SOC 2 Academy: SOC 2 Video Series

SOC 2 Academy

How can your organization prove that it provides a secure service? How can you build a business based on information security and cybersecurity best practices? SOC 2 audits help organizations address third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the security, availability, processing integrity, confidentiality, and privacy of a system. There’s a lot to understand about SOC 2 audits, especially when considering the ever-changing threat landscape, but KirkpatrickPrice is here to help.

In this series, Joseph Kirkpatrick will walk you through elements of SOC 2 audits and reporting by discussing the common criteria. You will learn about communication skills, the Trust Services Criteria, risk management, monitoring practices, assigning responsibilities, incident response plans, and more. Choose a video below to begin learning about SOC 2 audits.

Featured Episode:

SOC 2 Academy: Documentation of Inputs

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories, and an organization that opts to include one of those categories in its audit must also comply with that category’s additional criteria. Processing integrity criterion 1.5 (PI1.5) says, “The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.” Let’s take a look at why your organization needs documentation of inputs if you’re pursuing SOC 2 compliance.

SOC 2 Academy: Complete, Accurate, and Timely Outputs

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories, and an organization that opts to include the processing integrity category in its audit must also comply with the additional criteria for processing integrity. Processing integrity criterion 1.4 (PI1.4) says, “The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.” Let’s discuss why it’s important for organizations to deliver complete, accurate, and timely output when pursuing SOC 2 compliance.

SOC 2 Academy: Identifying Logging Errors

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories, and an organization that opts to include the processing integrity category in its audit must also comply with the additional criteria for processing integrity. Processing integrity criterion 1.3 (PI1.3) says, “The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.” Let’s discuss why identifying logging errors is crucial to complying with this criterion.

SOC 2 Academy: How is Data Put Into Your System?

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories, and an organization that opts to include the processing integrity category in its audit must also comply with the additional criteria for processing integrity. Processing integrity criterion 1.2 (PI1.2) says, “The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.” What does this mean for organizations, and how do they comply with this criterion? Let’s discuss why organizations need to understand how data is put into their system.

SOC 2 Academy: Quality and Accuracy of Your Data

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories, and an organization that opts to include the processing integrity category in its audit must also comply with the additional criteria for processing integrity. Processing integrity criterion 1.1 (PI1.1) says, “The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.” What does this mean for organizations, and how do they comply with this criterion? Let’s discuss why the quality and accuracy of your data is important for SOC 2 compliance.

SOC 2 Academy: How Contractual Obligations Impact Confidential Information

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories, and an organization that opts to include the confidentiality category in its audit must also comply with the additional criteria for confidentiality. Confidentiality criterion 1.2 (C1.2) says, “The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.” What does this mean for organizations, and how do they comply with this criterion, particularly when contracts with clients dictate how long confidential information must be retained and how it must be disposed of? Let’s discuss.

SOC 2 Academy: Classifying Confidential Information

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories, and an organization that opts to include the confidentiality category in its audit must also comply with the additional criteria for confidentiality. Confidentiality criterion 1.1 (C1.1) says, “The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.” What does this mean for organizations, and how do they comply with this criterion? Let’s discuss why organizations should be classifying confidential information.

SOC 2 Academy: Testing Your Business Continuity Plan

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories, and an organization that opts to include the availability category in its audit must also comply with the additional criteria for availability. Availability criterion 1.3 (A1.3) says, “The entity tests recovery plan procedures supporting system recovery to meet its objectives.” What does this mean for organizations, and how do they comply with this criterion? Let’s find out why you need to be testing your business continuity plan.

SOC 2 Academy: Data Backup Processes

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories, and an organization that opts to include the availability category in its audit must also comply with the additional criteria for availability. Availability criterion 1.2 (A1.2) says, “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” We’ve discussed how organizations can comply with this criterion, but one component deserves further discussion: data backup processes. Let’s take a look at why organizations need proper data backup processes and how they impact SOC 2 compliance.

