The Seven Components of a SOC 2 Report

You’ve partnered with a licensed CPA firm, you’ve properly scoped your environment, you’ve conducted a SOC 2 gap analysis, you’ve remediated any non-compliant findings, you’ve worked with your auditor, you’ve completed your SOC 2 audit and achieved SOC 2 compliance, and now you’re finally receiving your SOC 2 report. Congratulations! You may be wondering, what will be in my SOC 2 report? The seven components of a SOC 2 report are:

  1. Management’s Assertion – Management’s written statement that the system description is fairly presented and that the controls were suitably designed (and, in a Type II report, operating effectively) to meet the applicable Trust Services Criteria.
  2. Independent Service Auditor’s Report – The auditor’s opinion on the system description and on the suitability of the design (and, in a Type II report, the operating effectiveness) of the controls to meet the criteria.
  3. System Overview – Background on the service organization and the services covered by the report.
  4. Infrastructure – A description of the infrastructure, software, people, procedures, and data that make up the system under audit.
  5. Relevant Aspects of Controls – A description of the control environment, the risk assessment process, information and communication systems, and monitoring of controls.
  6. Complementary User-Entity Controls – The controls a user organization is expected to implement on its side so that the service organization’s controls can meet the criteria.
  7. Trust Services Criteria, Related Controls, and Tests of Controls – Maps each criterion to the controls in place and describes the auditor’s tests of those controls and the results.

Now that you have achieved SOC 2 compliance and received your SOC 2 report, these seven components give user entities reasonable assurance that the controls at your service organization are suitably designed, in place, and appropriately protecting client data. Keep in mind that a SOC 2 is a restricted-use report: it is intended only for the user organizations that rely on your services and their auditors. A SOC 3 report, by contrast, can be freely distributed and used in many different applications.

Reach out to us today if your service organization has been asking any of the following questions:

  • What is a SOC 2 report?
  • What will be in my SOC 2 report?
  • What are the Trust Services Criteria?
  • Why is a SOC 2 report valuable?
  • What is a SOC 3 report?
  • How can I market my SOC 2 compliance?

We frequently get the question: what will be in my SOC 2 report? The first of the seven components of a SOC 2 report is management’s assertion, which states that the system description is fairly presented and that the controls were suitably designed to meet the Trust Services Criteria. The second section is the Independent Service Auditor’s Report, which gives the auditor’s opinion on the suitability of the design and the operating effectiveness of the controls to meet the criteria. Next is the system overview, which provides background on the service organization. Infrastructure follows, describing the infrastructure, software, people, procedures, and data that make up the system. Next is Relevant Aspects of Controls, which describes the control environment, the risk assessment process, information and communication systems, and monitoring of controls. Then come the Complementary User-Entity Controls, which describe the controls the user organization is expected to implement on its side. Lastly, Trust Services Criteria, Related Controls, and Tests of Controls outlines the controls in place and describes the tests of the operating effectiveness of those controls against the criteria.

If you have any questions about a SOC 2 report, or if you’re interested in our SOC 2 compliance services, please reach out to us today.

Why Choose the Privacy Principle?

Once you’ve determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Criteria categories you want to include in your SOC 2 audit report. Typically, service organizations that need the Privacy Principle are collecting, using, retaining, disclosing, and/or disposing of personal information in order to deliver their services.

A classic example is a doctor’s office. What’s one of the first items that the receptionist hands you? A Notice of Privacy Practices. Why? You’re about to disclose personal information about your medical conditions to a medical provider, as well as provide other personal information such as your date of birth, insurance information, and the medications you take. So, what if the office shares that personal information with a marketing company to help market services or prescriptions to you? What if it shares the information with a research organization studying treatments for your condition? What if it gives that information to other medical providers who are treating you, or to an insurance company? That Notice of Privacy Practices must fully inform you of who your personal information will be shared with.

