Background
Internal controls play a vital role in ensuring that an organization's operational, strategic, and compliance goals are met. As a result, organizations that outsource processes to service organizations increasingly ask for evidence of the soundness and effectiveness of the service organization's internal controls. This has increased the need for service organizations to provide trust, assurance, and transparency over their controls.
Beginning in 1992, service organizations used the Statement on Auditing Standards No. 70 (SAS 70) report to communicate an auditor's opinion on the effectiveness of their internal controls to customers and other users of their services. Importantly, under SAS 70 auditors could not assess a company's compliance with the many regulations and laws that had been introduced to protect customer privacy and shareholder interests.
The introduction of Statement on Standards for Attestation Engagements No. 16 (SSAE 16) in 2010 was the first attempt to provide a more comprehensive and descriptive assessment of controls. Replacing SAS 70 with SSAE 16 also gave user companies tools to assess the reliability of those controls. A further revision, SSAE 18, effective May 2017, clarified the standards and simplified and streamlined the review process. SSAE 18 also recognizes the critical role of the IT professional in the company auditing process.
What is a SOC Audit?
System and Organization Controls (SOC) reports are independent auditor's reports on the internal controls a service organization uses to manage risks to the systems and data that support its services, including financial reporting, security, and operational access. The information in a SOC report helps to nurture trust, provide transparency, and give users, both clients and their auditors, peace of mind.
To support its own risk assessments, an organization may request a SOC report from an outsourced service organization. SOC reports assess and address the risks associated with a service organization, its services, and the systems used to provide those services. Specific users of a SOC report include those accountable for procurement and contract negotiation, vendor management, independent auditors of user entities, and regulators.
Which SOC Audit Services do you need?
Before we get started, note that SOC 2 and SOC 3 audits are performed under American Institute of Certified Public Accountants (AICPA) standards. The AICPA Assurance Services Executive Committee (ASEC) has developed a set of criteria, the trust services criteria, to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by those systems, at an entity, a division, or an operating unit of an entity. The trust services criteria may also be used when evaluating controls relevant to a particular type of information processed by one or more of an entity's systems, or one or more systems used to support a particular function within the entity. The categories below summarize those criteria.
As in any system of internal control, an entity faces risks that threaten its ability to meet the trust services criteria. Such risks arise because of factors such as the following:
- The nature of the entity's operations
- The environment in which it operates
- The types of information generated, used, or stored by the entity
- The types of commitments made to customers and other third parties
- Responsibilities entailed in operating and maintaining the entity's systems and processes
- The technologies, connection types, and delivery channels used by the entity
Trust Services Categories
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
- Availability: Information and systems are available for operation and use to meet the entity's objectives. Availability refers to the accessibility of information used by the entity's systems, as well as the products or services provided to its customers.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives. Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing.
- Confidentiality: Information designated as confidential is protected to meet the entity's objectives. Confidentiality addresses the entity's ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity's control, in accordance with management's objectives.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives. Although confidentiality applies to various types of sensitive information, privacy applies only to personal information.
System and Organization Controls 2 Audit (SOC 2)
The SOC 2 report is a detailed, restricted-use report. It gives its intended users (customers of the service organization and their auditors) a thorough understanding of the service organization, the service being provided, and the internal controls relating to that service. It also includes an auditor's opinion that helps users evaluate their service organization, allowing them to maintain better oversight of the organizations they already do business with. The objectives in a SOC 2 engagement relate to the service organization meeting its commitments to customers and its system requirements. Commitments are the declarations made by management to customers regarding the performance of one or more of the entity's systems. Such commitments generally are included in written contracts, service level agreements, or public statements (for example, a privacy notice). Some commitments apply to all customers (baseline commitments), whereas others are designed to meet individual customer needs and result in the implementation of processes or controls in addition to those required to meet the baseline commitments. System requirements refer to how the system should function to meet the entity's commitments to customers, relevant laws and regulations, or guidelines of industry groups, such as trade or business associations.
Components of a SOC 2
- Auditor's opinion
- Management's assertion
- Description of the system and its controls (narrative)
- Applicable Trust Services Criteria
- Description of the service auditor's tests of controls and their results
System and Organization Controls 3 Audit (SOC 3)
The SOC 3 report, on the other hand, is a general-use, summary report that follows the same overall examination process as a SOC 2. Because it is general-use, a service organization may distribute it freely, including publicly, to demonstrate that its controls were examined against the trust services criteria. This report consists of only an auditor's opinion, a management assertion, and a brief narrative providing background on the service organization.
It states whether the service organization maintained effective controls over its systems and is typically intended for users who do not require a more thorough report, such as a SOC 2, which includes a detailed description of the design of controls and of the tests performed by the service auditor.
Components of a SOC 3
- Auditor's opinion
- Management's assertion
- Brief narrative describing the service organization and its system
- Applicable Trust Services Criteria
SOC audits are beneficial to service organizations across industries, including, but not limited to:
- Banking / Financial Service Providers
- ACH Processors
- Insurance Companies
- Technology Service Providers (TSPs)
- Application Service Providers (ASPs)
- Cloud Hosting Service Providers
- Software-as-a-Service (SaaS)
- Payroll Providers
- Managed Service Providers
- Health Care Claims Processors
- Collection Companies
- Third-Party Administrators
- Data Centers
What Will You Gain from a SOC Audit?
- Better understanding of how risks are addressed in similar organizations in the same industry.
- Enhanced organizational reputation and an overall reduction in risk as a result of correcting the weaknesses and gaps identified in the report.
- Savings in time and money: a single SOC report can answer many customer audit and due-diligence requests, reducing the burden of repeated assessments and other non-core activities.
- Improved customer confidence in your organization's controls over the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy).
- Increased stakeholder confidence that the controls you have designed effectively mitigate risks.
- In an increasingly competitive environment, a SOC audit can strengthen your position in the market.
Let us partner with you to keep your organization and your clients assured of the integrity of your services.
Wilson Consulting Group (WCG) is a leader and innovator in the global cyber security industry. We provide assurance about your organization's controls through a collaborative, effective, and thorough SOC audit. Your organization benefits from this service by:
- Strengthening your brand by identifying and rectifying risks and gaps
- Helping you understand the health of the controlled environment within your organization
- Providing recommendations for improvement
- Inspiring confidence with your stakeholders and clients
Get Started Now