In the third part of our Trust Service Principles blog series, we will be reviewing what Availability actually means in the context of a Service Organization Controls (SOC) audit. Availability is generally described as the state of being able or open to perform a task or duty. However, when the AICPA refers to Availability, they are referring to a more specific definition of the term.
Availability is defined by the AICPA as “the system is available for operations and use as committed or agreed”. This can be interpreted as ensuring that your network performs at the level that was communicated to your customers, most commonly in a service level agreement. An example is ensuring that your ecommerce website processes customers’ orders correctly. The availability principle does not address system functionality or usability. Instead, it refers to whether or not the system is accessible for processing, monitoring, and maintenance.
During a SOC 2 engagement covering the availability principle, the service auditor is responsible for evaluating the ability of your network to perform as described, along with the written documentation for systems development and acquisition. This includes procedures for identifying, documenting, and modifying authorized users of the system.
The responsibility of your service organization includes tasks like classifying your data based on sensitivity and importance, along with proper written documentation and description of your system’s boundaries. Your organization is also responsible for preventing unauthorized access by users, assigning responsibility to employees for system availability, and assessing risks on a periodic basis. Risk assessment evaluation covers both physical and environmental threats, such as fire, flood, power failure, excessive heat, and other threats. Part of the risk assessment involves maintaining and testing any safeguards in place. An example of this is a procedure documenting the steps and communication required in the event of a data breach. Along with the actions above, written procedures for backup, offsite storage, data restoration, and disaster recovery are all vital to determining the risk level for a system’s availability.
Preparation is key to successfully navigating the SOC audit process. As you prepare your organization for the audit, there are a few recommended actions you can implement to help ensure the process goes smoothly. Your customer service team should be monitoring customer complaints and relaying customer feedback on improvements to the system, along with periodically reviewing current policies and procedures. Your IT staff should be monitoring your system 24 hours a day, 7 days a week. Your organization should have the ability to review your network performance, availability, and security statistics and provide these reports to your IT staff. And of course, ensure that your IT staff meets regularly to discuss the system’s performance and the implementation of new procedures to improve the system.
Auditwerx’ team of experienced IT auditors has developed a report checklist with suggested steps to take before, during, and after your internal audit. We are committed to providing our customers with the highest quality reports and recommendations to keep you on track. Contact us to speak with an auditor about your audit needs today.