SOC 2 Academy: Designing and Implementing Environmental Protections

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories, and an organization that opts to include the availability category in its audit must also comply with the additional criteria for availability. Availability criterion 1.2 (A1.2) says, “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” What does this mean for organizations, and how do they comply with this criterion? Let’s find out why organizations should be designing and implementing environmental protections.

SOC 2 Academy: Preparing for Current and Future Availability Needs

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories, and an organization that opts to include the availability category in its audit must also comply with the additional criteria for availability. Availability criterion 1.1 (A1.1) says, “The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.” What does this mean for organizations, and how do they comply with this criterion? Let’s find out why preparing for current and future availability needs is important.

SOC 2 Academy: Identifying Vendors as Carve-Out or Inclusive

When a service organization undergoes a SOC 2 audit, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 9.2 (CC9.2) says, “The entity assesses and manages risks associated with vendors and business partners.” How can organizations be sure that they’re complying with this criterion? Part of the answer is deciding how the vendors your system depends on will be presented in your report: under the inclusive method, a subservice organization’s relevant controls are included in your system description and tested along with your own, while under the carve-out method those controls are excluded from the description and the report identifies the complementary subservice organization controls you rely on. Let’s discuss the difference between identifying your vendor as carve-out or inclusive and why it matters during a SOC 2 audit.

SOC 2 Academy: Managing Vendor Risk

When a service organization undergoes a SOC 2 audit, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 9.2 (CC9.2) says, “The entity assesses and manages risks associated with vendors and business partners.” How can organizations be sure that they’re complying with this criterion? Let’s take a look at key ways organizations can manage vendor risk.

SOC 2 Academy: Mitigating Risks that Lead to Business Disruptions

When a service organization undergoes a SOC 2 audit, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 9.1 (CC9.1) says, “The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.” How can organizations be sure that they’re complying with this criterion? Let’s discuss why organizations need to mitigate risks that lead to business disruptions.

SOC 2 Academy: Change Management Best Practices

When a service organization undergoes a SOC 2 audit, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 8.1 (CC8.1) says, “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.” How can organizations be sure that they’re complying with this criterion? Let’s discuss some change management best practices that organizations should be following.

SOC 2 Academy: Recovering from a Security Incident

Because security incidents are a matter of when, not if, it’s a best practice to always analyze what happened and how the organization could have prevented it. That’s why, during a SOC 2 audit, an auditor will assess an organization’s compliance with the 2017 Trust Services Criteria, including common criterion 7.5 (CC7.5), which says, “The entity identifies, develops, and implements activities to recover from identified security incidents.” Let’s discuss what an auditor will look for when assessing an organization’s compliance with this criterion.

SOC 2 Academy: Testing Your Incident Response Plan

When a service organization undergoes a SOC 2 audit, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 7.4 (CC7.4) says, “The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.” We’ve already discussed why it’s important to establish incident response teams and how organizations can comply with CC7.4, but there’s one component of this criterion that we’d like to emphasize: the importance of testing the incident response plan.

SOC 2 Academy: Incident Response Teams

When a service organization undergoes a SOC 2 audit, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 7.4 (CC7.4) says, “The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.” Let’s take a look at what organizations need to do to comply with this criterion and why it’s important to establish incident response teams.

SOC 2 Academy: Incident Response Best Practices

When an organization undergoes a SOC 2 audit, auditors will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 7.3 (CC7.3) says, “The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with CC7.3? Let’s take a look.

SOC 2 Academy: Performing Daily Log Reviews

Common criterion 7.2 (CC7.2) of the 2017 Trust Services Criteria says, “The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.” Let’s discuss why performing daily log reviews helps organizations comply with this criterion.

SOC 2 Academy: Detect and Monitor Changes in Your System Configurations

When an organization undergoes a SOC 2 audit, auditors will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 7.1 (CC7.1) says, “To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.” What will an auditor look for when assessing this criterion? What do organizations need to do to demonstrate that they have processes to detect and monitor changes in their system configurations? Let’s discuss.

