What is a SOC 1 Audit?

What is a SOC 1 Audit and Why Do You Need One?

Oftentimes, clients might ask you to complete a SOC 1 audit, which might leave you asking, “What is a SOC 1 audit? Why does my organization need one?” If your organization has the ability to impact your customers’ internal controls over financial reporting (ICFR), then you’re likely to be asked by those customers to undergo a SOC 1 audit. But what is a SOC 1 audit exactly? A System and Organization Controls 1 (SOC 1) audit is designed to test the internal controls that a service organization has implemented to protect the data of its user entities (its customers), specifically the internal controls that could impact financial reporting. SOC 1 audits are conducted in accordance with the Statement on Standards for Attestation Engagements 18 (SSAE 18), which is used to regulate how companies conduct business and report on compliance controls.

What are the Benefits of a SOC 1 Audit?

If you’re wondering “What is a SOC 1 audit?”, you’re probably also wondering “What are the benefits of a SOC 1 audit?” In fact, if you’ve never engaged in a SOC 1 audit before, chances are the process seems a bit intimidating. But when you pursue SOC 1 compliance with KirkpatrickPrice, it doesn’t have to be. Whether it’s your first time undergoing an audit or you’ve been through audits before, our streamlined approach to the audit process will leave you with the following benefits upon the completion of your SOC 1 audit:

  • Peace of mind that your organization has the proper internal controls and processes in place to deliver high-quality services to your clients
  • An in-depth evaluation of your policies and procedures
  • Assurance for your clients that the sensitive assets they’ve entrusted with you are effectively protected
  • Stronger, more robust security hygiene, because a third party, not just your internal audit team, verified your internal controls
  • A competitive advantage by demonstrating your commitment to security

Has your organization been asked to demonstrate SOC 1 compliance? Are you unsure where to begin? Contact us today to learn how KirkpatrickPrice can help you get started on your compliance efforts.

More SOC 1 Resources

Understanding Your SOC 1 Report Video Series

SOC 1 Compliance Checklist: Are You Prepared for an Audit?

How to Read Your Vendor’s SOC 1 or SOC 2 Report?

Video Transcription

A SOC 1 report is a System and Organization Controls report. Most service organizations are offering services to their clients, such as managed services, application services, or any type of third-party service that’s being outsourced to them from their clients. They’re being asked to do this report as a way to prove to the client that they’re working with that their controls are mature enough and that they’ve been tested by a third-party auditor. We’ve found that a lot of people who call us the first time are small- to medium-sized service providers, and they just found out that their biggest client is requiring them to do this audit that they’ve never heard of. They feel under the gun and pressured to do this in order to check a box because it feels like something that’s been forced upon them. But one of the really great things as to why you should do a SOC 1 audit is because it does validate your controls; it does validate what you’re doing. You might be competing against another company in your industry that has not taken the step of having an independent third party come in and evaluate those controls. When you have an experienced auditor, like those we have here at KirkpatrickPrice, come in with years of experience and perspective and provide you with guidance and expertise on what your controls are or are not doing, it’s a very good process for you to strengthen your environment. It’s a very healthy process to go through to have that external opinion of what you’re doing. Sometimes we have our own internal environments and we have blinders on because we’ve never had a third party come in and look at it from a different vantage point. We find our clients telling us, “In year one when we did the audit with you, we just thought it was something we were just going to have to do and get it over with, but after years two and three, we’ve started to see that this is a very healthy process, and it actually helps our business get stronger and to grow.”

The Difference Between SOC 1 Type I and SOC 1 Type II

How Do You Know the Difference Between SOC 1 Type I and SOC 1 Type II?

