SOC readiness can be complex and confusing. Readi Consulting will manage the SOC readiness engagement and work with your management team to navigate SOC attestation standards, compliance frameworks, regulatory requirements, and user needs so that your company is fully prepared for a SOC attestation engagement.
What You Need To Know About SOC Readiness And SOC Reports
Companies (Service Organizations) that provide outsourced services or resources, and that may access, capture, process, store, or transmit customer (user) data, may need a SOC report because their users request one, because compliance reporting requires it, or because it differentiates the company in the marketplace.
AICPA guidelines place a strong emphasis on Service Organization management identifying user requirements and providing a SOC report that meets those users’ needs. It is critical, therefore, that a SOC readiness assessment be performed to properly identify user needs, document the internal control environment, and prepare for a successful SOC attestation engagement.
The type of SOC report a Service Organization requires depends largely on the services or resources provided to users, along with the specific user requirements. A SOC (System and Organization Controls) report addresses the integrity of a Service Organization’s control environment and the effectiveness of the controls within it. The end goal is to provide assurance to users of the report that:
- SOC 1® – Financial statement reporting assertions are met
- SOC 2® – The security, availability, confidentiality, processing integrity, and/or privacy of user data is achieved in accordance with requirements and commitments
SOC 1® reports are for Service Organizations that need to provide assurance to users regarding controls over the information they process that is relevant to the users’ internal control over financial reporting (ICFR).
Examples of industries that fall into this category include:
- Retail, Private, and Investment Banking
- Third-Party Administrators
- Mortgage, Loan, and Title Processing
- Tax Return Processing
- Financial Transaction Processing
- Revenue Cycle Management
- Supplier Payment Review
- Real Estate Accounting Management
SOC 2® reports are for Service Organizations whose controls affect the security, availability, processing integrity, confidentiality, or privacy of user data. These five categories are the AICPA Trust Services Criteria (TSC, formerly the Trust Services Principles). At a minimum, a SOC 2® report must address the security criteria (the common criteria); the other categories are included as the services provided and the user requirements dictate.
Examples of industries that fall within this category include:
- Cloud Hosting Services
- Data Centers
- Hosted Software Systems
- Managed Security
- Managed Infrastructure
- Accounting and Law Firms
- Advertising Agencies and Marketing Firms
- Call Centers
- Image Document Management
- P2P Procurement
- Healthcare Outsourcing Solutions
SOC Examiners (Auditors) provide an opinion on the Service Organization’s control environment for both a Type 1 and Type 2 SOC report. The difference between the two report types is:
- Type 1 • Opinion regarding the suitability of the design of internal controls as of a specific date.
- Type 2 • Opinion regarding the suitability of the design of the internal controls and the operating effectiveness of the internal controls over a period of time.
SOC 2® reports may be expanded to include other guidelines or compliance frameworks such as CSA, HIPAA, HITRUST, NIST, ISO, and FedRAMP; this expanded report is commonly referred to as a SOC 2 Plus (SOC 2+) report.
A System and Organization Controls 3 (SOC 3) report may be issued in conjunction with a SOC 2 report. A SOC 2 report addresses a service organization’s internal controls pertaining to the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and/or privacy, and it is a restricted-use report that may only be distributed to users who have the requisite knowledge to understand it. A SOC 3 report provides a high-level, general-use summary of the SOC 2 report and may be distributed to the public, with the option of displaying an AICPA SOC seal on the company’s website.
With the increasing reliance on the Internet, cloud applications, and outsourced services and resources, the frequency and impact of cyberattacks have risen sharply. Service Organizations need a cybersecurity risk program that addresses the identification of cyber risks, the controls in place to mitigate those identified risks, the procedures in place to respond to and recover from cyberattacks, and the processes in place to ensure that the cybersecurity risk program remains relevant in an ever-changing IT environment.
In 2017, the AICPA developed SOC for Cybersecurity, a framework used to report on an entity’s cybersecurity risk management program and the effectiveness of its controls to detect, mitigate, respond to, and recover from security events and breaches. SOC for Cybersecurity provides assurance to executive management, the board of directors, regulators, investors, and business partners that the company’s cyber risk program is being managed effectively. As with the SOC 2 Plus, SOC for Cybersecurity may also address other compliance frameworks.
Further information regarding SOC reports is available on the AICPA website: www.aicpa.org.
A SOC 1 or SOC 2 examination (audit) is neither a certification nor a compliance program. SOC examiners (CPA firms) perform an attestation engagement and provide an opinion on the design of a company’s internal controls (Type 1 SOC report) or on both their design and operating effectiveness (Type 2 SOC report), under the AICPA attestation standards, Statement on Standards for Attestation Engagements No. 18 (SSAE 18).
A certification is performed by a third party to determine whether a company’s processes are in accordance with a framework. The internal controls in a SOC 2 attestation examination may be mapped to the HITRUST Common Security Framework (CSF) used in healthcare, but a HITRUST certification may only be issued by HITRUST (the Health Information Trust Alliance).
Compliance refers to a set of guidelines that delineate what processes a company needs to maintain to be in accordance with specific regulations or legislation. Internal controls in a SOC 2 examination may also be mapped to a compliance framework, such as the HIPAA Security Rule, but as with the mapping to a certification framework, the SOC 2 remains an attestation engagement subject to AICPA guidelines; the mapping shows how the examined controls relate to the framework, it does not by itself establish compliance with it.