For many service organizations, the ability to show that their systems are secure is essential, if not required through their supply chain, contracts, or regulations. There are a variety of ways (reports) that organizations can show compliance or their security posture. One of the most common is through a SOC 2 attestation report. In this article, we’ll define SOC 2, discuss what the purpose of it is, how it’s used in business today, and provide a few tips on how to get started on the path for a successful SOC 2 report.
SOC 2 is a report on a service organization’s controls relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. SOC 2 reports are intended to inform users of detailed information and assurance about the controls at the service organization. These reports are provided by qualified CPAs, who form an opinion about the service organization’s system and the control environment.
First and foremost, SOC 2 is a report, and therefore you should think of it as a reporting framework, rather than the common misconception of it as a compliance framework. Think about it this way: SOC 2 is a way for a service organization to show its customers (through a system description) how it meets certain criteria prescribed by the AICPA that are relevant to the in-scope categories (security, availability, etc.).
The auditor’s job is to verify the information in the description provided by the service organization, as well as identify the specific controls from the description that meet the criteria. In the case of a type 2 report (period of time), the auditor will also determine if those controls operate effectively during that period of time. More on the differences between report “types” in this post.
Let’s use the security category as an example. The system description will describe the service organization’s system in accordance with certain AICPA-defined criteria. One of those criteria is the control environment of the organization, which, at a high level, will describe the security controls the organization has related to things like onboarding, risk management, system operations, change management, logical access, etc.
Those controls will then be shown in more detail in another section of the report (typically “section 4”) according to how they meet each of the criteria related to the security category (for example, logical access criteria will have all of the controls related to logical access under it). In the case of a type 2 report, section 4 will also include the auditor’s testing of those controls as well as the results of tests over a period of time.
Depending on whether the controls are designed appropriately to meet the prescribed criteria, as well as (in type 2) whether those controls operated effectively, the auditor then forms an opinion for the report on that design and operating effectiveness.
The report itself is provided by the service organization to its customers so that those customers can have comfort in knowing that the system and its controls are designed appropriately and operating as described.
SOC 2 reports are becoming more prevalent in the market, and more companies are asking for them in order to meet contractual obligations, supply chain management requirements, due diligence, or other requirements. For the service organization, the report becomes not just a means to deliver on these obligations, but also a way of showcasing your security posture, as well as improving it by making sure your controls will operate properly.
Don’t just take our word for it. According to the AICPA:
“These reports can play an important role in:
Oversight of the organization
Vendor management programs
Internal corporate governance and risk management processes
And because SOC 2 is more of a reporting framework as opposed to a compliance framework, it allows for more flexibility in how you can report on how you meet criteria, whereas in other frameworks, you’re just showing yes or no when determining if you meet their requirements.
With the involvement of CPAs, SOC 2 has the element of trust, as CPAs are held to a high standard of quality and integrity in how they produce opinions and reports. You can be assured that a qualified, highly skilled CPA will not only make sure the appropriate person(s) are testing your environment but that the report itself is structured to meet all the AICPA requirements.
To see how SOC 2 is relevant for service organizations, look no further than the biggest cloud service providers. Microsoft, AWS, and Google Cloud all have SOC 2 for their offerings. The links below will bring you to their landing pages for their SOC 2 reports, but to obtain a copy, you will have to request it from your representative or through their respective sites.
NOTE – SOC 2 is not limited to cloud service providers, but can be applied to many different types of organizations.
Remember that SOC 2 is a reporting framework. As a service organization, you are showing (reporting) what you have in place to meet certain criteria, and a CPA is reporting on if what you have is adequate and operating effectively.
Always use a qualified, peer-reviewed CPA firm to assist with SOC 2 efforts. You can verify a CPA firm’s peer review status through its home state’s board of accountancy or through the AICPA. Make sure they understand IT auditing and SOC 2!
Get to know the description criteria and (for your organization) relevant trust service category criteria as you are pursuing SOC 2. Understanding the criteria for both before you start will help with readiness assessments and overall development of your control environment.
This blog post was intended to provide you with a basic understanding of SOC 2. There is a lot more nuance and detail that goes into determining what your SOC 2 path will be and what needs to be included in (or excluded from) your report. Be sure to look at ByteChek’s other SOC resources to answer your other questions, boost your understanding of SOC 2, and help you determine what is going to make the most sense for your organization.