporting controls.

The Trust Service Criteria, which SOC 2 is based upon, are modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. Each criterion has corresponding points of focus, which should be met to demonstrate adherence to the overall criteria and produce an unqualified opinion (no significant exceptions found during your audit). One benefit of the trust services criteria is that the requirements are predefined, making it easier for business owners to know what compliance needs are required of them and for users of the report to read it and assess the adequacy of the controls.

Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain, and dispose of information for user entities. SOC 2 was put in place to address demands in the marketplace for assurance over non-financial controls, and to prevent SOC 1 from being misused for that purpose just as SAS 70 was.


There have been several major updates to SOC 2 since its initial implementation to optimize and enhance the framework’s layout, controls, flexibility, and usefulness, as well as to align it with COSO to further facilitate its use in an entity-wide engagement. The most recent updates to SOC 2 occurred in 2017 and must be in place for reports issued on or after December 16, 2018.


Further, beyond attesting to the SOC 2 Criteria and Categories, there are mappings to other relevant frameworks that can be included and addressed within a SOC 2 report to make it more flexible and useful to Organizations. See the Additional Subject Matter (SOC 2 PLUS) section below to learn more about how it can be leveraged to reduce overall compliance costs and efforts.


Did you know? A business isn’t required to address all the principles; the review can be limited to only the principles that are relevant to the outsourced service being performed. Some example industries that might have a need for a SOC 2 include: SaaS providers, data center / colocation providers, document production, and data analytics providers.

Changes Effective December 2018

SOC 2 has been updated to meet the needs of a wider range of Organizations, improve the overall quality and usefulness of the report, and assist in reporting at an entity level, rather than for a specific process or system. These updates also bring many decisions, changes, and enhanced responsibility and accountability to Service Organizations.


Key changes to the standard include:

Trust services criteria updated to align with the 17 principles of the COSO framework, some of which include:

  • Demonstrate commitment to integrity and ethical values
  • Ensure that board exercises oversight responsibility
  • Establish structures, reporting lines, authorities and responsibilities
  • Select and develop control activities that mitigate risks
  • Select and develop technology controls
  • Deploy control activities through policies and procedures
  • Perform ongoing or periodic evaluations of internal controls (or a combination of the two)

Ability to evaluate control effectiveness in examinations of various subject matters, in addition to those over the security, availability, processing integrity, confidentiality, or privacy of information and systems, across:

  • the entire entity;
  • a subsidiary, division, or operating unit;
  • a function or system; or
  • information used by the entity.

The trust services principles and criteria are now referred to as the trust services criteria, and the principles are now referred to as the trust services categories, so as not to be confused with the COSO principles.


Information security requirements have been organized more logically and broken down into the following areas:

  • Logical and physical access controls – the criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access to meet the entity’s objectives addressed by the engagement
  • System operations – the criteria relevant to how an entity manages the operation of systems and detects and mitigates processing deviations, including logical and physical security deviations, to meet the entity’s objectives addressed by the engagement
  • Change management – the criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made, to meet the entity’s objectives addressed by the engagement

The trust services criteria also now address risk management, incident management, and certain other areas at a more detailed level than in the past.


Points of focus were added to all criteria to better clarify and help users apply the criteria.

Trust Services Categories


The SOC 2 criteria comprise five categories (formerly the SOC 2 principles): security, availability, confidentiality, processing integrity, and privacy. The security category is covered by the common criteria.


Each category has a specific set of criteria to meet with corresponding points of focus:


  • Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability. Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
  • Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Depending on which category or categories are included in scope for the examination, which is typically determined in consultation with Clients and your auditor based on factors like service level or regulatory requirements, a Company must include in its report:

  • the criteria common to all five of the trust service categories (common criteria), and
  • one or more of the specific criteria related to the availability, processing integrity, confidentiality, and/or privacy categories.

There may be specific criteria which are not applicable to the system under review; however, as of the latest updates, these exclusions must be justified appropriately with your auditor and within the report.

Additional Subject Matter (SOC 2 PLUS)

The AICPA recently made efforts to expand the use of SOC 2 in two significant ways: additional reporting Criteria and alignment with other significant and, at times, required IT Security regulations. This expansion increases the utility of a SOC 2 report and can reduce the overall compliance costs and efforts of Businesses small, medium, and large.


The Additional Subject Matter increases the flexibility of the SOC 2 report to include coverage of significant concerns of business partners when outsourcing certain activities, given the current, expanding compliance landscape. A table highlighting these changes accompanies this section.

Below are some use cases where these additions could come in handy:

  • Description of the physical characteristics of a service organization’s facilities
    • Specific sizes of rooms and spaces, or other contracted terms relating to a physical attribute claimed by the company to clients (data center cage size, storage/shelf space, processing floor, etc.).
  • Historical data related to the availability of computing resources
    • Adherence to SLA requirements at various levels (overall system availability, by client, retention duration (1 month, 6 months, 7 years), etc.).
  • Compliance with a statement of privacy practices
    • Beyond testing the general privacy criteria, some clients may require further coverage based on industry requirements, including third-party review of a business’s compliance with its statement of privacy practices.
  • Requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification, 45 CFR Sections 164.308-316
    • Beyond testing the general privacy criteria, some clients may require further coverage based on industry requirements, including third-party review of a business’s compliance with the HIPAA 45 CFR 164.308-316 requirements.
  • Criteria established by an industry group
    • Many companies require a SOC 2 together with some combination of the other major standards, and there is significant overlap between them. These standards include, but are not limited to:
      • HITRUST Common Security Framework (CSF)
      • CSA Security Trust & Assurance Registry (CSA-STAR)
      • ISO-27001
      • NIST SP-800-53 R4
      • COSO
      • COBIT

The standards listed above have formal mappings to SOC 2 in place, available from the AICPA. These changes have the potential to reduce overall compliance costs and efforts. Headaches like multiple rounds of testing per year, contracting multiple firms to perform different audits, additional tracking of controls, and other nuances that come with multiple compliance efforts can be greatly reduced and addressed in one report (depending on your Customer’s requirements).


The one thing to keep in mind is that if this additional subject matter and criteria from outside standards are included within the SOC 2 report, the controls are required to be tested with the same level of detail and sampling methodology as the AT101/SOC 2 standard calls for. This means that if the audit is required to cover compliance with a statement of privacy practices, there is no spot checking in the SOC 2 Type II: it would be full sample testing, with the potential to span all patients depending upon the requirement, and the supporting evidence must be available to back it up.


If you are ready to find out more about how to begin your first SOC 2 report, need assistance enhancing your existing report, or would just like to ask a few questions, please contact us to speak with one of our qualified professionals.

SOC 2 is an auditing procedure that ensures your service providers securely manage your data

Copyright © 2018 HWNS LLC - All Rights Reserved.