Posts

Combining SOC 2 and PCI Audits

We get a lot of questions about SOC 2 and PCI audits. Should your company do both? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 2 and PCI audit.

What are SOC 2 and PCI Audits?

Before we discuss how to go through a combined SOC 2 and PCI audit, let’s review what each of these types of audits are.

A SOC 2 audit is an assessment of the internal controls at a service organization that protect client data. The SOC 2 audit was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria). A SOC 2 audit must be conducted by a CPA firm.

The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The founding payment brands include Visa, Inc., MasterCard, Discover Financial, American Express, and JCB International. The PCI DSS consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. A PCI audit must be conducted by a QSA.

Why a Combined SOC 2 and PCI Audit?

Why would a company pursue a combined SOC 2 and PCI audit? Depending on your services, both could be valuable for your organization. PCI compliance may not actually be an option for you – rather, it’s a requirement. There are a couple different scenarios of why you would pursue a SOC 2 attestation along with your PCI RoC. You could have clients that appreciate your PCI compliance, but also specifically ask for a SOC 2 report from you. Or, in other circumstances, your clients may not know the value of your PCI RoC, so they require a SOC 2 report. Even when you’re not required to undergo a SOC 2 audit, though, you could consider doing a combined SOC 2 and PCI audit to get ahead of the competition on either or both types of compliance.

Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it’s always a wise decision to do your due diligence and know what your options are for meeting their requirements and industry standards. To effectively ensure that your controls meet the demands of the variety of clients and stakeholders that you serve, you should know that a combined SOC 2 and PCI audit is an option.

Using the Online Audit Manager

Our goal is to make SOC 2 and PCI reports more accessible to organizations who are being asked for them, so in order to complete a combined SOC 2 and PCI audit, we utilize the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and money. Completing a combined SOC 2 and PCI audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.

More SOC 2 and PCI Resources

4 Reasons to Start a PCI Audit Right Now

Using the Online Audit Manager to Complete Multiple Audits

4 Reasons the Online Audit Manager is the Audit Tool You’ve Been Missing

SOC 2 Academy: What’s New with SOC 2?

New Elements of SOC 2

In April 2017, the AICPA issued several updates to SOC 2 reporting. The most noticeable change is the revision from “Trust Services Principles and Criteria” to “Trust Services Criteria.” Other updates include points of focus, supplemental criteria, and the inclusion of the 17 principles from the 2013 COSO Internal Control Framework. Let’s take a look at how these principles will be used in a SOC 2 report.

Updates to the COSO Internal Control Framework

The COSO Internal Control Framework is used to assess the design, implementation, and maintenance of internal controls and assess their effectiveness. While the five basic components of the COSO Internal Control Framework – control environment, risk assessment, control activities, information and communication, and monitoring activities – have not changed, the 17 principles of principles of internal control that are aligned with each of the five basic components. Additionally, there are now 81 points of focus across these 17 principles.

What are the 17 Principles of Internal Control?

The introduction of these 17 principles of internal control allow for organizations to have an explicit understanding of what each of the five basic COSO components requires, making it easier for organizations to apply them. Every organization pursuing a SOC 2 report, regardless of size, must demonstrate that each of the 17 principles of internal control are present, functioning, and operating in an integrated manner. An organization’s ability to satisfy each of the five components and their subsequent principles demonstrates that they have an effective system of internal controls. The 17 principles of internal control include:

What are the 17 Principles of Internal Control?

The 17 internal control principles do not map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcript

The AICPA issued new SOC 2 Trust Services Criteria in 2017. These criteria must be used for any reports issued after December 15, 2018. Until that date, you have the option of using the 2016 criteria or the 2017 criteria.

One of the big things that is new in the 2017 criteria is the inclusion of the 17 principles from the COSO Internal Control Framework. These 17 principles have to do with things dealing with governance of the organization, how you communicate issues to the employees within your organization, how you perform risk assessments, or how you monitor your controls.

You can reference some of our other materials on the COSO Internal Control Framework and also visit our web portal, where you can find resources on this topic.