SOC 2 Academy: Change Control Processes

Knowing how to prevent and detect the installation of unauthorized software on your network is important, but organizations pursuing SOC 2 compliance should also implement change control processes to further reduce the risk of unauthorized software being introduced. When an organization engages in a SOC 2 audit, an auditor will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 6.8 (CC6.8) says, “The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.” Let’s take a look at how implementing change control processes can help organizations comply with this criterion.

SOC 2 Academy: Preventing and Detecting Unauthorized Software

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which includes assessing the organization’s compliance with common criterion 6.8 (CC6.8). CC6.8 says, “The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.” What do organizations need to do to comply with this criterion? What will an auditor be assessing? Let’s discuss.

SOC 2 Academy: Access Controls for Remote Employees

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which includes assessing the organization’s compliance with common criterion 6.7 (CC6.7). CC6.7 says, “The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.” We’ve discussed ways that organizations can comply with this requirement; now let’s take a look at how an organization’s environment, such as a remote workforce, can change the way it approaches compliance with CC6.7.

SOC 2 Academy: Movement of Data

When a service organization undergoes a SOC 2 audit, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 6.7 (CC6.7) says, “The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.” How does understanding the movement of data influence SOC 2 compliance? What will auditors be evaluating when assessing an organization’s compliance with CC6.7? Let’s discuss.

SOC 2 Academy: Dealing with External Threats

When a service organization undergoes a SOC 2 audit, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 6.6 (CC6.6) says, “The entity implements logical access security measures to protect against threats from sources outside its system boundaries.” How can organizations be sure that they’re complying with this criterion? Let’s discuss.

SOC 2 Academy: Disposing of Physical Devices

When a service organization pursues SOC 2 compliance, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 6.5 (CC6.5) says, “The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.” Let’s take a look at why properly disposing of physical devices is important.

SOC 2 Academy: Taking Inventory of Physical Devices

One of the first steps of the SOC 2 audit process is scoping the engagement, which tells auditors what people, processes, and technologies will be included in the assessment. Because auditors will assess an organization’s compliance with the 2017 Trust Services Criteria, organizations need to demonstrate that they comply with common criterion 6.4 (CC6.4), which covers physical access to facilities and protected information assets such as data center facilities and backup media storage. A thorough, current inventory of physical devices is the starting point for showing what those assets are and where they live.

SOC 2 Academy: Physical Security Controls

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which includes assessing the organization’s compliance with common criterion 6.4 (CC6.4). CC6.4 says, “The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.” How can organizations comply with this requirement? What kind of physical security controls should organizations implement?

SOC 2 Academy: Assigning Roles and Responsibilities

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which includes assessing the organization’s compliance with common criterion 6.3 (CC6.3). CC6.3 says, “The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.” How can organizations comply with this requirement? It comes down to three things: assigning roles and responsibilities, granting only the least privilege necessary for each role, and establishing segregation of duties.

SOC 2 Academy: Registering Internal and External Users

When a service organization undergoes a SOC 2 audit, auditors will validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 6.2 (CC6.2) says, “Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.” What will an auditor look for when assessing how organizations go about registering internal and external users? Let’s discuss.

SOC 2 Academy: How to Perform a Thorough Inventory

When a service organization undergoes a SOC 2 audit, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 6.1 (CC6.1) says, “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” We have discussed many points of focus that organizations should consider when complying with CC6.1, but there’s still one critical component to review: performing a thorough inventory of your assets, since you cannot protect assets you don’t know you have. Let’s discuss.

SOC 2 Academy: Additional Points of Focus for Logical Access

While not requirements themselves, points of focus serve as references to assist organizations in designing, implementing, operating, and evaluating controls over security, availability, confidentiality, processing integrity, and privacy. When it comes to implementing logical access controls, there are some additional points of focus that will help organizations keep their information systems secure. Let’s take a look at how these additional points of focus help service organizations comply with common criterion 6.1 (CC6.1) during a SOC 2 audit.

SOC 2 Academy: Protection Through Logical Access

When a service organization undergoes a SOC 2 audit, auditors will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 6.1 (CC6.1) says, “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” What will an auditor look for when assessing this criterion? Let’s discuss why organizations should implement protection through logical access controls.

