The SOC Audit Process: Tackling Type I and Type II Reports

So you’ve decided whether you need a SOC 1 or a SOC 2 audit…what’s next? You need to decide where you’ll begin the SOC audit process. With a gap analysis? What are the SOC report types? A Type I? A Type II? Let’s discuss KirkpatrickPrice’s method for completing Type I and Type II audits.

SOC Report Types: Type I and Type II FAQs

No matter the SOC report types needed (SOC 1 or SOC 2), there are a few common questions we receive from service organizations going through the SOC audit process for the first time, and they involve deciding between SOC report types.

Do I need a Type I or a Type II report?

The key difference between a Type I and Type II report is the attestation on the operating effectiveness of controls. A Type I report is an attestation about controls at a service organization at a specific point in time, and a Type II report is an attestation about controls at a service organization over a period of time. Observing controls over a period of time allows for verification that controls are suitably designed and operating effectively – whereas a Type I report attests that controls are suitably designed and implemented.

Many questions about the SOC report types depend on what your client is asking for. If they are satisfied with a Type I report, you may elect to undergo that audit and stop there. If you’re undergoing these audits to be proactive, we recommend getting a Type II report – but this doesn’t always mean you skip the Type I.

Do I have to go through a Type I audit before a Type II audit?

It is not a requirement to go through a Type I audit before you go through a Type II audit – but it is our recommendation. Gaining a Type II attestation on your very first audit will be a difficult process for your team – you have to be prepared to show your policies, controls, objectives, and commitment to compliance, all while establishing that your controls have been operating effectively for at least six months. Going through a Type I audit first gives you the opportunity to learn how the SOC audit process works, establish your control objectives, learn where your areas of weakness are, and discover what you need to improve before the Type II audit. We have found that when a service organization rushes to get a Type II report, the final result isn’t as valuable as it would be if they had prepared better for the audit.

Want to hear from a client that received both SOC report types within a year? Read about Sigstr’s SOC 2 journey here.

Do I need to go through a gap analysis before the Type I? What about the Type II?

Whenever any organization goes through any audit for the first time, we strongly recommend starting with a gap analysis. By starting the SOC audit process with a gap analysis, our auditors can identify any operational, reporting, and compliance gaps in your organization and advise you on strategies for remediation. Gap analyses compare what you’re doing to what regulations require of you. Once you receive the results of the gap analysis, your organization can remediate any identified gaps before the audit begins.

For a first-time SOC audit, a basic audit map may be: a gap analysis first, then the Type I audit, then the Type II audit. If you elect to skip the Type I, you can still choose to go through a gap analysis before the Type II audit. In some cases, organizations have thought they should skip the Type I audit, but after receiving their gap analysis results, they decided it would be wise to undergo the Type I before the Type II.

What happens if I fail the Type I?

SOC audits do not work on a pass/fail system. The purpose of a SOC report is to provide user entities with reasonable assurance that the service organization’s controls are suitably designed and operating effectively. Instead of passing or failing your organization, an auditor will issue a qualified or unqualified opinion. Understanding reasonable assurance changes your pass/fail mindset to considering how an auditor would assess specific controls. Would an auditor see that these controls are suitably designed? Would we achieve reasonable assurance? If an auditor determines that a control was not in place or not effective, then a qualified opinion would be issued. This would sound something like, “Except for Control X, reasonable assurance is there. The controls have been suitably designed and are operating effectively.” An unqualified opinion means there are no qualifications or significant exceptions being issued and reasonable assurance has been determined.

KirkpatrickPrice’s Type I and Type II Process

Because so many service organizations are completing a SOC audit at the request of a client, many are on a strict timeline for the SOC audit process. That is why, at KirkpatrickPrice, we’ve developed a streamlined SOC audit process to get service organizations through a gap analysis, Type I, and Type II audit in a faster way, but without losing quality. By electing to undergo both a Type I and Type II audit, you actually give your team more resources to make the SOC audit process more valuable. No one should have to begin a Type II audit unprepared because of timelines.

Contact us today and let’s talk about how we can partner together to get you through the SOC audit process and achieve your compliance goals.

More Type I and Type II Resources

  • What’s the Difference Between SOC 1, SOC 2, and SOC 3?
  • SOC 1 or SOC 2: Which SOC Report Do I Need?
  • The Difference Between SOC 1 Type I and Type II
  • The Difference Between SOC 2 Type I and Type II

Combining SOC 1 and SOC 2 Audits

We get a lot of questions about SOC 1 and SOC 2 audits. What’s the difference between the two? Should your company do both? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 1 and SOC 2 audit.

