The purpose of a Service Organization Controls (SOC) engagement is to provide assurance that a service organization’s controls and processes are in line with the standards set by the AICPA (American Institute of Certified Public Accountants). A SOC 2 attestation is specific to service organizations whose services do not directly impact their users’ financial reporting. Companies that would qualify for a SOC 2 report include organizations in the information technology or data processing industry, such as hosting providers, Software-as-a-Service (SaaS) providers, or cloud service organizations.
A SOC 2 audit evaluates the quality of the organization’s security, availability, processing integrity, confidentiality and privacy controls in accordance with the Trust Services Principles (TSP Section 100) over a given time period. It is important to note that a service organization is not required to report on all principles. The AICPA describes the trust services principles as follows:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.
The process of a SOC 2 audit includes several duties that management has to complete along the way. These tasks include determining the type of engagement to be performed, drafting a description of the organization’s system, writing an assertion and representations, and providing the auditor with the necessary supporting documents. By identifying these steps up front, our audit team can develop a customized readiness plan to assist management in the preparation phase of the audit. A customized checklist details the timeline for completing the audit.
Oftentimes a SOC 2 report is requested by a user organization that is looking to partner with a potential service organization. The report is used to evaluate the risk to a user organization’s data and information that is hosted with the service organization. Additionally, a service organization may request a SOC 2 audit of itself for internal purposes, such as improving its controls and processes.
The benefits of a SOC 2 audit for an organization are numerous. Aside from providing a detailed description of a service organization’s adherence to the trust services principles, the report also includes the service auditor’s testing procedures. This allows management of a user organization to assess the strength of a potential provider’s controls at a detailed level.
A SOC 2 report can help an organization improve its business operations and become more efficient, and it provides assurance to companies when selecting vendors. The service auditor who performs the audit should have in-depth knowledge of information technology and security procedures. Auditwerx has performed hundreds of SOC 2 attestations for service organizations over the years. Our audit team recognizes the differences in reporting techniques for service organizations. Our exclusive focus on service organization audits has assisted numerous customers since 2005.
To learn how Auditwerx can improve your controls and procedures, contact us today.