SOC 2 Academy: Expectations of Policies and Procedures

As with many other frameworks, including PCI DSS and HIPAA, policies and procedures are an integral component of achieving SOC 2 compliance. Why? Because during a SOC 2 audit, an auditor will assess an organization’s compliance with the 2017 SOC 2 Trust Services Criteria, and as part of that will verify whether the organization complies with common criterion 5.3 (CC5.3), which says, “The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.” Let’s take a look at how organizations can demonstrate compliance with CC5.3 and what auditors will be looking for.

SOC 2 Academy: Designing Processes for Your Technology

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which includes assessing the organization’s compliance with common criterion 5.2 (CC5.2). CC5.2 says, “The entity also selects and develops general control activities over technology to support the achievement of objectives.” This means that organizations need to design and develop processes to ensure that the technology they use is effective and helps the organization meet its business objectives. How can organizations go about designing processes for their technology? Let’s discuss.

SOC 2 Academy: Implementing Internal Controls - Common Criteria 5.1

When an organization undergoes a SOC 2 audit, auditors need to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 5.1 (CC5.1) says, “The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” What will an auditor look for when assessing this criterion? What do organizations need to do to show how they are implementing internal controls? Let’s discuss.

SOC 2 Academy: Internal Control Deficiencies - Common Criteria 4.2

When a service organization undergoes a SOC 2 audit, auditors will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 4.2 (CC4.2) says, “The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss.

SOC 2 Academy: Who is Monitoring Internal Controls?

Establishing methods of effective monitoring is a critical component of SOC 2 compliance. During a SOC 2 audit, an auditor will assess not only whether an organization is effectively monitoring its internal controls but also whether the right person is doing the monitoring, since someone reviewing their own work is not an independent check. Why is that? It comes down to the need for checks and balances, so let’s discuss.

SOC 2 Academy: Evaluations of Internal Control

When a service organization undergoes a SOC 2 audit, auditors will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 4.1 (CC4.1) states, “The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” Why is it so important that organizations effectively perform evaluations of internal control? Let’s find out.

SOC 2 Academy: Who Should Make Updates To Your Risk Assessment?

During a SOC 2 audit, an auditor will assess an organization’s risk assessment processes. This includes not only how the organization assesses risk but also the people involved in the risk assessment process. Auditors will want to see that the organization has a process in place governing who should make updates to the risk assessment. Why is that? One of the common findings of SOC 2 audits is that organizations treat their risk assessment as something to roll forward from the previous year without much thought, and they often don’t involve the appropriate members of the organization in the risk assessment process. Why is teamwork important during a risk assessment? Who should make updates to the risk assessment? Let’s discuss.

SOC 2 Academy: Assessing Changes Within Your Organization

When a service organization undergoes a SOC 2 audit, auditors will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criterion 3.4 (CC3.4) states, “The entity identifies and assesses changes that could significantly impact the system of internal control.” Let’s take a look at what organizations need to do during their SOC 2 audit to demonstrate compliance with CC3.4.

SOC 2 Academy: How Fraud Can Impact Risk

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.3 (CC3.3) states, “The entity considers the potential for fraud in assessing risks to the achievement of objectives.” This means that organizations must consider how fraud can impact risk. What does an organization need to do to comply with common criteria 3.3? Let’s find out.
SOC 2 Academy: Risks from Business Partners

While organizations must consider the risks to their operations, finances, and reputation caused by threats inside their organization, they must also consider outside risks from business partners and third-party vendors. During a SOC 2 audit, organizations will have to demonstrate that they consider the risks from business partners and third-party vendors in order to comply with the SOC 2 common criteria 3.2, which states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” Let’s take a look at the reasoning behind this, other frameworks that have vendor compliance requirements, and what can happen if an organization fails to manage the risks from business partners and third-party vendors.
SOC 2 Academy: Assessing the Significance of Risks

