We’ve also provided a helpful list of the following topics associated with SOC 2 reporting to help you gain a greater understanding of the entire SOC 2 auditing process from beginning to end:
SOC 1 vs. SOC 2: There’s a “healthy” debate that always seems to surface when service organizations are deciding which assessment to undertake – SOC 1 (also known as SSAE 16) or SOC 2 – and it’s a good discussion to have. Just remember that SOC 1 reporting is for service organizations with a true relationship to the ICFR component, known as “Internal Controls over Financial Reporting”. SOC 2, however, is geared towards technology companies, such as SaaS vendors, data centers, and others.
Get to Know the TSPs: The TSPs are the “Trust Services Principles” – the five (5) criteria-based elements that form the basis for assessing and testing a service organization’s internal controls for purposes of SOC 2 reporting. Each is unique, and each contains specific criteria relating to a service organization’s ability to validate information security, operational, and infrastructure policies, procedures, and processes. Specifically, the five (5) TSPs are: (1) Security, (2) Availability, (3) Processing Integrity, (4) Confidentiality, and (5) Privacy.
Define the Business Process: What is the “business process”? It’s the actual services you provide that need to be examined for purposes of SOC 2 compliance. This ultimately raises the issue of “scope” – specifically, which products and services are, or should be, included within the boundaries of a SOC 2 Type 1 or SOC 2 Type 2 assessment? It’s a good question, so ask yourself the following:
• What are our client’s demands and expectations for SOC 2 reporting?
• What other market drivers are present that we need to be aware of?
• Are there any specific internal controls that we should be testing as a best practice for our company?
These questions – and others – help form the basis for determining the actual business process for SOC 2 audits for South Carolina businesses.
Know that Remediation is Essential: Service organizations will no doubt have some type of remediation to undertake – from developing additional policies to making system configuration changes, and more – so it’s important to plan accordingly for such activities. This means more operational man-hours will be needed to ensure all remediation activities are successfully completed.