1. Learn about the AICPA System and Organization Controls (SOC) framework. In an effort to radically reshape reporting requirements for today's complex and ever-changing service organization landscape, the American Institute of Certified Public Accountants (AICPA) developed the all-new Service Organization Control (SOC) framework in 2011. This framework allows for the issuance of three different types of reports: SOC 1, SOC 2, and SOC 3. While SOC 1 reports employ the SSAE 16 (and now SSAE 18) professional standard for reporting on controls, SOC 2 and SOC 3 reports, which are highly conducive assessment frameworks for technology businesses, utilize the Trust Services Principles & Criteria (TSP) in accordance with the AT 101 professional standard. For years, the SAS 70 standard was the one-size-fits-all auditing standard for service organizations, but it was largely misused and antiquated, forcing the AICPA to make big changes, changes that were ultimately necessary.
2. Gain a Strong Understanding of the Trust Services Principles & Criteria (TSP) framework. Unlike the now thankfully replaced SAS 70 auditing standard or even the current SSAE 16 attestation standard (and now, SSAE 18) which replaced it, the framework for a SOC 2 report is "criteria" based, whereby a practitioner is engaged to examine and report on a service organization's controls over one or more of the following five (5) Trust Services Principles & Criteria (TSP):
The security of a service organization's system.
The availability of a service organization's system.
The processing integrity of a service organization's system.
The confidentiality of the information that the service organization's system processes or maintains for user entities.
The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
From a scope perspective, there is discretion as to which, and how many, of the TSPs are examined and reported on during a SOC 2 engagement. Therefore, it's important to speak with a qualified CPA firm to truly understand and assess the scope of your SOC 2 report and which of the TSPs need to be included. While the "Security" TSP is generally seen as the most widely used and recognized of the TSPs, whether the remaining four (4) are included comes down to a number of factors, such as client requirements.
Remember that all five (5) of the TSPs will require extensive documentation (information security policies and procedures) to become SOC 2 compliant, which is why businesses turn to NDB: we offer all clients our SOC 2 Policy Packet containing dozens of essential policies, forms, and templates to assist with SOC 2 compliance. With that said, it's critical to remember the profound importance of having documented policies and procedures in place for the audit. After all, auditors will request them, as they form an important component of one's internal controls.
3. Order the SOC 2 Audit Guide from the AICPA. The AICPA does a commendable job of putting forth comprehensive and detailed publications regarding each of the new standards and pronouncements that it releases. Just as the SSAE 18 attestation standard has newly printed material available for purchase, so does the SOC 2 reporting framework. Interested parties can purchase the AICPA audit guide, titled "Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy (SOC 2)".
Service organizations will find a wealth of invaluable information to help them better plan, assess, and ultimately scope a SOC 2 engagement. This publication is available for purchase from cpa2biz.com. Word to the wise: it is rather technical, full of terms and phrases you may not be very familiar with, so just pick up the phone and call CPA Christopher Nickell today at 1-800-277-5415, ext. 706. Chris will take the time to discuss your SOC 2 needs and the essential scoping issues, while also providing you with details on NDB's SOC 2 process from beginning to end.
View Part II and Part III of the SOC 2 Reporting Framework Essentials White Paper.