Including the Privacy Principle in your SOC 2 audit report demonstrates that your organization is handling personal information in accordance with the commitments made in its privacy notice and agreements. It also demonstrates that you’re handling that information in accordance with the ten Generally Accepted Privacy Principles (GAPP) issued by the AICPA:

  1. Management: Service organizations must define, document, and implement privacy policies and procedures that govern how personal information is used.
  2. Notice: Service organizations must provide notice to consumers about their privacy policies and procedures, fully informing them of how personal information is used.
  3. Choice and Consent: Individuals must have the ability to choose how their personal information is used and to give consent for that use.
  4. Collection: Service organizations collect personal information only for the purposes described in the notice and do not use it for any other purpose.
  5. Use, Retention, and Disposal: Service organizations must have privacy policies and procedures that define how personal information is used, how long it is retained, and how it is disposed of.
  6. Access: Service organizations provide individuals with the ability to access their personal information for review and updating.
  7. Disclosure to Third Parties: Service organizations disclose personal information only to the third parties identified in the notice.
  8. Security: Service organizations protect personal information through physical and logical access controls.
  9. Quality: Service organizations need quality management procedures not only to protect personal information, but also to make sure it is complete and accurate in the way it is used.
  10. Monitoring and Enforcement: Service organizations must monitor their own compliance with their privacy policies and procedures.

If you’re ready to begin your SOC 2 audit report and need some help determining which of the Trust Services Criteria you should include, contact us today.

When you include the Privacy Principle in your SOC 2 audit report, it’s important to understand the purpose of the Privacy Principle and the Generally Accepted Privacy Principles issued by the AICPA. Typically, organizations that need the Privacy Principle are collecting information directly from consumers and using that information in some way in the course of providing their service. You have to determine whether this applies to you.

The classic example is when you walk into a doctor’s office. What happens? They ask you to sign an acknowledgement that you have been given a Privacy Notice. It’s obvious why that applies in that situation. You’re about to see a medical provider, you’re about to provide personal information about your medical conditions, and you’re going to give them your date of birth, insurance information, and the medications that you’re on. They may share that information with a marketing company to help market services or prescriptions to you. They might share it with a research organization conducting research about treatments and experiences with your medical providers. They might share it with other physicians who are providing services to you, or with insurance companies. That Privacy Notice is supposed to disclose all of that, let you know that you have the option to opt out, and fully inform you as a consumer.

If you, in your business, are implementing the Privacy Principle, you have to have a method for managing the privacy policies and procedures you put into place to govern how personal information is used. You will provide notice to consumers about how you’re going to use their information so that they’re fully informed, you’re going to give them some choice in the matter, and you’re going to ask them to consent to the use you intend. You’re only going to collect information for the purpose of delivering your service, and you’re not going to use it for any other reason you have not notified them about.

You’re going to have privacy policies and procedures about how personal information is used, how you retain it, and how you dispose of it. Do you keep that information perpetually? Do you keep it for 20 years, 10 years, 7 years? Your policies have to define how long you will keep that information and how you will eventually dispose of it. You have to provide consumers with the ability to access their information; they have a right to know what you have and how you’re using it. You have to have privacy policies and procedures that govern how you disclose information to third parties, such as the service providers that help you deliver your services. You have to have security procedures in place to protect that information while it is in your custody. You will also need quality management procedures, not only to protect the information, but to make sure it’s complete and accurate in the way that you’re using it, so that you don’t share information you shouldn’t or misrepresent the consumer’s information in some way.

Finally, you have to have your own monitoring practice so that you can verify you are in compliance with your policies and procedures and are monitoring how personal information is used on a daily basis.

There are a lot of things to think about across the 10 principles within the SOC 2 Privacy Principle, so please contact us if we can help you understand this any further.

When it comes to SOC (System and Organization Controls) reports, there are three different SOC report types: SOC 1, SOC 2, and SOC 3. When considering which report fits your organization’s needs, you must first understand what your clients require of you and then consider the areas of internal control over financial reporting (ICFR), the Trust Services Criteria, and restricted use. Each SOC report type fulfills a different purpose, and organizations should understand which report will best meet their needs before embarking on the SOC audit process.

SOC 1 vs. SOC 2 vs. SOC 3

The System and Organization Controls were developed by the American Institute of CPAs (AICPA). In the context of SOC reports, internal controls are procedures designed to ensure compliance with policies relevant to company operations, laws and regulations, and financial reporting. Following an audit of internal controls by a licensed CPA, the auditor issues a SOC report that service users can rely on as an accurate assessment of the auditee’s controls.

There are three different SOC report types, although, in most cases, organizations choose between a SOC 1 and a SOC 2 report. Both result from an audit of internal controls, but they focus on different aspects of those controls. In a nutshell, SOC 1 covers controls relevant to a service user’s financial reporting, whereas SOC 2 covers controls relevant to information security and the other Trust Services Criteria.