During a SOC 2 audit, auditors will validate that organizations comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.2 states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” When an auditor is assessing an organization’s compliance with this criterion, they will observe how the organization assesses the significance of the risks found in its risk assessment. Let’s take a look at what organizations need to do to demonstrate compliance with common criteria 3.2.
SOC 2 Academy: How to Manage Risks

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.2 (CC3.2) states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” We’ve discussed the different types of risks organizations can face and the importance of using the findings of a risk assessment, so let’s take a look at how to manage risks and what organizations need to do to demonstrate compliance with common criteria 3.2.
SOC 2 Academy: Using a Risk Assessment

During a SOC 2 audit, auditors will validate that organizations comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. When an auditor is assessing an organization’s compliance with common criteria 3.1, which states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives,” they will want to see that the entity not only conducts but uses their risk assessment. Let’s take a look at how organizations can go about using their risk assessment and why it’s so important.
SOC 2 Academy: What Types of Risks Does Your Organization Face?

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.1 (CC3.1) states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.” Why is common criteria 3.1 so critical for SOC 2 compliance? Let’s discuss.
SOC 2 Academy: Communicating with External Parties

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.3 says, “The entity communicates with external parties regarding matters affecting the functioning of internal control.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss how organizations should communicate with external parties.
SOC 2 Academy: Communicating with Internal Parties

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.2 says, “The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss communicating with internal parties during an audit.
SOC 2 Academy: The Importance of Organizational Communication

Communication is one of the underpinnings of meeting the requirements within the SOC 2 Trust Services Criteria. Common criteria 2.2 says, “The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”
SOC 2 Academy: Making Informed Decisions

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.1 (CC2.1) states, “The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.” Let’s discuss why it’s important that service organizations demonstrate that they are making informed decisions during their SOC 2 audit.
SOC 2 Academy: Holding Your Employees Accountable

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.5 (CC1.5) states, “The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.” What do organizations need to do to demonstrate that they are holding employees accountable? Organizations can implement accountability measures through positive and punitive reinforcements, but what does that look like? Let’s discuss.
SOC 2 Academy: Attracting, Developing, and Retaining Confident Employees

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.4 says that an organization must demonstrate a commitment to attracting, developing, and retaining competent employees in alignment with objectives. How can organizations do this? Let’s discuss.
SOC 2 Academy: Defining the Responsibilities of Employees

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.3 (CC1.3) states, “Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.” Let’s discuss how organizations can comply with this criterion and what auditors will be looking for.
SOC 2 Academy: A Board's Independence from Management

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria.
SOC 2 Academy: How Does an Auditor Test for Integrity?

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. The first common criteria (CC1.1) states, “The entity demonstrates a commitment to integrity and ethical values.” So, what does an organization need to do to demonstrate this? How will the auditor test for integrity? Let’s discuss.
SOC 2 Academy: Integration with the COSO Framework

The COSO Internal Control — Integrated Framework is one of the most common models used to design, implement, maintain, and evaluate internal controls and is split into five components: control environment, risk assessment, information and communication, monitoring activities, and existing control activities. A common way to remember these five components that are used to evaluate the effectiveness of internal controls is the acronym CRIME.
SOC 2 Academy: Trust Services Criteria

In the AICPA’s recent updates to SOC 2 reporting, many will notice that there are quite a few SOC 2 terminology changes. Most notably, the Trust Services Principles and Criteria will now be strictly referred to as the Trust Services Criteria. However, it’s important to note that the AICPA did not update the acronym to reflect this change. Instead, the acronym for Trust Services Criteria will remain TSP.
SOC 2 Academy: Points of Focus

What is a Point of Focus? In the past, many organizations have struggled on their journey toward SOC 2 compliance because they lacked an understanding of what they needed to do to comply with the Trust Services Criteria.
SOC 2 Academy: What's New with SOC 2?

In April 2017, the AICPA issued several updates to SOC 2 reporting. The most noticeable change is the revision from “Trust Services Principles and Criteria” to “Trust Services Criteria.” Other updates include points of focus, supplemental criteria, and the inclusion of the 17 principles from the 2013 COSO Internal Control Framework. Let’s take a look at how these principles will be used in a SOC 2 report.