Internal controls play a vital role in guaranteeing that an organization's operational, strategic, and compliance goals are met. As a result, many organizations that outsource processes and practices to service organizations now ask for evidence of the soundness and effectiveness of the service organization's internal controls. This has increased the need for service organizations to provide trust, assurance, and transparency over their controls.
In 1992, service organizations began using the Statement on Auditing Standards No. 70 (SAS 70) report to share an auditor's opinion on the effectiveness of their internal controls with their customers and the users of their services. Importantly, auditors could not provide an assessment of a company's compliance with the myriad of regulations and laws introduced to protect customer privacy and shareholder interests.
The introduction of Statement on Standards for Attestation Engagements No. 16 (SSAE 16) in 2010 was the first attempt to provide a more comprehensive and descriptive assessment of controls. Replacing SAS 70 with SSAE 16 also provided user companies with tools to assess the reliability of controls. A further revision in May 2017 (SSAE 18) has now clarified the standards, as well as simplified and streamlined the review process. SSAE 18 also recognizes the critical role of the IT professional in the company auditing process.
System and Organization Controls (SOC) audit reports are a series of comprehensive reports on the internal controls that organizations use to evaluate risks to their financial and operational data and to access to their systems. The information included in these reports is advantageous for nurturing trust, providing transparency, and giving users, both clients and their auditors, peace of mind.
To support its risk assessments, an organization may request a SOC report from an outsourced service organization. SOC reports assess and address the risks associated with a service organization, its services, and the systems used to provide those services to user organizations. Specific users of a SOC report may include those accountable for procurement and contract negotiation, vendor management, the independent auditors of user entities, and regulators.
Before we get started: SOC 2 and SOC 3 audits are American Institute of Certified Public Accountants (AICPA) standards. The AICPA Assurance Services Executive Committee (ASEC) has developed a set of criteria (the trust services criteria) to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems at an entity, a division, or an operating unit of an entity. In addition, the trust services criteria may be used when evaluating the design and operating effectiveness of controls relevant to the security, availability, processing integrity, confidentiality, or privacy of a particular type of information processed by one or more of an entity's systems, or of one or more systems used to support a particular function within the entity. The sections below summarize the trust services criteria.
As in any system of internal control, an entity faces risks that threaten its ability to meet the trust services criteria. Such risks arise because of factors such as the following:
Trust Service Categories
System and Organization Controls 2 Audit (SOC 2)
The SOC 2 audit is a detailed, restricted-use report. It gives shareholders a thorough understanding of the service organization, the service being provided, and the internal controls relating to that service. It also includes an auditor's opinion that helps shareholders evaluate their service organization, allowing them to maintain better oversight of the organizations they already do business with. The objectives in a SOC 2 engagement relate to the service organization meeting its commitments to customers and its system requirements. Commitments are the declarations made by management to customers regarding the performance of one or more of the entity's systems. Such commitments are generally included in written contracts, service level agreements, or public statements (for example, a privacy notice). Some commitments apply to all customers (baseline commitments), whereas others are designed to meet individual customer needs and result in the implementation of processes or controls in addition to those required to meet the baseline commitments. System requirements refer to how the system should function to meet the entity's commitments to customers, relevant laws and regulations, or the guidelines of industry groups such as trade or business associations.
Components of a SOC 2
System and Organization Controls 3 Audit (SOC 3)
The SOC 3 audit, on the other hand, is a general-use summary report that follows the same overall process as a SOC 2. It provides the highest level of certification and declaration of operational excellence that a data center can receive. This report consists only of an auditor's opinion, a management assertion, and a brief narrative providing background on the service organization.
It determines whether the service organization maintains effective controls over its systems and is typically intended for users who do not require a more thorough report, which would include a detailed description of the design of controls or of the tests performed by the service auditor.
Components of a SOC 3
SOC audits are beneficial to all companies in the service industries, which include, but are not limited to:
Let us partner with you to keep your organization and your clients assured of the integrity of your services.
Wilson Consulting Group (WCG) is a leader and innovator in the global cyber security industry. We provide assurance about your organization's controls and a collaborative and effective SOC engagement while performing a thorough assessment. Your organization benefits from this service by: