SOC 2 compliance is quickly becoming a very hot topic in today’s world of regulatory compliance, particularly for cloud computing vendors – SaaS, PaaS, and IaaS – and other technology businesses. It’s therefore highly important that service organizations take note of these nine (9) important items regarding this specific Service Organization Control (SOC) reporting framework.
1. SOC 2 compliance is part of the AICPA Service Organization Control (SOC) reporting platform. In an effort to reflect a trend towards globally accepted accounting principles, the American Institute of Certified Public Accountants (AICPA) launched the SOC reporting platform, for which there are three (3) reporting options: SOC 1, SOC 2, and SOC 3. The intent of this shift is to dramatically revamp reporting on controls at service organizations. Say goodbye to the historical, one-size-fits-all auditing standard known as SAS 70, and hello to SSAE 16 SOC 1, AT 101 SOC 2 and SOC 3. With three different reporting options – each unique in its own right – service organizations now have the ability to pick and choose from a platform that truly meets their reporting needs and their clients’ expectations.
3. SOC 2 compliance is conducted in accordance with AT 101. AT 101 is a less-known professional standard that has now been given the spotlight, thanks in part to the requirement that SOC 2 reports utilize this "attestation standard" for purposes of reporting.
4. Understand the differences between SOC 1, SOC 2 and SOC 3. SOC 1 compliance is generally intended for service organizations that have a nexus with the concept of ICFR, which stands for Internal Control over Financial Reporting. Meanwhile, SOC 2 compliance is designed for the growing number of technology and cloud computing entities that are becoming very common in the world of service organizations. SOC 3, much like SOC 2, utilizes the five (5) Trust Services Principles (TSP) as the general framework for conducting this type of engagement (SysTrust | WebTrust). And while SOC 2 permits reporting on any number of the TSPs, SOC 3 requires that all five (5) TSPs be included for issuing a report.
The five (5) TSPs are the following:
• Security: The system is protected, both logically and physically, against unauthorized access.
• Availability: The system is available for operation and use as committed or agreed to.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
• Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
5. SOC 2 requires a written statement of assertion and a description of one's "system". The written statement of assertion must be provided by management of the service organization, along with a description of one's "system". While the historical SAS 70 auditing standard required a description of “controls”, an organization’s description of its "system" for SOC 2 compliance (and SOC 1) is considered to be more comprehensive.
6. SOC 2 compliance is gaining traction for technology-based service organizations. After the implementation of the SOC framework, SOC 2 was generally overshadowed by SOC 1. However, as more technology and cloud computing companies begin to realize the value of SOC 2, this is certain to shift. In the future, expect many non-ICFR type service organizations to seek SOC 2 compliance reports. Interestingly, a number of service organizations are opting for both SOC 1 and SOC 2 compliance. From data centers to cloud computing – and more – any company exhibiting a true relationship with technology is going the SOC 2 route, so keep this in mind.
8. Understand that Remediation is a Must. Correcting operational deficiencies prior to the audit – such as developing missing policies and procedures, correcting process-based activities, and more – is a highly essential component of audit remediation. In fact, developing documentation is often the most time-consuming and challenging aspect of regulatory compliance, no question about it. What differentiates NDB from other providers is our ability to offer clients a SOC 1 or SOC 2 Policy Packet containing dozens of much-needed information security policies and procedures templates for helping ensure rapid and complete SOC 1 and/or SOC 2 compliance. Such operational weaknesses that must be corrected before the audit also include technical/security issues, such as weak provisioning guidelines and procedures for systems, deficient password complexity rules and access control measures, and much more. Much like remediating policies and procedures, technical/security remediation efforts can take time, which is why you’ll need guidance from experts, such as the regulatory compliance auditors at NDB.
9. We're the SOC 2 Experts. Whatever your SOC 1 and SOC 2 reporting needs are, we can assist, offering a wide spectrum of services and solutions, from scoping & readiness assessments to policy and procedure writing, remediation services, and much more. Talk to the experts today at NDB. We’ve been the unquestioned leaders in providing SOC 1 and SOC 2 audits and assessments for businesses all throughout North America, offering fixed fee pricing and superior audit services, along with a laundry list of complimentary tools for helping ensure audit success. Time is money – a concept we truly grasp at NDB – so when it comes to audit efficiencies and high-quality reports, trust the CPAs at NDB.