SOC 2 compliance is a component of the American Institute of Chartered Public Accountants (AICPA)’s Service Organization Control suite of services. Its goal is to make sure that Service Providers’ systems are set up so they assure security, availability, processing integrity, confidentiality, and privacy of customer data. SOC 2 compliance is a minimum requirement for many US-based listed companies when considering a third party service provider, particularly for providers of Cloud-based application.
Compliance is assessed through audit by specialist external IT auditors, initially through a Type 1 audit of the description and design of controls, followed by regular Type 2 audit of control effectiveness, resulting in a formal SOC 2 audit report. To prepare for the audit, the service provider must document an accurate description of the system and its controls against the requirements of selected Trust Service Criteria, in line with the requirements set out in AICPA’s DC-200 Description Criteria. For the Type 2 audit, the service provider must be able to
demonstrate that controls operated effectively over the 6 to 12 months period prior to the audit.
Through our background in SOC 2, IT and security audit, our consultants understand the level of rigour required for a service provider to prepare for and pass SOC 2 Type 1 and Type 2 audits. Our team leverages this understanding to develop and support a programme of activities for Service Providers to help them achieve audit readiness. This includes support for defining the system scope, documenting the Service Description and controls, and identifying control deficiencies that need to be addressed before the audit takes place.
SOC 2 IMPLEMENTATION PROGRAMME
|Management: Sponsorship/Oversight, Key Decisions, Owner of Controls|
|Advisor: Execution of Steps 1 through 5, Faciliate SOC 2 Audit Process, Maintain Alignment with the Service|
SOC 2 AUDITING
Our specialist team works with your organisation to undertake the desired SOC 2 audit, in accordance with your system description and the attestation requirements established by the AICPA.
The objectives of the audit will be to form an opinion about whether:
A. the description of the service organisation’s system as of a point in time is presented in accordance with the description criteria and;
B. For a Type 1 report, the controls stated in the description were suitably designed as of a point in time to provide reasonable assurance that the organization’s service commitments and system requirements were achieved based on the applicable trust services criteria.
c. For a Type 2 report, the controls stated in the description operated effectively throughout the period of time, based on the results of testing of controls.
The output of the engagement will be an Auditor’s SOC 2 Report which will include:
- The Independent Service Auditor’s report;
- Management’s assertion regarding its system; and
- The description of the your Network and/or Cloud system.
- Trust Services Category, Criteria, Related Controls, and Tests of Controls (Type 2 Report only).