SOC 2 Audit

What is SOC 2?

A SOC 2 audit assesses and reports on the internal control framework of a Service Organisation.

SOC stands for System and Organisation Controls (the AICPA's current name for what was originally called Service Organisation Control). It is an attestation reporting framework under which an independent auditor examines the controls a service organisation uses to protect the data it holds for its customers; it is not itself a prescriptive list of security controls.

The report provides a service organisation's management, user entities and other interested parties (clients, customers) with assurance about the system and organisation controls the service organisation has in place relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, and enables those users to assess and address the risks that arise from their relationship with the Service Organisation.

The CPA (Certified Public Accountant) reports on and attests to the accuracy of the service organisation's system description and the suitability of the design of its controls (SOC 2 Type 1), or the suitability of the design and the operating effectiveness of those controls over a period (SOC 2 Type 2).

The report includes a detailed system or service description covering an overview of the company, the boundaries and interfaces, the systems and services provided and the system components.

The report also includes a management assertion provided by the Service Organisation's senior management, confirming that the system description and the controls identified are an accurate representation of the controls the organisation actually has in place.

SOC 2 audits or reporting can only be performed by an independent CPA auditor or accountancy firm. SOC auditors are regulated by the AICPA (American Institute of Certified Public Accountants) and CPA auditors are bound by the AICPA Code of Professional Conduct. The auditor performs a SOC 2 examination in accordance with the SSAE 18 attestation standards, specifically AT-C section 105 (concepts common to all attestation engagements) and AT-C section 205 (examination engagements).

The report is not intended for general distribution, given the level of detail it contains and the sensitive and confidential nature of that information. It is normally shared with existing or prospective customers under NDA rather than published.

What are the 5 Trust Services Categories (TSC)?

The AICPA Trust Services Criteria

The AICPA Trust Services Criteria (TSC) are an independent, industry-recognised, third-party assurance standard used to audit service organisations such as cloud service and hosting providers, SaaS software providers and developers, web marketing companies and financial services organisations.

The TSC categories selected for an audit have to adequately address the risks to the system or service that the service organisation is providing to its clients.

There are 5 TSC categories: Security, Availability, Processing Integrity, Confidentiality and Privacy. These are broken down into individual criteria (the Security category alone contains 33 common criteria, CC1 to CC9, and the other four categories add their own) and 300+ points of focus. The points of focus describe the features that should be present in the design, implementation and operation of the controls addressing a particular criterion; they are guidance rather than requirements, so an organisation can meet a criterion without addressing every point of focus.

The 5 TSC categories are defined below:

1. Security or Common Criteria

Information and systems are protected against unauthorised access, unauthorised disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives. Security (the common criteria) is the only mandatory TSC category; the other four are included only where they are relevant to the service and to the commitments made to customers.

2. Availability

The system is available for operation and use as committed or agreed.

3. Processing Integrity

System processing is complete, valid, accurate, timely, and authorised.

4. Confidentiality

Information designated as confidential is protected according to policy or agreement.

5. Privacy

Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles issued by the AICPA.

In May 2018 the AICPA TSC were aligned with the 17 principles of the 2013 COSO Internal Control framework, which are grouped into the following five components:

  • Control Environment

  • Communication and Information

  • Risk Assessment

  • Monitoring Activities

  • Control Activities

These five components correspond, in that order, to the first five criteria sections (CC1 to CC5) of the security/common criteria.

What’s the difference between a SOC 2 Type 1 or Type 2 Audit?

SOC 2 audits and audit reports fall into two types, SOC 2 Type 1 and SOC 2 Type 2, according to the length of observation and the control testing involved:

A Type 1 audit and its report cover a specified date or point in time and report on management's description of the service organisation's system and the suitability of the design of its controls. A Type 1 report says nothing about whether the controls actually operated.

A Type 2 audit and its report cover a period of time defined by the service organisation. The review period is typically 12 months, but shorter periods are possible, and a six-month window is common for a first Type 2 report.

A Type 2 report covers management's description of the service organisation's system, the suitability of the design and the operating effectiveness of the controls, and the results of the tests the CPA auditor performed on those controls over the agreed period, including any exceptions found.

