SOC 2®— SOC for Service Organizations: Trust Services Criteria

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

 

These reports can play an important role in:

Intended users:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight
Those with the requisite knowledge to understand the report, e.g.:

  • Management of the service organization
  • User entities
  • User auditors
  • Regulators

 

SOC 2 is an evaluation and reporting framework.  It is NOT a compliance framework.  This means that a SOC 2 report provides a lot of flexibility for management to identify and present the information about the system and the controls that their customers need, not what a compliance framework mandates.  This is what makes a SOC 2 examination report so unique and important in the marketplace.

 

The SOC 2 examination report includes the following three key components:

1. Management's assertions

As with all SOC reports, an assertion is provided by management. Specifically, the assertion addresses whether

(a) the description of the system and the controls is presented in accordance with the description criteria and

(b) the controls within the organizations’ system description were effective to achieve the organization’s system objectives based on the control objectives.

2. Practitioner's report

The second component is a practitioner’s report, which contains an opinion, which addresses both subject matters in the examination. Specifically, the opinion addresses whether

(a) the description of the system and the controls is presented in accordance with the description criteria and

(b) the controls within the organizations’ system description were effective to achieve the organization’s system objectives based on the control objectives based on the criteria.

3. Managememt's description of the service organizations' service system

The Management description provides the detail of the system(s) being reported on and includes boundary, infrastructure, controls, commitments, and other system information. Anything that is included in this section should be able to be audited to achieve service commitments and system requirements based on the criteria.

The description provides the context needed for users to understand the conclusions, expressed by management in its assertion and by the practitioner in his or her report.

4. Trust Services Criteria, Controls, Auditor's Tests of Controls, and Results of Tests

Typically shows the following columns of information:

The applicable trust services criteria for the categories in scope
Controls in place at the service organization to achieve service commitments and system requirements based on the criteria
Auditor’s tests of the controls (Type 2 only)
Results of the tests (Type 2 only)

 

There are two types of reports for SOC 2 Reports:

  • Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Use of these reports is restricted to the management of the service organization, user entities, user auditors, and regulators.

 

Let’s get started today.  BRC is ready to help your organization complete a SOC 2 Examination.  Contact Ben Hunter III, CPA/CITP, CISA, CRISC, CDPSE, CISM at (336).294.4494 (bhunter@themayfliesusa.com) to get started today.

 

Ben Hunter

Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM

Ben is the Chief Information Security Officer for BRC and is a Senior Manager in our firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit […]