System and Organization Control (SOC) Audits

Embarking on the SOC audit is not for the faint of heart. It shouldn’t be approached lightly, as it requires attention to detail, good resources and time. Depending on your level of readiness and the report type, the process can take anywhere from a few months to a year or longer from start to finish for organizations new to the process. Mature organizations can expect a shorter timeline – assuming they already have the necessary controls, processes and technologies in place.

The creation of SOC audits provide three report options developed for service organizations to respond to demands for uniform reporting and review—expanding service organizations’ ability to report on financial controls, non-financial controls and, with SOC 3, become certified trusted system service organizations.

CPAs perform SSAE 18 attestments to provide assurance to the service organization’s customers and their auditors that the organization has certain, adequate and effective controls in place.

• Type I audits consider the controls’ design effectiveness at a certain point in time
• Type II audits examine the controls’ design and operating effectiveness over a specific period, typically six to 12 months.

What are the types of SOC engagements?

• SOC 1—Reports on the effectiveness of a service organization’s internal controls as they relate to financial reporting.
• SOC 2—Reports on a service organization’s Trust Services Criteria—security, availability, processing integrity, confidentiality, and privacy. These criteria reference the security, availability, and processing integrity of an organization’s systems and the confidentiality and privacy of data processed by those systems. The security requirement is always included; however, the other four criteria are optional and based on your specific organization.
• SOC 3—Reports on a service organization’s Trust Services Criteria, not unlike SOC 2, but can be openly distributed.

While a SOC 3 assessment isn’t usually a contractual obligation, it provides an organization with the option to publicize its security efforts. SOC 1 and SOC 2 assessments are for an organization’s current customers to verify security, whereas a SOC 3 assessment can be distributed to anyone (and can even be publicized on a website). The preparation and completion of a SOC 3 assessment mirror that of a SOC 2 assessment, but it includes different reporting requirements. A SOC 2 assessment will include the auditor’s test of controls and results, where SOC 3 will not.

SOC 1, SOC 2 and SOC 3 engagements address today’s environment that:

• Requires greater international consistency
• Addresses newer technologies such as cloud computing, mobile, and virtualization
• Demands more widely recognized and understood reporting options

We provide SOC audits to clients across the country and maintain appropriate licensure in the states in which we provide attest work. As a result, we have in-depth industry knowledge to help service providers in a variety of industries, including healthcare and claims processing, financial services, cloud service providers, and commercial collation and hosting providers.

SOC 1 requires management to provide written descriptions of its systems and assert that the system descriptions are fairly presented, control objectives suitably designed and operate effectively, and identify the criteria they used to make those assertions.

Executive Team for SOC 1 Audits

If you are interested in more information on SOC 1 Audits, please contact Paul and Jacob.

• Paul Demastus
• Jacob Schuetze

What is a SOC 1® Report?

A SOC 1 is a report on controls at your SO that are relevant to user entities’ internal control over financial reporting. This report is specifically intended to meet the needs of two parties:

1. The entities that use service organizations (user entities)
2. The CPAs that audit the user entities’ financial statements (user auditors)

SOC 1 helps the reader evaluate the effect of your service organization’s controls on a user entity’s financial statements.

Examples of companies that need a SOC 1 Report.

• A health insurance company that outsources the medical claims processing function
• An employee benefit plan that outsources functions to a bank to serve as custodian of assets, maintain records of account, allocate investment income and/or make payments
• Any company that utilizes packaged software applications that enables customers to process financial and operational transactions (Application service provider or “ASP”)

There are two options when it comes to the SOC 1 report – type 1 and type 2.

A Type 1 report is a point-in-time assessment that evaluates:

• The fairness of the presentation of management’s description of the service organization’s system (i.e., the accuracy of the system description)
• The suitability of the design of the controls to achieve the control objectives included in the description (as of a specified date)

A Type 2 report covers a period of time, typically 6 to 12 months, and evaluates:

• The fairness of the presentation of management’s description of the service organization’s system
• The suitability of the design of the controls to achieve the control objectives included in the description (throughout the specified period)
• The operating effectiveness of the controls to achieve the control objectives included in the description (throughout the specified period)

The service auditor issues its opinion with the SOC 1 report, which is distributed for restricted use to the management of the SO, user entities, and user auditors.

SOC 2 engagements use the TSC as well as the requirements and guidance in AT Section 101, attest engagements, of SSAEs (AICPA, professional standards, vol. 1). A SOC 2 report is similar to a SOC 1 report. Either a type 1 or type 2 report may be issued and the report provides a description of the service organization’s system. For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests.

Executive Team for SOC 2 Audits

If you are interested in more information on SOC 2 or SOC 3 Audits, please contact Drew and Robyn.

• Drew Hendrickson
• Robyn Barton

What is a SOC 2® Report?

A SOC 2 is a report on controls at a SO relevant to security, availability, processing integrity, confidentiality, and privacy in alignment with the AICPA Trust Services Criteria (TSC). While a SOC 1 report addresses a service organization’s impact on financial transactions, a SOC 2 report addresses the risks arising from interactions with service organizations and their systems.

The report is intended to meet the needs of a broad range of users that require information and assurance about the SO’s controls as they relate to:

• The security, availability, and processing integrity of the systems used by the SO to process users’ data,
• The confidentiality and privacy of the information processed by these systems.

Below are a few examples of companies that may need a SOC 2 Report:

• Providing medical providers, employers, and third-party administrators and insured parties of employers with systems that enable medical records and related health insurance claims to be processed accurately, securely, and confidentially
• Managing, operating, and maintaining user entities’ IT data centers, infrastructure, and application systems and related functions that support IT activities, such as network, production, security, and environmental control activities
• Managing access to networks and computing systems for user entities (for example, granting access to a system and preventing, detecting, and mitigating, system intrusion)

As with the SOC 1 report, there are two report types for this engagement – type 1 and type 2.

Use of SOC 2 reports is generally restricted to those who have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide those services.

How to Prepare for a SOC 2 Audit

There are four major steps you should follow to prepare for a SOC 2 audit. (You can even start the first one today.)

1. Find a reputable CPA firm.

“Wait a minute. I thought SOC 2 focused on information security. Why are you telling me to find a CPA firm?” Great question. The AICPA (American Institute of Certified Public Accountants) developed the SOC 2 framework, so your auditor will have to be a CPA firm to issue a SOC 2 report. Technically, any CPA firm can issue one. But, not any CPA firm can do it the right way. Because SOC 2 focuses specifically on security, you want a firm that understands security and the ins and outs of the AICPA guidance. So, in this case, a “reputable” CPA firm should meet as many of these qualifications as possible:

• You have a trusted relationship with them.
• They have a large information security practice.
• They demonstrate information security thought leadership by regularly creating content around relevant information security topics.
• They have the AICPA’s Cybersecurity Advisory Services Certificate.
• They have extensive experience with SOC 2 reporting.

2. Work with the firm to develop a deeper understanding of SOC 2.

Security

Official text
“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”

Translation
Are information and systems appropriately secured? This requirement is included in every SOC 2 assessment and is not optional.

Availability

Official text
“Information and systems are available for operation and use to meet the entity’s objectives.”

Translation
Are information and systems appropriately available for use?

Processing Integrity

Official text
“System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”

Translation
Is information processed appropriately by your systems?

Confidentiality

Official text
“Information designated as confidential is protected to meet the entity’s objectives.”

Translation
Is confidential information adequately protected?

Privacy

Official text
“Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.”

Translation
Is personal information adequately protected? It is common to confuse the privacy and confidentiality criteria. The difference between the two is that privacy controls protect personal information (name, social security number, address, etc.) and confidentiality protects non-personal information and data that is still classified as “confidential.”

The most important thing to know is this: The criteria you’re assessed against should make sense according to the services you provide. At the end of the day, the CPA firm must provide an opinion on the effectiveness of the controls suited to the operational environment. So, they should verify that the criteria they’re assessing you against makes sense according to the services you provide.

3. Perform a full readiness assessment with the firm you select.

During this process, the firm will educate you on the requirements of all the framework’s criteria and help you understand any control gaps your organization has related to those criteria and points of focus. A point of focus (POF) is a supporting control that offers considerations and guidance. POFs are not requirements but rather serve as clarifications to criteria and assisting an organization as they create controls. A firm will work with you to help you understand the controls you’ll need to implement to receive a favorable report.

It’s important to know that your organization must create the controls. While the CPA firm can provide guidance around the types of controls you’ll need, they can’t create any controls for you. The end result of the readiness assessment is essentially a report that says something to the effect of: “Here are the controls that would be in your SOC 2 report. Here is how they map back to each criterion relevant to your business. And, here is where you have gaps that need remediation.”

Note: If this is your first SOC 2 assessment, you will almost definitely have a fair amount of control gaps and areas to remediate.

4. Engage the CPA firm for a complete SOC 2 audit.

Remember how there are multiple types of SOC audits? Well, to further complicate things, there are also multiple types of SOC 2 audits. Here they are:

• SOC 2, Type I: This type of SOC 2 reports on the design effectiveness of controls at a specific point in time.
• SOC 2, Type II: This type of SOC 2 reports on both the design and operating effectiveness of a controlled environment over a period of time (minimum of 6 months and usually up to 9 months to a full year). A Type I audit is generally used as a stepping-stone to a Type II audit. So, what does the audit process actually look like? It varies by firm, but there are a few things you can count on.

There’s going to be an on-site visit. Someone from the CPA firm (the assessor) will visit your facility to review evidence for the controls you’ve implemented to meet the requirements of the trust services criteria applicable to your organization. This generally occurs toward the end of the assessment period. So, if your assessment period ends in December, the on-site visit will likely occur during November and/or December. The assessing firm will perform testing that covers the entirety of the reporting period to ensure your controls have been operating effectively the whole time. So, while they may only be on-site toward the end of the audit period, their testing will cover the entire audit period (if you’re receiving a SOC 2, Type II report). During this on-site visit, their goal is to test the controls you have defined and make sure they effectively address the requirements and criteria of the SOC 2 framework.

Management will need to present an accurate description of controls. Remember—the CPA firm is not responsible for helping you implement controls—only assessing them. Therefore, in the report, your company’s management is responsible for presenting an accurate description of the control environment.

The CPA firm will issue a report after your report period’s end date. This is important. Regardless of when your assessment is completed, you won’t receive your report until after the assessment period’s end date (generally 45 – 60 days). In this report, the CPA firm issues its opinion on the design (SOC 2, Type I) or design and operating effectiveness (SOC 2, Type II) of your organization’s control environment.

SOC 3 engagements use the predefined criteria in trust services criteria that are used in SOC 2 engagements. A SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results).  It also permits the service organization to use the SOC 3 seal on its website. SOC 3 reports can be issued on one or multiple Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy).

Executive Team for SOC 3 Audits

If you are interested in more information on SOC 2 or SOC 3 Audits, please contact Drew and Robyn.

• Drew Hendrickson
• Robyn Barton

What is a SOC 3® Report

Similar to the SOC 2, the SOC 3 report is a report on the controls at a SO which are relevant to the SO’s ability to maintain the security, availability, processing, integrity, confidentiality, and privacy of a user entity’s data for  which it is responsible. The assessment entails the same Trust Services Criteria, controls, and evaluation of controls addressed in a SOC 2 report.

The key distinction is that the SOC 3 is intended for general use as opposed to restricted use. This means that the SOC 3 report is a public-facing document that gives a high-level overview of information that would be contained in a SOC 2 report. While a SOC 2 report contains sensitive information about business systems and controls at a level that would not be appropriate for public distribution, a SOC 3 report does not and is used as a front-facing report, often for the purposes of sales and marketing.

Examples include:

• A SO may choose to display a SOC 3 seal on its website if it meets the criteria, and link to the SOC 3 report.
• Sales team may use the report to provide prospects and clients to assure them that SO is protecting their data and private information. Clients can easily verify best practices are being followed to guard against security breaches and corrupted data.

Another benefit of a SOC 3 report is there are no additional audit procedures necessary if you’ve already been issued a SOC 2 report.

The SOC for Cybersecurity examination is designed to provide report users with information to help them understand management’s process for handling enterprise-wide cyber risks. It can be performed for any type of organization regardless of size or industry, and report users aren’t necessarily current customers or customer auditors.

SOC for Cybersecurity provides the following:

• A standard, consistent, way to report on an entity’s cybersecurity risk management program (CRMP).
• An effective way to communicate cybersecurity control effectiveness to stakeholders, boards, committees, customers, and partners through a comprehensive cybersecurity audit.

Differing from SOC 2 reports, SOC for Cybersecurity reports address the following:

• The baseline against which an entity is assessed in SOC for Cybersecurity is the Description Criteria for management’s description of the entity’s cybersecurity risk management program.
• An organization pursuing a SOC for Cybersecurity may utilize the Trust Services Criteria, but may also use another generally accepted security framework when designing or assessing its control requirements.
• SOC for Cybersecurity reports are general use reports, and the objectives of the report are often determined by company management. These reports are meant for a broader audience than SOC 2 reports and may be shared with anyone inside or outside an organization.
• In a SOC for Cybersecurity, the controls matrix will not be included in the report.

The LBMC SOC audit team was instrumental in working with the AICPA to create and release this assessment to help you achieve compliance and provide the insights you need to make better business decisions.