SOC 2 Report Criteria and FAQs

SOC 2 FAQs

When a client pursues a SOC 2 audit for the first-time, they normally ask: What are the requirements of a SOC 2 audit? How are we going to be judged? What can I do to prepare? Which Trust Services Criteria should I select? KirkpatrickPrice strives to be your audit partner and will work with your organization to answer each of these SOC 2 FAQs.

Preparing for a SOC 2 Audit

One of the most common SOC 2 FAQs is: How should I be preparing for a SOC 2 audit? One of the best things to do when preparing for a SOC 2 audit is review the purpose of the final component of a SOC 2 audit report, which describes the controls in place to meet the Trust Services Criteria and describes the auditor’s test of controls to determine the effectiveness of the controls. Each category of the Trust Services Criteria has standards that you must meet to demonstrate your compliance. When preparing for a SOC 2 audit, your organization should go through these standards and review how you meet each one.

For example, the security principle requires that the entity, your organization, “has established workforce conduct standards, implemented workforce candidate background screenings procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to the applicable Trust Services Principles.” How would you organization review how you meet this standard?

The first element of this criteria is workforce conduct standards. An assessor would ask your organization questions like:

  • What are your workforce conduct standards? For many organizations, this will be a part of your employee handbook.
  • Do you have employees acknowledge the employee handbook?
  • Do you offer training to teach what your workforce conduct standards are?

The security principle criteria also specifies background screening procedures. To verify compliance with this criteria, an assessor would ask your organization questions like:

  • Do you have written policies and procedures? This may also be a part of your employee handbook.
  • Can we see evidence that background screening reports have been ordered? We want to ensure that when an organization says they’re doing background screening, they’re actually doing background screening.

The last element in this example is conducting enforcement procedures.

  • How do you enforce employee handbook standards that govern workplace conduct?
  • How do you enforce the policies and procedures relevant to background screening?
  • Do you communicate the consequences of violating these standards to your employees?

How would your organization prepare for a SOC 2 audit? Preparing for a SOC 2 audit requires many exercises in risk management, internal control review, and comparison with the Trust Services Criteria. To discover answers to more of your SOC 2 FAQs, contact us today.

Video Transcript

Some of the SOC 2 FAQs that we receive from clients who contact us about a SOC 2 report are: what are the requirements? What do I need to do to prepare? How are we going to be judged against the standard?

The way that a SOC 2 audit report works is we will be looking at criteria. As part of the Trust Services Principles (recently updated to the 2017 Trust Services Criteria), each principle has criteria that you must meet to demonstrate that you have placed this criteria into operation in order to meet the purpose of the principle that’s being audited.

Let me give you an example of a criteria so this idea can start to take shape and you can picture what an audit might look like when working with us during a SOC 2 engagement. In the security principle, which is also referred to as the Common Criteria for SOC 2 audit reports, there’s criteria that states, “The entity has established workforce conduct standards, implemented workforce candidate background screenings procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to the applicable Trust Services Principles.” When we look at that criteria, we’re going to be asking you: What are your workforce conduct standards? For a lot of people, that will be contained within an employee handbook that governs the conduct standards that you have for your employees while they’re under your employment. Do you have them acknowledge the handbook? Do you do training in order for them to understand what the standards are? Those are the types of things that we would look at in order to determine whether or not the criteria are in place.

This piece of criteria also specifies background screening procedures. So, we would expect to see a procedure on that written out, usually part of an employee handbook. We would also want to see evidence that the background screening reports have been ordered and you’re actually doing that for any employee hired. We have encountered situations where an organization says that they’re doing background checks in accordance with the criteria, but then we see that they haven’t done the background checks. We need to see that the criteria has been met.

The last piece in this example I’ve given you is that you conduct enforcement procedures in order to enable your organization to meet its commitments. In other words, if you have an employee handbook that governs workplace conduct, if you have a policy that you must perform background checks when people are hired, how do you enforce that? How do you make sure that people are actually following the rules? We would ask you how you monitor that, if you address standards in performance reviews, and do you communicate to your employees that violation of those standards or background check requirements would result in some type of discipline up to termination.

