4. Learn about AT Section 101. If you are a service organization seeking SOC 2 compliance, take note of the following technical aspects of AT Section 101. In short, AT 101 is the AICPA professional attestation standard used for reporting on subject matters other than internal control over financial reporting. (Note that AT 101 has since been superseded by SSAE 18, which recodified the attestation standards as the AT-C sections; SOC 2 examinations are now performed under AT-C sections 105 and 205, but the substance described here carries over.)
Additionally, any practitioner performing an engagement in accordance with AT 101 must adhere to five (5) general standards of audit professionalism. In short, these require the practitioner to be independent, to be competent in the subject matter, to exercise due professional care, and to perform the assessment and report on the findings.
5. Understand the differences between SOC 1 and SOC 2. There are numerous differences between SOC 1 and SOC 2; here are a few of the more notable points you need to know regarding SOC 1 vs. SOC 2.
- SOC 1 reporting uses the SSAE 18 professional standard.
- SOC 2 reporting uses the AT 101 professional standard and takes the Trust Services Criteria, including the "common criteria" that apply to every SOC 2 report, as its audit basis.
- SOC 1 is intended for reporting on controls relating to Internal Control over Financial Reporting (ICFR).
- SOC 2 is intended for reporting on non-financial controls, such as the security, availability, processing integrity, confidentiality and privacy controls at the growing number of technology companies.
More and more businesses are shifting to SOC 2. Why? Because technology now permeates every industry, and the SOC 2 assessment process has become the best avenue for reporting on technology controls at service organizations. SSAE 18 SOC 1 is still a viable assessment platform, and it has its rightful place, but it is the wrong fit for technology companies whose relevant controls have nothing to do with their customers' financial reporting. Yes, we still see data centers and other businesses undergoing SSAE 18 SOC 1 compliance, but it is not the ideal choice.
In establishing the SOC framework, the AICPA took into account a number of pressing factors. The outdated nature of the SAS 70 auditing standard, as well as the need to align with international attestation standards, were both taken into account. When paired with the rapidly growing number of technology and cloud computing based service organizations, a shift towards a more suitable reporting platform was necessary. SOC 2 is on the move, in a good way, growing steadily in recognition and use, as everyone from data centers to cloud providers now performs annual SOC 2 audits.
6. Develop a description of the "system". A core requirement of SOC reporting is the description of one's "system", which is a comprehensive narrative that describes the following:
"the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities." The description of the system can take some time to develop, but in practice a large amount of the documentation is developed collaboratively by the service organization and the CPA firm performing the audit, so keep this in mind.
View Part I and Part III of the SOC 2 Reporting Framework Essentials White Paper.