What are SOC 1 and SOC 2 Audits?

Before we discuss how to go through a combined SOC 1 and SOC 2 audit, let’s review what each of these types of audits is. What does a SOC 1 audit assess? A SOC 1 audit is an assessment of the internal controls at a service organization which have been implemented to protect client data. SOC 1 audits are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) standard and report on the effectiveness of internal controls at a service organization that may be relevant to their clients’ internal control over financial reporting (ICFR).

A SOC 2 audit is a second type of SOC assessment of the internal controls at a service organization that protect client data. The SOC 2 audit was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria) – which are typically unrelated to ICFR. The Trust Services Criteria are the foundation of the SOC 2 audit, just as the SSAE 18 is the basis of a SOC 1 audit.

Why a Combined SOC 1 and SOC 2 Audit?

Why would a company pursue a combined SOC 1 and SOC 2 audit? The obvious reason is that you may have clients that are specifically asking for SOC 1 and SOC 2 reports from you. They want to know whether you are handling their data in a secure way. You could also have some asking for one audit or the other. In some circumstances, your clients may not even know which one you need, but they want you to prove your security practices are legitimate – so it’s up to you to determine whether you’ll undergo a SOC 1, SOC 2, or a combined SOC 1 and SOC 2 audit. Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it’s always a wise decision to do your due diligence and know what your options are for meeting their requirements and industry standards. To effectively ensure that your controls meet the demands of the variety of clients and stakeholders that you serve, you should know that a combined SOC 1 and SOC 2 audit is an option.

Here’s what some of our clients have to say about their combined SOC 1 and SOC 2 audit with KirkpatrickPrice:

  • “Trust and transparency is a core Rhumbix value. As a leading provider of construction technology, it is important for us to provide SOC 1 and SOC 2 reporting for our customers and ensure we continue to build and architect future Rhumbix products with the highest standards.” – VP of Development at Rhumbix
  • “The successful completion of our SOC 1 and SOC 2 Type II examination audits provides our clients with the assurance that the controls and safeguards we employ to protect and secure their data are in line with industry standards and best practices.” – Information Security Officer at Inovatec
  • “CBOSS is committed to delivering robust, secure solutions for payment processing to all our customers. To that end, we strive to make security and reliability integral to every aspect of our operations. We appreciate KirkpatrickPrice’s thoroughness and we are proud to have met or exceeded all the requirements they validated.” – Security and Compliance Manager for CBOSS
  • “Upholding security regulations is critical as a service provider. Completing the SOC 1 Type II and SOC 2 Type II audits provides validation to OneCloud customers that we’re committed to keeping our platform secure. OneCloud will annually renew our SOC certification by maintaining the necessary controls and processes.” – Chief Executive Officer of OneCloud

Using the Online Audit Manager

Our goal is to make SOC 1 and SOC 2 reports more accessible to organizations who are being asked for them, so in order to complete a combined SOC 1 and SOC 2 audit, we utilize the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and money. Completing a combined SOC 1 and SOC 2 audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.

More SOC 1 and SOC 2 Resources

  • What’s the Difference Between SOC 1, SOC 2, and SOC 3?
  • Using the Online Audit Manager to Complete Multiple Audits
  • 4 Reasons the Online Audit Manager is the Audit Tool You’ve Been Missing

Most Common SOC 1 Gaps

If you knew a hurricane or car accident was going to happen, wouldn’t you do your best to prepare for it? You’d want to know every detail of its likelihood so your plan of action would prevent as much damage as possible. The same principle applies to information security breaches – that’s why it’s important for your organization to be aware of and remediate common security gaps so you can avoid the vulnerabilities that hackers use to breach data systems. Each type of audit comes with different security gaps to be aware of, even if the frameworks are similar, like SOC 1 and SOC 2. No matter the audit, it’s valuable to know how to avoid unnecessary security risks by catching these common gaps in your system. Even by reading this blog post, you’re already far ahead of many organizations in securing your systems.

Most Common SOC 1 Gaps

The most common SOC 1 gaps include gaps in change management, risk assessment, application development, vulnerability testing, logical access, network monitoring, physical security, and organization overview. Organizations that don’t place a priority on mitigating these security gaps are faced with costly breaches after hackers infiltrate their systems. You don’t want to be caught in the same situation. Let’s talk about a few of these common SOC 1 gaps by looking into some massive security breaches.

