What is a SOC 2 Audit?

  • Kerry Shackelford
  • May 19, 2017
  • 5 min read

The SOC 2 report is intended to meet the needs of a broad range of users who need information and assurance about controls at a service organization. (Note: As used here, a “service organization” is an entity to which services are outsourced.) SOC 2 reports are useful to service organizations when they need to demonstrate good business practices to customers and prospects.

The report is ideal for customers and prospects that need assurance about the security, availability or processing integrity of the system (services provided and supporting information systems) that the service organization uses to process their data. The report can also be used to provide assurance regarding the confidentiality or privacy of the information processed by these systems.

The SOC 2 report is distinguished from the SOC 1 report in that the SOC 2 is not meant to address the controls that a service organization implements to prevent or detect and correct errors or omissions in information it provides to user entities relevant to internal controls over financial reporting or “ICFR.” The SOC 1 covers ICFR and is discussed more fully at this blog entry (Link).

What Does “SOC” Stand For?

The term “SOC” was defined as “Service Organization Control” until the meaning of the term was changed by the AICPA in 2017. At that time, the AICPA introduced the term system and organization controls (SOC) to refer to the suite of services practitioners may provide in connection with system-level controls of a service organization and system or entity-level controls of other organizations. For example, under this new “SOC” name, the AICPA recently introduced the SOC for Cybersecurity, an examination performed by a CPA firm of an entity’s cybersecurity risk management program and related controls.

Service Organizations That May Need a SOC 2

The types of service organizations that may need a SOC 2 report include, among others, providers of:

  • IT managed services such as colocation, hosting, cloud and IT department outsourcing.

  • Application service providers or software-as-a-service (SaaS) providers.

  • Business process outsourcing providers, particularly when the service organization is in possession of confidential client data.

  • Credit and debit card payment processing services.

  • Health care business associates (third party service providers with access to the covered entity’s protected health information) that need to demonstrate good security or privacy practices.

  • Managed security services providers.

In brief, the SOC 2 is an ideal report for service organizations (outsourcers) to demonstrate to clients and prospects that they have implemented good practices in one or more of five domains: security, availability, processing integrity, confidentiality and privacy.

Trust Services Principles

The criteria for evaluating a service organization’s controls related to the aforementioned five domains are found in the AICPA’s TSP Section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (AICPA, Trust Services Principles and Criteria). The five domains include:

  • Security—The system is protected against unauthorized access, use or modification to meet the entity's commitments and system requirements.

  • Availability—The system is available for operation and use to meet the entity's commitments and system requirements.

  • Processing Integrity—System processing is complete, valid, accurate, timely and authorized to meet the entity's commitments and system requirements.

  • Confidentiality—Information designated as confidential is protected to meet the entity's commitments and system requirements.

  • Privacy—Personal information is collected, used, retained, disclosed and disposed of to meet the entity's commitments and system requirements.

In determining the scope of a SOC 2 engagement, the Security principle is required and the remaining principles are optional.

SOC 2 “Plus” is Permitted

Most SOC 2 engagements cover only the applicable trust service criteria; however, SOC 2 guidance permits the service organization and service auditor to cover additional criteria or additional subject matter. The SOC 2 guidance examples include adding the additional subject matter and criteria for:

  • U.S. HHS HIPAA requirements (i.e., Privacy, Security and/or Breach Notification rules—See Link) to the scope of a SOC 2 Security and/or Privacy engagement.

  • Industry group requirements related to the security of a system such as the Cloud Security Alliance’s Cloud Control Matrix (Link).

The Service Organization’s Responsibilities

In the event a SOC 2 report is needed, management of the service organization will need to engage an independent auditor (service auditor) who will assist them in completing a number of key tasks. These include, among others:

  • Defining the scope of the service auditor’s engagement, including the system and its boundaries and the trust services principle(s) that will be included.

  • Determining the type of engagement to be performed (a type 1 engagement is as of a point in time and a type 2 engagement covers a period of time).

  • Determining the period to be covered by the report (there is a 6-month minimum and 12 months is common) or, in the case of a type 1 report, the specified “as-of” date of the report.

  • Preparing the description of the service organization’s system and determining whether any subservice organizations will be included in or “carved out” of the description. (Note: A "subservice organization" is a vendor to the service organization that, generally, is relevant to the system or services provided and whose controls are relied upon to meet some portion of the applicable trust services criteria.)

  • Determining the appropriate controls that are needed to achieve the applicable trust services criteria.

  • Providing management’s written assertion regarding the fair presentation of the description of the system and the design and operating effectiveness of the controls to meet the applicable trust services criteria.

  • Providing management’s written representations regarding the written assertion and certain disclosures, among other things.

Many of the key tasks bulleted above are complex and potentially time-consuming. They are explained more fully in SOC 2 guidance.

SOC 2 Guidance

SOC 2 engagements must conform to the requirements of certain AICPA attestation standards and interpretations. Such audit guidance includes:

  • SSAE 18—Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, (AICPA, Professional Standards). SSAE 18 recodified all previous attestation standards and took effect on May 1, 2017.

  • SOC 2 Audit Guide—AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC 2®) (AICPA, Trust Information Integrity Task Force and Cloud Computing Working Group).

SSAE 18 generally impacts service auditors, not service organizations. The relevant sections of SSAE 18 include AT-C Section 105, Concepts Common to All Attestation Engagements and AT-C Section 205, Examination Engagements (AICPA, Professional Standards).

Structure of the SOC 2 Report

SOC 2 reports prepared by klsCPA are aligned to SOC 2 guidance and generally contain the following sections:

Optionally, the SOC 2 report can include an additional section entitled “Other Information Provided by the Service Organization.” The information provided in this optional section is not subjected to audit procedures. When a SOC 2 report contains this optional section, Section I – Report of Independent Auditors is modified to exclude the section from the scope.

Distribution of the SOC 2 Report

A SOC 2 report is a restricted distribution report. The report is intended for use by service organization management, user entities (your clients or customers) and prospects. The report should not be posted online nor should it be provided to others.

Please contact us if you have questions about SOC audits, HIPAA audits or related advisory services or wish to obtain a quote.
Copyright © 2017 by Kerry L. Shackelford CPA LLC