When you begin thinking about pursuing SOC 1 compliance, you’ll have the option of choosing a Type I or Type II audit. While both of these audits assess a service organization’s controls and processes that may impact their clients’ internal control over financial reporting (ICFR), the biggest difference between SOC 1 Type I and SOC 1 Type II is the audit period. For example, if you decide to undergo a SOC 1 Type I audit, an auditor will assess your controls and processes and their impact over user entities’ ICFR for a specific moment in time. On the other hand, if your organization pursues SOC 1 Type II compliance, an auditor will assess your controls and processes and their impact over user entities’ ICFR over a minimum six-month period.

Do I Need to Start with a SOC 1 Type I or SOC 1 Type II Audit?

Determining whether you want to begin your SOC 1 compliance journey with a Type I or a Type II audit depends on your organization’s needs and what is required of you. At KirkpatrickPrice, we generally recommend that service organizations begin with a SOC 1 Type I before moving on to a SOC 1 Type II. Why? Because we want our clients to get the most out of their audit, which means that we want to set them up for success by preparing them with the tools they need to get through an information security audit. To do this, we offer a streamlined Type I process that combines our gap analysis service with a remediation project plan, resulting in the Type I audit report being delivered within weeks of the engagement kickoff. By beginning with a SOC 1 Type I using this streamlined approach, service organizations can then pursue their Type II compliance with a better understanding of the audit process and clearer expectations of how a SOC 1 audit works.

Has your organization been asked to demonstrate SOC 1 compliance? Are you still unsure if you need a Type I or Type II audit? Contact us today to learn how KirkpatrickPrice can help you get started on your compliance efforts.

Video Transcription

There are two types of SOC 1 reports: there’s a SOC 1 Type I report, and there’s a SOC 1 Type II report. The SOC 1 Type I report is an opinion on the fairness of the presentation of the description provided by management of the service organization, and there’s also an opinion on the suitability of the design of the controls. We also validate that the controls are in place as of a particular date. The SOC 1 Type II report has the exact same sections that I just mentioned for the Type I, but it adds on an additional section, which is testing performed by the service auditor on the operating effectiveness of the controls that are in place over a period of time. So, the Type I report cares about controls that are in place as of a particular date, whereas the Type II report cares about the operating effectiveness of those controls over a period of time. If you need help talking to an auditor about what report is right for you and what your audit period should be for your report, please contact one of our Information Security Specialists today.

5 Strategies to Keep You From Wasting Time on Security Questionnaires

If you’re a start-up trying to win new clients, the dreaded security questionnaires are coming your way. Or, let’s say you’re a midsize business that has been operating for years and is bidding on an enterprise-level prospect – a security questionnaire request is in your future. Even we, as an information security auditing firm, are frequently asked about the security of our Online Audit Manager.

The questions may seem irrelevant, repetitive, and unreasonable. Or – maybe you know that you don’t have good answers. For start-ups, a security questionnaire may be the first time they’ve truly evaluated their security practices. For a midsize business, it may be a frustrating process to constantly fill out similar, but slightly customized, questionnaires for every prospect. The intention behind security questionnaires, though, is a good one. Because so much responsibility lies in the hands of vendors and business partners, an organization has to complete its due diligence to protect its reputation, operability, and financial health.

Compliance from the Start

A client recently told us, “Compliance cannot be an afterthought. If you’re starting a business, please think about information security first.” We completely agree with this sentiment. A business that is driven by security and integrity will create a quality service or product.

One of our auditors, Shannon Lane, says it best. “A compliance program is usually viewed as a cost center, an impediment to business practices, and a headache that seems to get worse year after year. And yet as auditors, we know that a system built with compliance in mind isn’t usually more expensive than a faster, easier solution. A business process or IT solution is hard to change, especially once it becomes core to the enterprise and its operations. Every shortcut taken in the design process, technology solution, or internal system haunts the company forever. It’s always lurking there, waiting to interrupt just when you think you’re prepared. That’s why creating a culture of compliance throughout your organization is so important. A compliance program must be made a priority from the beginning.”

