SOC 2 assessments are provided by NDNB, North America’s leading provider of SOC 2 assessments and other specialized compliance reporting services. Service organizations can opt for a SOC 2 Type 1 and/or a SOC 2 Type 2 assessment as part of the overall System and Organization Controls (SOC) reporting framework. A Type 1 report covers the design of controls at a point in time; a Type 2 report also tests whether those controls operated effectively over a review period (commonly six to twelve months). Additionally, we provide a complimentary SOC 2 Policy Packet to each of our clients to help them develop the policies and procedures needed in today’s demanding compliance environment.
As for SOC 2 assessments, here’s what you need to know when it comes to getting up to speed on one of the world’s most recognized third-party internal control assessments.
1. SOC 1 vs. SOC 2: Call it the heavyweight slugfest of compliance, but these two (2) reporting options always seem to be slugging it out to see which one is considered the premier third-party internal control auditing mechanism. While the SOC 1 SSAE 16 standard (since superseded by SSAE 18) quickly emerged in 2011 as the de facto replacement for the retired SAS 70 standard, SOC 2 was slower to catch on. That has changed dramatically: SOC 2 is now widely recognized as the leading audit framework for technology-driven service organizations.
You may hear one CPA firm telling you that an SSAE 18 SOC 1 is the audit to perform, while the very next call may be from another CPA firm stating that SOC 2 compliance is the better choice. Use sound judgment, understand your reporting requirements, and then pick the correct SOC audit. As a rule of thumb: if your services could affect your customers’ financial reporting (payroll, payment processing, claims processing), go with SOC 1; if you deliver technology services (hosting, SaaS, managed services) where customers care about security, availability, and confidentiality, go with SOC 2. Some firms conduct both a SOC 1 and a SOC 2 annually.
2. Scoping Parameters: There are five (5) Trust Services Criteria (TSC) categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. So which ones fall into scope for your organization? Good question, and the answer often comes down to client demands and expectations, along with marketing considerations for your business. Security (the “common criteria”) is part of every SOC 2 report; after that, it’s time to consider the relevance of the other four (4) categories. Only bring a category into scope if you actually operate controls that satisfy it, since an in-scope category you cannot support shows up as an exception in the report rather than as a selling point.
Also, remember to have in place a current asset inventory that lists all in-scope information systems: networking devices (i.e., firewalls, switches, routers, load balancers, etc.), servers, cloud instances, and other devices currently in use, along with their owners and the environment (production, staging) they belong to. Auditors request this list to select samples for testing, so it must match what is actually deployed; an inventory that omits systems the auditor later discovers is itself a control weakness. Documenting your I.T. systems is also simply a best practice. NDNB provides an asset inventory spreadsheet within the SOC 2 Policy Packet that’s given to each of our clients.
3. Remediation: One of the most demanding and time-consuming aspects of SOC 2 compliance is remediation: putting critical documentation in place, correcting internal control weaknesses and deficiencies, and completing other operational tasks. No company is perfect, so you can expect some degree of remediation; how much is determined by the maturity of your control environment. Some service organizations end up with a tremendous amount of work to do, while others have only marginal items to correct. Every business is different.
4. Documentation: We live in a world that continues to be barraged with compliance obligations, and it’s only going to increase, which means policies and procedures are now more important than ever. Businesses truly loathe developing policy documents, and understandably so, which is why NDNB offers a complimentary SOC 2 Policy Packet to our clients. The documentation is in-depth, easy to use, and saves considerable time and money on SOC 2 compliance. Keep in mind that a policy only counts if it is approved, in force, and actually followed; auditors test against what the policy says you do.
5. Operational Improvements: Correcting weaknesses in policy documentation, while incredibly important, is just one piece of the puzzle. You also have to put in place the processes and procedures those policies describe, which can be time-consuming. For example, firewall rule sets may need to be tightened to only the traffic the business requires, and servers may need to be hardened to a documented baseline, with the evidence (configurations, change tickets, review logs) retained for the auditor. These are just a few of the operational challenges businesses face with SOC 2 remediation.
6. Welcome to Regulatory Compliance: That’s right, “welcome”, though perhaps not the most appealing word for annual audits, to the compliance world we now live in. With growing cybersecurity threats continuing to target organizational assets, the rise in compliance audits, particularly SOC 2 assessments, is much more than a coincidence. And with today’s ever-increasing reliance on information technology for a wide variety of basic necessities, many of them provided by private sector companies, SOC 2 audits are becoming a practical requirement for such businesses: not mandated by law, but demanded contractually by the customers and partners who rely on them.
Important elements to know about regarding SOC 2 assessments consist of the following:
SOC 2 audit reporting is a critical component of the AICPA System and Organization Controls (SOC) reporting framework.
Organizations can opt for a SOC 2 Type 1 or a SOC 2 Type 2 assessment.
SOC 2 reports differ from SOC 1 reports in scope (the Trust Services Criteria rather than controls relevant to financial reporting) and in intended audience.
SOC 2 assessments are geared towards many of today’s technology-oriented companies.