SOC 2: AT 101 Services
Auditing Internal Controls: Type 1 and 2 SOC 2 Reports
A SOC 2 is best utilized when a company seeks to provide assurance of their controls to their clients that do not affect the clients’ internal controls over financial reporting.
The SOC 2 report is used as an attestation report, which opines on an assertion from management, of the service organization’s controls that may affect their user entities’ security, availability, processing integrity, confidentiality and/or privacy, and must be issued by an independent Certified Public Accounting (CPA) firm.
Our audit teams have experience performing SOC 2 examinations for a multitude of industries and service offerings including:
- Collocation & Managed Services
- Outsourced Information Technology Services
- Cloud Services
- Data Centers
- Internet Service Providers
- Web Hosting Providers
- Application Service Providers (ASP)
- Infrastructure as a Service (IAAS) Providers
- Health Care Practice Management
A-lign is able to provide SOC 2 examinations to companies outside the U.S. that do business with companies in the U.S.
Type 1 SOC 2 Examination
A type 1 SOC 2 examination is a report that evaluates the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of controls in meeting the applicable criteria of the AICPA Trust Service Principles.
Type 2 SOC 2 Examination
A Type 2 SOC 2 examination provides a report similar to a Type 1 SOC 2 report, but also includes:
- The service auditor’s opinion on the operating effectiveness of the controls in meeting the applicable criteria of the AICPA Trust Service Principles.
- A description of the service auditor’s tests of the operating effectiveness of the controls and the results of those tests.
The completion of a SOC 2 report means that your customers can view a report, completed by a third-party CPA firm, which reviews the description of your organization’s system, the suitability of the design of your controls, and provides an opinion from the auditor, on the fairness of the presentation of the aforementioned description and suitability of control design.
Receiving an unqualified SOC 2 report signifies the validity of your controls to your customers and potential customers, providing them with the necessary assurance needed to feel confident in your company’s processes.
Service organizations must select one or more of the following AICPA Trust Service Principles to be included in their SOC 2 report:
- Security (Common Criteria): This principle refers to the protection of the system from unauthorized access (both logical and physical).
- Availability: This principle refers to the accessibility to the system, products, or services as advertised or committed by contract, service-level, or other agreements.
- Processing Integrity: This principle refers to the completeness, accuracy, validity, timeliness, and authorization of system processing.
- Confidentiality: This principle refers to the system’s ability to protect the information designated as confidential, as committed or agreed.
- Privacy: This principle refers to personal information that is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles (GAPP) issued jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Each Trust Service Principle has defined criteria that comprise a framework to provide assurance on the integrity of the principle. Among the Trust Service Principles, there are Common Criteria that are applicable to the previously issued Security, Availability, Processing Integrity, and Confidentiality principles. The Common Criteria are included in and make up the entirety of the Security Trust Principle. Additional unique criteria are defined for Availability, Processing Integrity, and Confidentiality necessary to provide assurance on the integrity of each of the principles.
In addition to one or more of the AICPA Trust Services Principles, a SOC 2 report may also include criteria established by management, third parties, or other industry standards, such as ISO 27001, HIPAA, or PCI DSS. The criteria must meet the following basic characteristics:
Organizations may choose to use the criteria for SOC 3 engagements, their own privacy statement, or include compliance standards such as ISO 27002.
A detailed description of the trust service principles can be found here: AICPA’s Trust Service Principles.
A-lign can perform a SOC 2 examination that can comprise the following deliverables:
- Management’s assertion
- A-lign’s opinion on management’s assertion
- Management’s description of its system and criteria used
- A-lign’s tests of operating effectiveness and the results of those tests (Type 2 SOC 2 Reports only)
SOC 2 Criteria and Guidance Updates
The AICPA released the updated edition of the SOC 2 Trust Services Principles, Criteria, and Illustrations in February, 2014. The updated 2014 edition provides two overall significant changes, which include the following:
1) Eliminates redundancy in the Trust Services Principles (TSP) and related control criteria
2) Provides additional guidance regarding the risk assessment
The changes included the following:
A. Restructuring of the Trust Services Principles and Criteria: The Trust Services Principles and Criteria for Security, Availability, Processing Integrity, and Confidentiality were restructured into (1) one set of common criteria that are applicable to all four principles and (2) additional unique criteria applicable to the Availability, Processing integrity, and Confidentiality TSPs.
Note: The criteria related to the Privacy principle contained in the generally accepted privacy principles (GAPP) are being revised separately.
The restructuring of the TSP’s eliminates redundancy in the report between each of the Trust Principles. Previous to the change, each TSP would report on each of the criteria within each principle, regardless of redundancy of criteria between the principles. The revision established a set of Common Criteria for Security, Availability, Processing Integrity, and Confidentiality. These Common Criteria make up the entirety of the Security Trust Principle. Additional unique criteria are covered for Availability, Processing Integrity, and Confidentiality.
The Availability TSP will now include the Common Criteria (Security Trust Principle) as well as three additional criteria specific to Availability. The Processing Integrity TSP includes the Common Criteria and six additional criteria. Confidentiality now includes the Common Criteria and six additional criteria.
The 2009 edition of the SOC 2 Trust Service Principles divided each trust principle into four general areas:
All criteria for each principle were contained within one of these four areas.
With the updated 2014 edition, the common criteria are divided into seven general areas:
- Organization and management
- Risk management and implementation of controls
- Monitoring of controls
- Logical and physical access controls
- System operations
- Change management
While there are now seven general areas, the common criteria within those areas widely address the same criteria, risks, and controls as what was previously contained within the four general areas.
Much of the restructuring of the trust services principles and criteria will not have a large impact on the SOC 2 assessment. The more significant change relates to the risk assessment process, detailed below.
B. Risk Assessment: Additional guidance for the risk assessment and the linkage between the criteria, risks, and controls is provided.
As noted above, one of the general areas included in the updated 2014 edition is the “Risk Management and Implementation of Controls” area. Organizations are responsible for performing and periodically updating a risk assessment that specifically addresses risks related to each criterion contained within the Trust Principles being evaluated. Previously, Trust Principles required the entity to 1) identify potential threats that would impair the system commitments and 2) analyze the significance of the risks with the threats. Clients must now also 3) determine mitigation strategies for the identified risks.
A risk assessment that addresses risks related to each criterion and mapping the controls in place to mitigate the risks for each criterion will assist in creating the mitigating strategies. If current controls do not sufficiently mitigate the risks, additional controls should be evaluated to fully address any gaps between the identified risk and the controls.
Deadline for implementing changes
The adoption of the updated Trust Services Principles and Criteria will be effective for all SOC 2 assessments with reporting periods on or after December 15, 2014. However, early adoption of the updated principles and criteria is permitted.
Please call 1-888-702-5446 for further information, or contact us here.