This is an example of criteria and how you’d be able to demonstrate that you meet the criteria. That’s the type of thing to prepare for in your SOC 2 audit report.

What Will Be in My SOC 2 Report?

The Seven Components of a SOC 2 Report

You’ve partnered with a licensed CPA firm, you’ve properly scoped your environment, you’ve conducted a SOC 2 gap analysis, you’ve remedied any non-compliant findings, you’ve worked with your auditor, you’ve completed your SOC 2 audit and achieved SOC 2 compliance, and now you’re finally receiving your SOC 2 report. Congratulations! You may be wondering, what will be in my SOC 2 report? The seven components of a SOC 2 report include:

  1. Assertion – Provides a description to users on the service organization’s system controls, intended to meet Trust Services Criteria.
  2. Independent Service Auditor’s Report – Provides a description of the service auditor’s examination of the suitability and effectiveness of the controls to meet the criteria.
  3. System Overview – Provides background information on the service organization.
  4. Infrastructure – Provides a description of the software, people, procedures, and data within the organization’s environment.
  5. Relevant Aspects of Controls – Provides a description on the control environment, the risk assessment process, information communication systems, and monitoring of controls.
  6. Complementary User-Entity Controls – Provides a description on how controls are implemented at the user organization.
  7. Trust Services Criteria, Related Controls, and Tests of Controls – Outlines the controls in place and describes the tests on the effectiveness of the controls to meet the criteria.

Now that you have achieved SOC 2 compliance and received your SOC 2 report, the seven components of a SOC 2 report will provide user entities with reasonable assurance and the peace of mind that the controls at your service organization are suitably designed, in place, and appropriately protecting client data. A SOC 2 report can only be read by the user organizations that rely on your services, but a SOC 3 can be freely distributed, used in many different applications.

Reach out to us today if your service organization has been asking any of the following questions:

  • What is a SOC 2 report?
  • What will be in my SOC 2 report?
  • What are the Trust Services Criteria?
  • Why is a SOC 2 report valuable?
  • What is a SOC 3 report?
  • How can I market my SOC 2 compliance?

Video Transcript

We frequently get the question: what will be in my SOC 2 report? The first of the seven components of a SOC 2 report is the assertion. The assertion provides a description to users on the service organization’s system controls, intended to meet Trust Services Criteria. The second section is Independent Service Auditor’s Report. The section provides a description of the service auditor’s examination of the suitability and effectiveness of the controls to meet the criteria. Next, we have system overview. The system overview provides background on the service organization. Infrastructure is next. Infrastructure provides a description on the software, people, procedures, and data. Next, we have Relevant Aspects of Controls. This section provides a description on the control environment, the risk assessment process, information communication systems, and monitoring of controls. Next, we have Complementary User-Entity Controls. This section provides a description on how controls are implemented at the user organization. Lastly, we have Trust Services Criteria, Related Controls, and Tests of Controls. This section outlines the controls in place and describes the tests on the effectiveness of the controls to meet the criteria.

If you have any questions about a SOC 2 report, or if you’re interested our SOC 2 compliance services, please reach out to us today.

What is the Purpose of the SOC 2 Privacy Principle?

Why Choose the Privacy Principle?

Once you’ve determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Criteria you want to include in your SOC 2 audit report. Typically, service organizations that are concerned about the Privacy Principle are collecting, using, retaining, disclosing, and/or disposing of personal information to deliver their services.

A classic example is a doctor’s office. What’s one of the first items that the receptionist hands you? A Notice of Privacy Practices. Why? You’re about to disclose personal information about your medical conditions to a medical provider, as well as provide them with other personal information like your data of birth, insurance information, list of medications that you’re on. So, what if the office shares that personal information with some type of a marketing company to help market services or prescriptions to you? What if they share it with a research organization that’s conducting research about treatments for your condition? What if they give that information to other medical providers who are providing services to you, or to an insurance company? That Notice of Privacy Practices must fully inform you of who your personal information will be shared with.