Security questionnaires are tedious, but they’re trying to determine whether you’re an organization that values security, availability, confidentiality, integrity, and privacy. Are you going to bring more risks into a prospect’s environment? Are you going to provide them with a secure service? Will you hinder their business objectives or facilitate more opportunities?

Saving Time on Security Questionnaires

It’s difficult to know whether the company sending you a security questionnaire will put stock in the answers, or how much the answers will impact the outcome of the deal. Or – what if you refuse to answer the security questionnaire, and they still choose to work with your organization?

Many organizations adopt the approach of refusing to release any information about their security practices, even during an audit. They tend to think, “By not sharing information, we’ll be more secure. Just trust us.” It’s the ultimate security paradox. The truth is, the more you isolate yourself, the less secure you are. You never have the internal blinders removed to get a new perspective. You never get to hear new strategies based on your practices. Even AWS provides information on its compliance programs, penetration testing practices, cloud security, and data privacy practices. AWS isn’t saying, “Just trust us.” They’re giving evidence of how they serve their customers best.

Alternative approaches to satisfy a security questionnaire request may include:

  • SOC 1 and SOC 2 reports contain an independent service auditor’s report, which states the auditor’s opinion regarding the description of a service organization’s systems, whether the systems were presented fairly, and whether the controls were suitably designed. As a result of the additional risks that vendors bring to their business partners, more and more organizations are asking for SOC 1 or SOC 2 attestations.
  • An FAQ on your organization’s internal security practices, summarizing your commitment to security and the actions you take to implement controls at your organization, could go a long way in demonstrating your “compliance from the start” attitude.
  • Allowing a potential business partner to review your breach notification policy, incident response plan, disaster recovery plan, or internal information security policy may be enough evidence to satisfy their request.
  • Formal risk assessments allow organizations to identify, assess, and prioritize organizational risk. By proactively undergoing a risk assessment, you may prove that you’ve evaluated the likelihood and impact of threats and have an effective defense mechanism against a malicious attack.
  • If your organization knows it’ll be filling out a lot of security questionnaires in the future, try filling out one of the many security questionnaire templates available online to formulate your answers and potentially see where your gaps are.

If you’d like more information on how to tackle security questionnaires, contact us today. We can provide many ways for your organization to demonstrate your commitment to secure practices.

More Resources

How to Read Your Vendor’s SOC 1 and SOC 2 Report

Getting Executives on Board with Information Security Needs

The First Step in Vendor Compliance Management: Risk Assessments

How Can a SOC 2 Bring Value to Your SaaS?

How to Read Your Vendor’s SOC 1 or SOC 2 Report

Most organizations outsource some aspect of their business to vendors, whether it’s to perform a specific, integral task or replace an entire business unit. Vendors can be in roles like customer support, financial technology, record storage, software development, or claims processing. Using vendors can further an organization’s business objectives, enable them to function more effectively, and may be more cost-efficient. With all these opportunities, organizations must remain aware of the risks vendors carry with them.

As a result of the additional risks that vendors bring, more and more organizations are asking vendors to obtain SOC 1 or SOC 2 attestations. But when you do receive a SOC 1 or SOC 2 report from a carved-out vendor, do you know how to read it? Which areas do you focus on, and what do the results mean? SOC 1 and SOC 2 reports are lengthy and complex, but incredibly important in understanding the risks posed to your organization. Let’s take a look at some key components of SOC 1 and SOC 2 reports that will help you analyze the security of your vendors.

Who Issued the SOC 1 or SOC 2 Report?

SOC 1 and SOC 2 reports follow a pattern. Each gives the vendor management’s assertion, the independent service auditor’s report, the vendor’s description of its system, and the tests of controls. Before you begin reading, though, there’s one initial question to ask when reviewing a SOC 1 or SOC 2 report: who issued the report? As stipulated by the AICPA, SOC reports can only be issued by a CPA firm. We recommend checking that the firm that issued the report is a licensed CPA firm; no CPA firm license means that the firm doesn’t undergo a peer review, which is a review of its accounting and auditing practices conducted once every three years after its initial peer review.