Risk Assessment – Establishing a formal risk assessment process allows organizations to do their due diligence and prioritize risk. Risk assessments often lead to an understanding of the types of risks that your vendors carry into your environment. Earlier this year, FEMA exposed over two million disaster victims’ data with a vendor. Could a risk assessment have detected the 11 vulnerabilities on that vendor’s network?

Application Development – The ICIT says that software security is national security – and a lack of software security is a national threat. First American Corporation was breached after a vulnerability in a product application was found, compromising over 885 million records because of a design defect in the application. Had First American Corporation known that application development was an extremely common SOC 1 gap, would it have recognized the vulnerability during the development phase?

Vulnerability Testing – SOC 1 audits within AWS environments often reveal a gap in vulnerability testing. Organizations must test their S3 buckets for vulnerabilities in order to prevent a system breach. The Democratic Senatorial Campaign Committee knows this firsthand after their misconfigured S3 bucket was exposed. More than 6 million email addresses were exposed on the internet, able to be viewed by any person with a free AWS account. Testing for vulnerabilities and misconfigurations is invaluable to your information security program.

Network Monitoring – When Timehop was breached in 2018, their engineers responded to the event within 2 hours of discovering the network intrusion. Although the hacker had access to Timehop’s cloud for about six months, when the active attack actually occurred, Timehop’s network monitoring tools reported that the service was down, and Timehop engineers worked to restart services. If not for network monitoring, how much time could’ve passed before Timehop recognized the attack?

Physical Security – In April 2018, a New Jersey man was found to have infiltrated two companies’ physical security systems to install a hardware keylogger. The breach was orchestrated for over 2 years after the man fraudulently gained access with an employee badge. He was able to breach the system and access personal information, intellectual property, and plans for new technology that each company was developing. If these companies had properly disposed of unused access badges and limited access to secure areas, they might have prevented major breaches.

Other common SOC 1 gaps to be prepared for are Change Management, Logical Access, and Organization Overview. You can remediate gaps by ensuring all company employees understand the company’s security and ethics expectations and are using MFA on company equipment. Having a structured plan of action for system changes leads to better security when your organization implements both small-scale and large-scale adjustments.

Learning to Remediate the Gaps

The first step to avoiding common hacker tactics is to remediate your gaps. What gaps should you look for? You can start by reviewing common SOC 1 gaps in the areas of change management, risk assessment, application development, vulnerability testing, logical access, network monitoring, physical security, and organization overview.

If you want to avoid fines, loss of customers, and everything else these companies have to face after a massive security breach, you need to ensure your organization is taking every precaution against hackers. Contact KirkpatrickPrice today to learn more about remediating your SOC 1 gaps and staying one step ahead of hackers.

More SOC 1 Resources

  • Understanding Your SOC 1 Report: What is a Gap Analysis?
  • 7 Reasons Why You Need a Manual Penetration Test
  • SOC 1 Compliance Checklist

What is a SOC 1 Audit?

What is a SOC 1 Audit and Why Do You Need One?

Oftentimes, clients might ask you to complete a SOC 1 audit, which might leave you asking, “What is a SOC 1 audit? Why does my organization need one?” If your organization has the ability to impact your customers’ internal controls over financial reporting (ICFR), then you’re likely to be asked by those customers to undergo a SOC 1 audit. But what is a SOC 1 audit exactly? A System and Organization Controls 1 (SOC 1) audit is an audit designed to test the internal controls that a service organization has implemented to protect the data of user entities (its customers), specifically the internal controls that could impact financial reporting. SOC 1 audits are conducted in accordance with the Statement on Standards for Attestation Engagements 18 (SSAE 18), which is used to regulate how companies conduct business and report on compliance controls.

What are the Benefits of a SOC 1 Audit?

If you’re wondering “What is a SOC 1 audit?”, you’re probably also wondering “What are the benefits of a SOC 1 audit?” In fact, if you’ve never engaged in a SOC 1 audit before, chances are the process seems a bit intimidating. But when you pursue SOC 1 compliance with KirkpatrickPrice, it doesn’t have to be. Whether it’s your first time undergoing an audit, or you’ve been through audits before, our streamlined approach to the audit process will leave you with the following benefits upon the completion of your SOC 1 audit:

  • Peace of mind that your organization has the proper internal controls and processes in place to deliver high-quality services to your clients
  • An in-depth evaluation of your policies and procedures
  • Assurance for your clients that the sensitive assets they’ve entrusted with you are effectively protected
  • Stronger, more robust security hygiene, because a third party, not just your internal audit team, verified your internal controls
  • A competitive advantage by demonstrating your commitment to security

Has your organization been asked to demonstrate SOC 1 compliance? Are you unsure where to begin? Contact us today to learn how KirkpatrickPrice can help you get started on your compliance efforts.

