Let’s start with what a System and Organization Controls 2 (SOC 2) examination is NOT. It is NOT a compliance certification: an organization can NOT be SOC 2 “certified”. This is one of the most common misconceptions about SOC 2 reports.
A SOC 2 examination IS an attestation engagement governed by the American Institute of Certified Public Accountants (AICPA). It exists to provide assurance over the specific risks a service provider poses to its customers, not to certify the provider against a fixed standard. In a SOC 2, management of the service provider asserts that its system and organizational controls are suitably designed and operating effectively to mitigate the risks to achieving the organization’s principal service commitments and system requirements. A Certified Public Accountant then performs audit procedures and issues an opinion on whether management has designed controls that mitigate its risks to customers and, for a Type 2 report, whether those controls operated effectively over the review period.
In simpler terms, a SOC 2 report tells a customer that controls are in place and operating effectively to provide reasonable assurance that the organization is living up to its legal and regulatory requirements, contractual requirements, and service commitments.
The benefit of an attestation engagement, as opposed to a compliance certification, is that the organization issuing a SOC 2 report defines the scope (boundaries) of the system and services being reported on rather than aligning with an inflexible list of requirements. For instance, an organization may manage and provide multiple applications to customers, yet the SOC 2 report may need to cover only one of them, because that application supports a specific industry with sensitive data or high availability requirements. In addition, SOC 2 prescribes no minimum or maximum number of controls; the breadth and depth of the control set depend on the specific risks the organization poses to its customers. This lets the organization define its own scope and produce a more customized, applicable, and effective report for its customers’ needs.
SOC 2 is based on the Trust Services Criteria issued by the AICPA. The Trust Services Criteria are broken down into five categories: Security, Availability, Confidentiality, Processing Integrity, and Privacy. The criteria in the Security category are known as the Common Criteria because they apply to every one of the five categories, and Security is the only category required in a SOC 2 report. Whether to include the other categories depends on the services you provide and what your customers are concerned with.
Preparing for and completing a SOC 2 examination can be a daunting and stressful experience. The requirements are broad and complex, and the scope must be appropriate for the customer’s needs. To help you understand the process, here is a SOC 2 checklist of things an organization should consider when preparing for a SOC 2.
1. Determine your SOC 2 report scope
2. Select your Trust Services Criteria – this is driven by the scope of the SOC 2 report
3. Perform a readiness assessment – this can be done internally or with the help of a trusted expert such as a provider like Asureti
4. Remediate any control or documentation gaps identified
5. Perform implementation and operational testing of the remediated gaps once you have confirmed that the new controls or documentation are in place
6. Select a quality CPA firm to conduct the examination