Although CPAs and CPA firms can issue a SOC report, you should also be asking whether the individual or firm has information technology or information security certifications. Let’s not forget: SOC 1 and SOC 2 audits are information security audits. These aren’t the typical financial audits you usually get from a CPA. We recommend encouraging your vendors to engage a CPA firm that specializes in information security for SOC 1 and SOC 2 audits. Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC) are rigorous certifications showing expert knowledge of information security and cybersecurity. These types of certifications are crucial to receiving a quality audit and are what you should be looking for from your vendor’s licensed CPA firm.

The Auditor’s Opinion in a SOC 1 or SOC 2 Report

A SOC 1 or SOC 2 report contains an independent service auditor’s report, which states the auditor’s opinion regarding the description of the vendor’s system, whether the system was presented fairly, and whether the vendor’s controls are suitably designed. When reviewing a vendor’s SOC 1 or SOC 2 report, you will want to pay attention to the controls that impact your security. The auditor’s opinion can be presented in four possible variations:

  • Unqualified: Issued when the auditor fully supports the findings, with no modifications.
  • Qualified: Issued when the auditor cannot express an unqualified opinion, but the issues are not so severe that they need to issue an adverse opinion.
  • Adverse: Issued when the auditor believes that report users should not rely on the vendor’s systems.
  • Disclaimer: Issued when the auditor cannot express an opinion because they were unable to obtain sufficient evidence on which to base their opinion.

An unqualified opinion from your vendor’s independent auditor is what you should be looking for, because any other opinion should cause your organization to evaluate the impact of the qualifications.

What Was Audited During the SOC 1 or SOC 2 Audit?

Your vendor will decide what will or will not be in-scope for the SOC 1 or SOC 2 audit, and this will be described in your vendor’s description of its system. This provides background information on the vendor to the report user, and provides a description of the software, people, procedures, and data within the organization’s in-scope environment. Because you’re familiar with your vendor’s systems and infrastructure, you’ll be able to gauge anything they’ve chosen to exclude from the audit, which may or may not be important to the security of your system and data.

Analyze Exceptions and Non-Compliance in the SOC 1 or SOC 2 Report

For each control objective in a SOC 1 report, and for each Trust Services Criteria category in a SOC 2 report, the report will outline whether any relevant exceptions were noted during testing. This is an incredibly important element of a SOC 1 or SOC 2 report. Which of your vendor’s controls are critical to the security of your data? You need to evaluate whether they have any exceptions or non-compliant controls in those critical areas and determine how this will impact the security of your system and data.

Do you struggle with how to evaluate your vendors’ compliance efforts? Do you know how to read a SOC 1 or SOC 2 report? Contact us today to speak with an information security expert.

More SOC Resources

What’s the Difference Between SOC 1, SOC 2, and SOC 3?

What’s the Difference between SOC 1 Type I and SOC 1 Type II?

What’s the Difference Between SOC 2 Type I and SOC 2 Type II?

What’s the Difference Between SOC for Cybersecurity and SOC 2?

Newest Addition to the SOC Suite

The AICPA recently added a new offering to its SOC suite: SOC for Cybersecurity. The difference between SOC 1, SOC 2, and SOC 3 has always been fairly clear-cut based on factors like internal control over financial reporting, the Trust Services Criteria, and restricted report use. Now, we have a new player in the game.

What’s the Difference Between SOC for Cybersecurity and SOC 2?

How does SOC for Cybersecurity differ from the other SOC reports? Where a SOC 1 is focused on ICFR and is based on the SSAE 18 standard, SOC for Cybersecurity is completely concentrated on cybersecurity risk management programs. SOC 2 is where it gets a little more complicated. In general, SOC for Cybersecurity and SOC 2 engagements have four key differences: purpose and use, audience, report types, and subject matter.

