SOC 2® – System and Organization Controls (SOC) for Service Organizations: Trust Services Criteria
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
The SOC 2® categories and related criteria named above were developed by the AICPA and form the foundation of the Trust Services framework as set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services).
These reports are prepared in accordance with Statement on Standards for Attestation Engagements No. 18 (SSAE 18), AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements.
If your company (the ‘Service Organization’) seeks to provide a customer (the ‘User Organization’) and other relevant parties with assurance about controls relevant to security, availability, processing integrity, confidentiality and/or privacy (Trust Services Categories) that do not affect your customers’ internal controls over financial reporting, a SOC 2® report is the logical choice for examining your company.
These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
Management of your company specifies the Trust Services Criteria to be reviewed for the purposes of the examination. Whether it is a ‘Type 1’ or ‘Type 2’ examination, the resulting report is similar to a SOC 1® report. Unlike the SOC 1®, however, the primary users of SOC 2® reports generally are not User Auditors (your customer’s financial auditors) but rather management of the Service Organization and management of the User Organizations. SOC 2® reports are intended to assist management of the User Organizations in carrying out their responsibility for monitoring the services provided by a Service Organization. For example, controls at a Service Organization that provides Internet-based storage for a User Organization backing up proprietary information and trade secrets are unlikely to be of significance to the User Organization’s financial statement auditor. However, management, internal auditors or practitioners of the User Organization who are responsible for managing or reporting on controls may be particularly concerned about the security and confidentiality of the backed-up information.
The AICPA Auditing Standards Board replaced Statement on Auditing Standards No. 70 (SAS 70) by issuing Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization, which was in turn superseded by SSAE 18, AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. Under the replacement standard, SSAE 18, AT-C Section 320 is limited to Service Organizations that perform outsourced services relevant to another company’s internal controls over financial reporting. Many organizations that were subject to SAS 70, but whose controls are not likely to affect their customers’ internal controls over financial reporting, are turning to a SOC 2® report to meet their contractual obligations. This allows the Service Organization to demonstrate its controls to its customers through a detailed report.
For more information, speak to a Service Auditor at Roosa CPA, LLC: (877) 410-8516
Scopes of Reports
The SOC 2® report is an attestation/examination for organizations that collect, process, transmit, store, organize, maintain or dispose of non-financial information for other entities. There are two different “Types” of examinations that can be conducted under the SOC 2® standard. The specifics of these examinations/reports are as follows:
Type 1 Report
- Internal controls report that examines management’s description of the system to determine if the presentation of the system fairly represents the design and implementation of the Service Organization’s system as of the specified date.
- The control objectives stated in management’s description of the system were suitably designed to achieve the selected trust services criteria as of the specified date.
- Given the change in the standard and criteria by which the Service Organization will be measured going forward (the Trust Services Criteria), the Type 1 report is the best approach for a company to acclimate to the new rules, even if it has previously been examined under the SAS 70 standard; this type of examination enables the Service Organization to define its system of controls and confirm that those controls were implemented as of the specified date. There is no requirement for a Service Organization to graduate from a Type 1 report to a Type 2 report; the Service Organization can obtain a Type 1 report year after year. The frequency and type of report are driven by the needs of your customers.
Type 2 Report
- Internal controls report that examines management’s description of the system to determine if the presentation of the system fairly represents the design and implementation of the Service Organization’s system throughout the specified period.
- The control objectives stated in management’s description of the system were suitably designed to achieve the selected trust services criteria throughout the specified period.
- The control objectives stated in management’s description of the system operated effectively throughout the specified period to achieve the selected trust services criteria.
- When the control objectives stated in management’s description of the system address the privacy category, the service auditor will express an opinion that covers the privacy category throughout the specified period.
- Most Service Organizations obtain a SOC 2® Type 2 report annually, but the specified period that is examined is usually only the last six months. The frequency and type of report are driven by the needs of your customers.
Areas of Examination
The Trust Services Criteria and their related categories were developed by the AICPA and are used by CPA practitioners in the performance of SOC 2® engagements.
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, timely and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the organization’s privacy notice and with the privacy criteria issued by the AICPA.
The Trust Services Criteria and related categories of Security, Availability, Processing Integrity and Confidentiality are organized in four broad areas:
- Policies – The organization has defined and documented its policies relevant to the particular category.
- Communications – The organization has communicated its defined policies to responsible parties and authorized users of the system.
- Procedures – The organization has placed in operation procedures to achieve its objectives in accordance with its defined policies.
- Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.
Time and Expense
Not every SOC 2® attestation examination has the same requirements. The scope varies from company to company depending on the type of services performed for customers and the trust services criteria selected for examination. We have years of experience working with just about every industry and work with our clients to ensure that we cover the appropriate scope so that your customers’ needs are satisfied.
- A typical first-year SOC 2® examination requires 3 to 5 weeks of resources to complete; during that time we will be onsite for one week to conduct the site visit.
- During the examination process, you will have a dedicated Compliance Specialist available to answer questions and the owner is involved throughout the process.
- Call a Compliance Specialist at Roosa CPA, LLC (877) 410-8516 today for a free quote.