Including the Privacy Principle in your SOC 2 audit report ensures that your organization is handling client data in accordance with any commitments in the privacy notice as committed or agreed upon. The Privacy Principle also demonstrates that you’re handling client data in accordance with criteria issued by the AICPA, including:

  1. Management: Service organizations must define, document, and implement privacy policies and procedures, which govern how personal information is used.
  2. Notice: Service organizations must provide notice to consumers about its privacy policies and procedures, fully informing them of how personal information is used.
  3. Choice and Consent: Individuals must have the ability to choose how personal information is used and give consent for the use their personal information.
  4. Collection: Service organizations only collect personal information for the purposes described in the notice; services organizations will not use it for any another reason.
  5. Use, Retention, and Disposal: Service organizations will have privacy policies and procedures that define how personal information is used, retained, and disposed of.
  6. Access: Service organizations provide individuals with the ability to access their information for review and updating.
  7. Disclosure to Third Parties: Service organizations will only disclose personal information to third parties identified in the notice.
  8. Security: Service organizations protect personal information through physical and logical access controls.
  9. Quality: Service organizations need to have quality management procedures in order to not only protect personal information, but make to sure it’s complete and accurate in the way it’s used.
  10. Monitoring and Enforcement: Service organizations must monitor their compliance with privacy practices.

If you’re ready to begin your SOC 2 audit report and need some help determining which of the Trust Services Criteria you should include, contact us today.

Video Transcript

When you include the Privacy Principle in your SOC 2 audit report, it’s important to understand the purpose of the Privacy Principle and the generally-accepted Privacy principles issued by the AICPA. Typically, organizations that are concerned about the Privacy Principle are collecting information directly from consumers. They are using that information in some way in the course of providing their service and you have to determine if this applies to you.

The classic example is when you walk into a doctor’s office, what happens? They ask you to sign an acknowledgement that you have been given a Privacy Notice. That’s very obvious why that applies in that situation. You’re about to see a medical provider, you’re about to provide personal information about your medical conditions, you’re going to give them your data of birth, insurance information, the medications that you’re on, and they may use that information to share with some type of a marketing company to help market services or prescriptions to you. They might share that information with a research organization who’s conducting research about treatments and experiences with your medical providers. They might share that information with other physicians who are providing services to you. They might be sharing that information with insurance companies. That Privacy Notice is supposed to disclose that and let you know what you have the option to opt out and fully inform you as a consumer.

If you, in your business, are implementing the Privacy Principle, you have to have a method for managing your privacy policies and procedures that you will put into place to govern how personal information is used. You will provide notice to consumers about how you’re going to use their information so that they’re fully informed, you’re going to give them the ability to have some choice in the matter, and you’re going to ask them to give you consent to use their information in the way that you are intending to use it. You’re only going to collect information that is for the purpose of delivering your service, you’re not going to use it for another reason that you have not notified them about. You’re going to have privacy policies and procedures about how personal information is used, how you retain it, and how you dispose of it. Do you keep that information perpetually? Do you keep it for 20 years, 10 years, 7 years? You have to have those things defined in your policies about how you will keep and then eventually dispose of that information. You have to provide consumers with the ability to access their information; they have a right to know what you have and how you’re using it. You have to have privacy policies and procedures that govern how you disclose information to third parties who might be service providers to you and help you in the delivery of your services. You have to have security procedures in place in order to protect that information while you have it within your custody. You will have to have some quality management procedures in order to not only protect the information, but make sure it’s complete and accurate in the way that you’re using it and you don’t make mistakes in sharing information that you shouldn’t or misrepresent the consumers information in some way. Finally, you have to have your own monitoring practice in order to monitor that you are in compliance with your policies and procedures and you are monitoring how personal information is used on a daily basis.

There’s a lot of things to think about with the 10 principles within the SOC 2 Privacy Principle, and please contact us if we can help you understand this any further.