Some user organisations require their service providers (service organisations) to undergo a Type 2 audit for the greater level of assurance and reporting detail it provides. Many organisations begin with a Type 1 audit and then progress to a Type 2 audit.

What is included in a SOC 2 Audit Report?

The audit report includes:

  • The auditor's opinion letter;

  • The service organisation's management assertion;

  • The system or service description;

  • The trust services criteria categories selected for the audit;

  • A description of the service organisation's internal controls;

  • Details of the tests performed on the internal controls and the results of that testing.

What SOC 2 Consultancy Services do Romano Security Consulting provide?

SOC 2 Readiness Assessment (Gap Analysis)

Our SOC 2 Readiness Assessment or Gap Analysis helps you prepare for a SOC 2 report by assessing your organisation's current internal control environment and level of SOC 2 readiness against the AICPA TSC. We then provide you with a detailed report of the deficiencies and risks identified.

The Readiness Assessment covers the following areas:

  • SOC audit scoping, which determines the boundaries and interfaces, the specific systems and services to be audited, the risks, the timeframes and the type of SOC 2 audit

  • System description review, which examines the existing documentation available (e.g. policies and procedures, org charts, network and system diagrams) that would make up the system description

  • Applicability of the 5 TSC categories (Security, Confidentiality, Availability, Processing Integrity, Privacy), which determines which categories need to be in scope to address the identified risks

  • Control gap analysis against the selected TSC criteria, to highlight control deficiencies, risks and weaknesses

The output of the SOC 2 Readiness Assessment is a detailed report of the deficiencies identified during the assessment and a roadmap describing how to achieve alignment with the AICPA TSC and how to prepare for your SOC 2 audit.

SOC 2 Remediation

Once the internal control deficiencies have been identified, Romano Security Consulting can assist you in remediating them.

We can assist you with your SOC 2 remediation in the following areas:

  • Compiling or reviewing your system or service description, advising on the makeup of the system description and what should be included

  • Risk assessment and risk management

  • Producing security policies and procedures

  • Advice on suitable TSC control design and implementation

  • Security awareness training

  • Defining control effectiveness measurements and metrics

  • Testing control effectiveness

  • Evidence selection and gathering

  • Conducting a SOC 2 pre-audit or dry-run assessment

  • Audit facilitation, working with the CPA auditors to ensure your audit runs smoothly and you achieve your SOC 2 audit report

SOC 2 Audits and Reporting

Romano Security Consulting have a PCAOB-registered CPA SOC audit partner who can provide an independent SOC 2 Type 1 or Type 2 audit report. This lets us offer a full end-to-end SOC 2 consultancy service while preserving the independence of the audit: the readiness and remediation work is ours, and the examination and opinion are the audit partner's. SOC 2 audit quotes can be provided by our partner on request.

SOC 2 Case Study

Below is a SOC 2 audit case study compiled by Romano Security Consulting which describes the steps we undertook to help one of our clients achieve SOC 2 compliance and that all-important SOC 2 audit report. The case study describes the SOC 2 audit process and gives an insight into the consultancy work we have carried out on previous SOC 2 audit projects. We hope this case study is of interest to our prospective clients.

G-Cloud Approved SOC 2 Consultancy

Romano Security Consulting are approved to supply our SOC 2 consultancy services under the UK Government Crown Commercial Service G-Cloud 13 framework on the Digital Marketplace.

The Digital Marketplace is an online procurement service through which public sector organisations can procure services, resources and technology for digital projects quickly and cheaply.

The G-Cloud procurement process removes the need for a full tender process, because suppliers have already applied to and been approved by the Crown Commercial Service via the G-Cloud application process.

Please click on the button below to access our SOC 2 consultancy services on the Crown Commercial Service Digital Marketplace.

SOC 2 FAQ

Romano Security Consulting have a series of SOC 2 Audit FAQ posts on our blog page; please click on the button below to access them.

To speak to a SOC 2 expert or to request a SOC 2 consultancy quote tailored to your requirements, please contact us today.