SOC 2 audits help to address any third-party risk concerns by evaluating internal controls, policies, and procedures as they relate to the security, availability, processing integrity, confidentiality, and privacy of a service organization’s systems. SOC 2 compliance is intended to give a wide range of service organizations the information security assurance that they need to address security.

A SOC for Cybersecurity examination is how a CPA can report on an organization’s cybersecurity risk management program. This program is an organization’s set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives. The AICPA’s intent was to provide organizations with a consistent language to report on their cybersecurity efforts and establish a widely-accepted approach for cybersecurity assessments.

Purpose and Use

A SOC for Cybersecurity report communicates information regarding an organization’s cybersecurity risk management efforts, which can give boards of directors, analysts, investors, business partners, industry regulators, and users perspective and confidence in an organization’s cybersecurity risk management program. SOC for Cybersecurity reports are meant to be used during decision-making processes.

SOC 2 compliance can be a major factor in vendor management; no one wants to work with an at-risk vendor. For service organizations wanting to demonstrate their due diligence and information security efforts, a SOC 2 report will communicate how their internal controls are designed and operating.

Audience

SOC for Cybersecurity engagements may be performed for any type of organization, regardless of size or the industry in which it operates. A SOC for Cybersecurity report is for general use, specifically designed to be used by stakeholders, management, directors, analysts, investors, business partners, industry regulators, users, or anyone else whose decisions are directly impacted by the effectiveness of the organization’s cybersecurity controls.

A SOC 2 report is intended for an audience who has prior knowledge and understanding of the system, such as management of a service organization or user entity. In order to communicate the attestation in a SOC 2 report, service organizations must have a SOC 3 report. A SOC 3 does not give a description of the service organization’s system, but can provide interested parties with the auditor’s report on whether an entity maintained effective controls over its systems as they relate to the Trust Services Criteria.

Report Types

When undergoing a SOC 2 audit, a service organization can choose one of two types. Typically, we recommend that service organizations begin with a SOC 2 Type I. A Type I report is an attestation of controls at a service organization at a specific point in time, unlike a Type II, which is an attestation of controls over a period of time. In a Type I, there is no testing of controls, but in a Type II, the auditor will report on the “suitability of the design and operating effectiveness of controls.”

Similar to a SOC 2 Type I, service organizations can choose a design-only SOC for Cybersecurity examination. Design-only examinations do not provide the audience with enough information to assess the effectiveness of cybersecurity controls; they provide only the description of the cybersecurity risk management program and an opinion on the suitability of the design of controls to meet cybersecurity objectives. A service organization may choose to undergo a design-only SOC for Cybersecurity examination if it has not been in operation for a sufficient length of time or if it has recently made significant changes to its cybersecurity risk management program.

It’s important to note that in the future, there will be three levels of SOC for Cybersecurity report to meet all the needs of the market: entity, service provider, and supply chain. All of the guidance currently available relates to entity-level engagements.

Subject Matter

The contents of a SOC for Cybersecurity report and a SOC 2 report have a similar structure, but different subject matter. Each report contains management’s description, management’s assertions, and the practitioner’s opinion. In a SOC for Cybersecurity report, each of these components will relate to the entity’s cybersecurity risk management program and the effectiveness of controls to meet cybersecurity objectives. In a SOC 2 report, each of these components will relate to the service organization’s system and the effectiveness of controls as they relate to the Trust Services Criteria.

The main difference to remember between SOC for Cybersecurity and SOC 2 is the reporting on a cybersecurity risk management program versus a system and the Trust Services Criteria. Want more help deciding if a SOC for Cybersecurity engagement is right for your organization? Contact us today.

More Resources

What’s the Difference Between SOC 1, SOC 2, and SOC 3?

Everything You Need to Know About SOC 1 Audits

SOC 2 Compliance Checklist

Selecting SOC 2 Criteria