What is SOC 2?

Written By Ruth Romano

In this SOC 2 blog we’re hoping to dispel a few of the myths around the dark art of SOC 2 and provide some clarity on what SOC 2 is all about and what is involved in a SOC 2 audit.

Conducted against the AICPA Trust Services Criteria (TSC) a SOC 2 audit report provides a service organisation’s management, user entities and other interested parties (clients, for example) with assurance about the design and operational effectiveness of the controls that the service organisation has in place.

The Certified Public Accountant (CPA) reports on or attests to the accuracy of the service organisations system description and the suitability of the design and operational effectiveness of the controls.

The AICPA TSC is an independent, industry-recognised, third-party assurance standard that is used to audit service organisations, such as Cloud service providers, software providers and developers, web marketing companies and financial services organisations.

A SOC 2 audit can only be performed by an independent CPA or accountancy organisation. SOC auditors are regulated or licensed by the AICPA: they must adhere to specific professional standards established by the AICPA and are required to follow specific guidance related to planning, executing and supervising audit procedures. AICPA members are required to undergo a peer review to ensure their audits are conducted in accordance with generally accepted auditing standards.

SOC 2 Audit Reporting

The SOC 2 audit report provides user entities (client and other interested parties) with detailed information on the design and operating effectiveness of the service organisation’s controls. A SOC 2 report is not intended for general distribution.

A SOC 2 audit reports on controls at a Service Organisation relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, whichever is applicable to the organisation. The SOC 2 Type 1 audit report provides a detailed description of the controls the service organisation has in place and a SOC 2 Type 2 audit report also provides details of what tests the auditor has carried out on the controls and the results of these tests. 

The SOC 2 audit report includes a detailed summary of the organisations system or service description, which is effectively the scope of the audit. The system or service description is a detailed summary of the system or service that the Service Organisation is providing to their clients. 

Ultimately the TSC’s (formerly TSP’s) selected have to adequately address the risks to system or service that the service organisation is providing to their clients.

The audit report will also include a management assertion provided by the Service Organisations management, confirming that the system or service description and controls identified are an accurate representation of what the organisation has in place. 

In May 2018 the AICPA TSC controls were aligned with the 17 principles of the 2013 COSO framework.  

SOC 2 Audit Type 1 or Type 2

SOC 2 audits and reports fall into two types according to the length of observation and control testing involved:

A SOC 2 Type 1 is an audit and subsequent report carried out on a specified date or point in time and reports on management’s description of a service organisation’s system and the suitability of the design of controls.

A SOC 2 Type 2 is an audit and subsequent report carried out over a specified period of time, usually 12 months and a minimum of six months. Type 2 reports on management’s description of a service organisation’s system and the suitability of the design and operating effectiveness of controls and the reports of the tests carried out on the controls.

Some user organisations require their service providers to undergo a SOC 2 Type 2 audit for the greater level of assurance and reporting detail it provides. Many organisations begin with a Type 1 audit and then progress to a Type 2 audit. 

Romano Security Consulting SOC 2 Consultancy Services

Romano Security Consulting offer the following SOC 2 consultancy services: 

SOC 2 Readiness Assessment Service 

Our SOC 2 Readiness Assessment can help you achieve SOC 2 compliance by assessing your current level of compliance and providing you with a detailed report of any gaps identified. 

The SOC 2 Readiness Assessment covers the following areas:

  •  SOC audit scoping 

  •  Service/System Description review 

  • Applicability of the 5 TSC’s (Security, Confidentiality, Availability, Processing Integrity, Privacy)

  • Assessment against the selected TSC controls 

  • The output of the audit is a detailed audit report of the shortfalls identified during the assessment and a roadmap on how to achieve compliance. 

SOC 2 Remediation Service 

Once the shortfalls have been identified Romano Security Consulting can assist in remediating them.

We can assist clients in audit scoping, compiling or reviewing the system or service description, risk assessment, control selection, and defining control effectiveness measurements and metrics, reviewing compliance with the TSC controls, conducting pre audit assessments, audit facilitation etc.

SOC 2 Audit Service 

Romano Security Consulting have a partner who can provide an independent SOC 2 Type 1 or Type 2 audit service who are a registered CPA organisation. We can provide a full end to end SOC 2 service for our clients and also maintain our impartiality. SOC 2 audit quotes can be provided on request. 

For a bespoke quote tailored to your requirements please contact us.

T: 01625 315 021

E: enquiries@romanosecurityconsulting.com

Ruth Romano
Previous

Don’t Wait Until a Cyber Attack to Formulate an Incident Response Plan
Next

Invasion of the Techies