SOC 2 Audit FAQ - Part 2
In part 2 of our SOC 2 FAQ blog we cover the most frequently asked questions our clients ask Romano Security Consulting when we’re delivering SOC 2 audit consultancy.
What is a SOC 2 audit?
A SOC 2 audit or examination, is an examination of a service organisations system description and suitability of the design of the internal control framework and in the case of a type 2 audit, the auditor also tests the effectiveness of the controls.
What is a SOC 2 audit report?
A SOC 2 audit report is intended to provide report users (clients or customers) with an attestation from an independent auditor on the service organisations system or services relevant to the 5 TSC categories to enable such users to assess and address risks that arise from their relationship with the service organisation.
Who can carry out a SOC 2 audit?
A SOC 2 audit has to be carried out by a CPA audit firm who are registered with the AICPA.
Who are the AICPA and what do they do?
AICPA stands for American Institute of Certified Professional Accountants. The American Institute of CPAs is the world’s largest member association representing the accounting profession. The AICPA develops and publishes ethical standards. The Trust Services Criteria (TSC) were developed by the AICPA Assurance Services Executive Committee (ASEC). The AICPA is responsible for managing the CPA examination which is the qualification required for SOC 2 auditors.
What are the Trust Services Criteria?
The trust services criteria (TSP section 100) or TSC’s as they are commonly known are used by SOC auditors to evaluate the suitability of the design and operating effectiveness of controls relating to one or more of the TSC categories.
What are the 5 TSC categories?
Confidentiality, processing integrity, privacy, security and availability. We’ll look at these 5 TSC categories in depth in a future blog. There are an additional 27 sub criteria split across the 5 TSC categories.
What are points of focus?
The 300+ Points of focus are derived from the COSO 2013 framework and were added to each of the Trust Services Criteria. The points of focus are split across the 27 sub criteria and represent important characteristics of each of the criteria and can be used by the service organisations management as guidance for control design, selection and implementation, in a similar way that ISO 27002 can be used to help implement ISO 27001 Annex A controls.
Which TSC’s should I include in my SOC 2 audit?
The service organisations management should use their judgement and knowledge of the system and services they are providing to their clients in deciding which of the TSC are applicable to the organisation and most importantly do the selected criteria mitigate the risks to the service organisation and help the service organisation achieve their control objectives and organisational objectives.
Are any of the Trust Services Criteria mandatory?
Security (also known as common criteria) is the only mandatory TSC. Security refers to the protection of systems and information and is included to demonstrate that systems at a service organisation are protected against unauthorised access and other risks that could impact the service organisation’s ability to provide their services to their clients.
The common criteria are organised into the following 9 categories:
1. CC1 Control Environment
2. CC2 Communication and Information
3. CC3 Risk Assessment
4. CC4 Monitoring Activities
5. CC5 Control Activities
6. CC6 Logical and Physical Access Controls
7. CC7 System Operations
8. CC8 Change Management
9. CC9 Risk Mitigation
The common criteria are common to all 5 TSC categories and there are additional category specific criteria for the other 4 TSC categories - confidentiality, processing integrity, availability and privacy.
Where should I start with my SOC 2 audit reporting?
Many organisations begin their SOC 2 reporting with a SOC 2 Type 1 report (suitability and adequacy of the design of the controls) then progress to a more in depth SOC 2 Type 2 report (suitability and adequacy of the design and tests of the operational effectiveness of the controls).
What is the frequency of a SOC 2 audit?
Most organisations undergo SOC 2 audits on an annual basis or in the case of a SOC 2 type 2 audit the audit process is almost a continual cycle of auditing, in that the operational effectiveness of the service organisations controls are tested by the auditor at regular intervals throughout the yearly audit cycle.
Need Help With SOC 2?
Please click here to find out more about our SOC 2 consultancy services.