More SOC 1 Resources

  • Understanding Your SOC 1 Report Video Series
  • SOC 1 Compliance Checklist: Are You Prepared for an Audit?
  • How to Read Your Vendor’s SOC 1 or SOC 2 Report?

Video Transcription

A SOC 1 report is a System and Organization Controls report. Most service organizations are offering services to their clients, such as managed services, application services, or any type of third-party service that’s being outsourced to them from their clients. They’re being asked to do this report as a way to prove to the client that they’re working with that their controls are mature enough and that they’ve been tested by a third-party auditor. We’ve found that a lot of people who call us the first time, they’re small- to medium-sized service providers, and they just found out that their biggest client is requiring them to do this audit that they’ve never heard of. They feel under-the-gun and pressured to do this in order to check a box because it feels like something that’s been forced upon them. But one of the really great things as to why you should do a SOC 1 audit is because it does validate your controls; it does validate what you’re doing. You might be competing against another company in your industry that has not taken the step of having an independent third-party come in and evaluate those controls. When you have an experienced auditor, like those we have here at KirkpatrickPrice, come in with years of experience and perspective and provide you with guidance and expertise on what your controls are or are not doing, it’s a very good process for you to strengthen your environment. It’s a very healthy process to go through to have that external opinion of what you’re doing. Sometimes we have our own internal environments and we have blinders on because we’ve never had a third-party come in and look at it from a different vantage point. We find our clients telling us, “In year one when we did the audit with you, we just thought it was something we were just going to have to do and get it over with, but after years two and three, we’ve started to see that this is a very healthy process, and it actually helps our business get stronger and to grow.”

The Difference Between SOC 1 Type I and SOC 1 Type II

How Do You Know the Difference Between SOC 1 Type I and SOC 1 Type II?

When you begin thinking about pursuing SOC 1 compliance, you’ll have the option of choosing a Type I or Type II audit. While both of these audits assess a service organization’s controls and processes that may impact their clients’ internal control over financial reporting (ICFR), the biggest difference between SOC 1 Type I and SOC 1 Type II is the audit period. For example, if you decide to undergo a SOC 1 Type I audit, an auditor will assess your controls and processes and their impact over user entities’ ICFR for a specific moment in time. On the other hand, if your organization pursues SOC 1 Type II compliance, an auditor will assess your controls and processes and their impact over user entities’ ICFR over a minimum six-month period.

Do I Need to Start with a SOC 1 Type I or SOC 1 Type II Audit?

Determining whether you want to begin your SOC 1 compliance journey with either a Type I or Type II audit depends on your organization’s needs and what is required of you. At KirkpatrickPrice, we generally recommend that service organizations begin with a SOC 1 Type I before moving on to a SOC 1 Type II. Why? Because we want our clients to get the most out of their audit, which means that we want to set them up for success by preparing them with the tools they need to get through an information security audit. To do this, we offer a streamlined Type I process that combines our gap analysis service with a remediation project plan, resulting in the Type I audit report being delivered within weeks of the engagement kickoff. By beginning with a SOC 1 Type I using this streamlined approach, service organizations can then pursue their Type II compliance with a better understanding of the audit process and clearer expectations of how a SOC 1 audit works.

Has your organization been asked to demonstrate SOC 1 compliance? Are you still unsure if you need a Type I or Type II audit? Contact us today to learn how KirkpatrickPrice can help you get started on your compliance efforts.


Video Transcription

There are two types of SOC 1 reports: there’s a SOC 1 Type I report, and there’s a SOC 1 Type II report. The SOC 1 Type I report is an opinion on the fairness of the presentation of the description provided by management of the service organization, and there’s also an opinion on the suitability of the design of the controls. We also validate that the controls are in place as of a particular date. The SOC 1 Type II report has the exact same sections that I just mentioned for the Type I, but it adds on an additional section, which is testing performed by the service auditor on the operating effectiveness of the controls that are in place over a period of time. So, the Type I report cares about controls that are in place as of a particular date, whereas the Type II report cares about the operating effectiveness of those controls over a period of time. If you need help talking to an auditor about what report is right for you and what your audit period should be for your report, please contact one of our Information Security Specialists today.