We often get questions about the Service Organization Controls (SOC) 2 report and the principles that structure the report. In this blog series, we will look at each principle individually and thoroughly in an effort to paint a clear picture of each of the principles in a SOC 2 report.
The AICPA defines the Trust Service Principles as “a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs.”
There are five principles that service organizations can include in their SOC 2 and SOC 3 reports: Security, Availability, Processing Integrity, Confidentiality, and Privacy. These principles ensure that the data and network of a service organization are protected and accurate. Having a secure network is vital to a service organization’s operations. But what does security actually entail, and why is it critical for your service business to ensure you are compliant?
Security could be considered the foundation of the SOC 2 report. Security is defined as the protection of a service organization’s system from unauthorized access, use, or modification, covering both logical and physical threats to the system. Logical security refers to the safeguards on a system, including user identification, password protection, access rights, and authority levels. Physical threats such as theft, vandalism, terrorism, and natural disasters are also evaluated in order to determine the level of risk to the system. It is the service organization’s responsibility to identify and document the policies, procedures, and controls in place for the audit.
The auditor conducting the audit will review the level of risk associated with the system. The auditor is responsible for evaluating the written procedures and documentation, current or new applications, infrastructure, and environmental risks associated with a service business’s system, and for determining whether or not the service organization is operating in accordance with its own policies.
Limiting access to the system helps to prevent abuse of the system and possible theft. However, it is also important to allow authorized users access so that the system can be used properly and updated periodically. A typical example of allowing authorized access is seen in ecommerce websites. Occasionally, an administrator will have to change a customer’s order. Having proper documentation of user access levels ensures that only the appropriate users are able to edit customer data.
Are you new to the SOC reporting process? Auditwerx isn’t. Our standard checklists combined with our unique “hands on” preparation or readiness method limit your guesswork and help you to efficiently prepare for the SOC 2 reporting process.
Before starting the reporting process, consider reviewing your policies and procedures and ensuring that only the most up-to-date procedures are documented. Also, you should always ensure your staff changes passwords regularly, especially after employees change positions or leave your business. Remember, the objective of a SOC engagement is to evaluate the level of risk and make improvements to protect your data and network.
Our team of certified professional auditors has developed an audit report process that allows collaboration between our auditor and your service organization. Our commitment to you is to provide the highest quality audit reports in a timely and efficient manner. To speak with an auditor about our auditing report process, call us today at 866-446-4038 or contact us online.