What Is a SOC 1 Report?

SOC 1 engagements are performed under the SSAE 18 standard and report on the effectiveness of internal controls at a service organization that may be relevant to its user entities’ internal control over financial reporting (ICFR).

What Is a SOC 2 Report?

A SOC 2 audit evaluates the internal controls, policies, and procedures that relate to the security of a system at a service organization. A SOC 2 report evaluates those controls against one or more of the five Trust Services Criteria categories: security, availability, processing integrity, confidentiality, and privacy. These criteria address controls outside the scope of ICFR.

What Is a SOC 3 Report?

A SOC 3 report, just like a SOC 2, is based on the Trust Services Criteria, but there’s a major difference between these types of reports: restricted use. A SOC 3 report can be freely distributed, whereas SOC 1 and SOC 2 reports are restricted to the user organizations that rely on your services and their auditors. A SOC 3 does not include the detailed system description, the controls, or the auditor’s tests and results, but it does provide interested parties with the auditor’s opinion on whether the entity maintained effective controls over its system with respect to the Trust Services Criteria.

In addition to these distinctions, organizations can also choose between Type I and Type II SOC reports. We explain the distinction in greater depth in What’s the Difference Between SOC 2 Type I and SOC 2 Type II?

When trying to determine whether your service organization needs a SOC 1, SOC 2, or SOC 3 audit, keep these requirements in mind:

  • Could your service organization affect a client’s financial reporting? A SOC 1 would apply to you.
  • Does your service organization want to be evaluated against the Trust Services Criteria? SOC 2 and SOC 3 reports would work.
  • Does restricted use affect your decision? SOC 1 and SOC 2 reports are restricted to the user organizations that rely on your services and their auditors. A SOC 3 report can be freely distributed and used in many different applications.

Each of these reports must be issued by a licensed CPA firm, such as KirkpatrickPrice. We offer SOC 1, SOC 2, and SOC 3 engagements. To learn more about KirkpatrickPrice’s SOC services, contact us today.

What is the difference between SOC 1, SOC 2, and SOC 3 reports? SOC reports were originally called Service Organization Control reports; the AICPA now uses the name System and Organization Controls.

SOC 1 reports are issued under SSAE 16 (now superseded by SSAE 18), which deals with internal control over financial reporting. As a service organization, you may affect your user organizations’ financial reporting. If so, a SOC 1 is the one for you.
The Trust Services Principles are the criteria dealing with security, availability, processing integrity, confidentiality, and privacy. Those principles apply to SOC 2 and SOC 3 reports.

SOC 1 and SOC 2 reports are restricted-use reports: they are only to be read by the user organizations that rely upon your services, whereas a SOC 3 can be freely distributed and used in many different applications.

Finally, all three types of reports need to be issued by a licensed CPA firm that specializes in SOC engagements and understands the industry you work in. KirkpatrickPrice is a licensed CPA firm that can help you with all three types of reports: SOC 1, SOC 2, and SOC 3.

History of the SOC 2 Trust Services Principles

The Service Organization Control 2 (SOC 2) report focuses on non-financial controls at an organization as they relate to security, availability, processing integrity, confidentiality, and privacy. These are also known as the Trust Services Principles (TSPs). In 2014, the SOC 2 Trust Services Principles were updated, and one of the major changes was to the SOC 2 Security Principle. The update introduced the Common Criteria, which eliminated the overlap between the Trust Services Principles. Before this update, many SOC 2 reports repeated the same controls over and over to address the overlapping requirements of the individual principles. Since the 2014 update, the Common Criteria apply to every SOC 2 audit report.

What is the SOC 2 Security Principle?

The SOC 2 Security Principle is a must, and should be included in any SOC 2 engagement other than a privacy-only engagement. The Security Principle now consists of the Common Criteria, which apply to all TSPs within the audit report and are grouped into the following seven categories:

  • Organization and Management: How is your company structured? How do you oversee the services your organization performs?
  • Communication: How do you communicate to your internal and external users about how your system works? How do you communicate policies, procedures, and expectations to authorized users and other parties?
  • Risk Assessment and Risk Management: How are you implementing controls to manage known risks? How do you select the controls that are put in place to meet the criteria? A risk assessment must be performed in order to determine what controls are necessary to address the risks that your organization is dealing with.
  • Monitoring: Monitoring is a follow up to risk management. Once you’ve put a control in place, how are you monitoring it to know that it is operating effectively and appropriately addressing the risk? Do any changes or remediations need to be made?
  • Physical and Logical Access: How do you control access to sensitive data and systems within your organization? You should be implementing physical controls, such as a card reader or a lock and key on the door to any area that contains sensitive information. You should also be implementing logical controls, such as passwords and other requirements for identifying a user before they are authorized to access a system.
  • System Operations: This criterion covers how your organization manages day-to-day processes and procedures, including what you do on a daily, weekly, and monthly basis to execute your services.
  • Change Management: Lastly, when you have to make changes to your system or services, how are these changes being documented? How are you testing those changes and addressing any new risks that may be associated with these changes? How are they approved prior to making the change in your environment?

These common criteria should be reviewed by all organizations before being audited against the SOC 2 security principle and must be in place for your auditor to review. For more information on preparing for your SOC 2 audit or help with meeting these common criteria, contact us today.

In 2014, the SOC 2 Trust Services Principles were updated, and one of the major modifications was to the Security Principle, which is now referred to as containing the Common Criteria for all of the Trust Services Principles within the SOC 2 audit report. What that means is that everything was condensed and the redundancies were taken out of the process, so that the focus is on a single set of common criteria that applies to any of the principles and a service organization does not have to repeat itself over and over again throughout the report. The Security Principle is a “must” to have in your SOC 2 audit report because of that common criteria. It has to be included in any SOC 2 audit engagement other than a privacy-only engagement.

There are 7 categories within the Security Principle. The first is Organization and Management: how is your company structured? How do you oversee the services that you perform? Next is Communication: how do you communicate to internal and external users about how your system works? How do you communicate policies, procedures, and expectations? Then there is Risk Assessment and the Management of Risk through the implementation of controls: how does your organization select the controls that you put in place to meet the criteria? That has to be done through some type of risk assessment in order to determine what kind of controls are necessary to address the risks that you are dealing with.

The follow-up to that is the Monitoring of Controls: once you put a control in place, how do you monitor it to make sure that it’s effective and to detect when changes or remediation are needed because the control has become ineffective? That’s done through monitoring. There is also Logical and Physical Access to sensitive information and systems: how do you control physical access, such as entry through a door into a sensitive area that may be controlled by some type of card reader or lock and key? And logical access: are there passwords? Are there requirements for identifying the user before they access the system?

Then we’ve got System Operations, which has to do with your day-to-day processing: what are your procedures? What do you do on a daily, weekly, and monthly schedule in the execution of your services? And lastly, we’ll be looking at Change Management: when you have to make changes to your system or to the service that you’re providing, how do you document those changes? How do you test them? How do you evaluate the risk? How do you approve them, so that those changes are well documented and approved prior to making the change in the environment?

So these are some areas to think about as you prepare to be audited against the Security Principle, because that criteria will be very important to have in place for your auditor to review.

Wondering how to prepare for a SOC 2 Audit? Here are the 5 things you need to pass your SOC 2 Audit.

The pressure is on as more and more service providers and service organizations are being asked by clients for a SOC 2 audit report. Are you prepared to demonstrate your commitment to security and privacy to your clients and prospects? KirkpatrickPrice is here to help get you started.

Not all SOC 2 audit preparation is created equal. Here are 5 things you need to pass your SOC 2 audit.

1. Annual Risk Assessment

Three questions you should ask yourself at least once a year: Have I identified potential threats to my organization? Have I analyzed the significance of the risks associated with each threat? What are my mitigation strategies for addressing these risks? In answering these questions, you will have performed a risk assessment, the foundation of any successful information security program. After all, how can you protect your organization from threats if you don’t know what those threats are?

Utilizing a Risk Assessment Guide can help get you started with the process if this is your first time.

2. Annual Policy and Procedure Review

Annual policy and procedure review is the best way to make sure that there are no gaps in your security posture in preparation for your SOC 2 audit. It also helps when determining that you’ve properly documented everything you say you’re doing and that it is being communicated to any, and all, relevant personnel.

As far as your auditor is concerned, if it isn’t documented, it’s not happening.

Annually reviewing your policies and procedures is a good way to continuously mature your environment while ensuring due diligence in preparation for your SOC 2 audit.

3. Fully Developed Security Awareness Employee Training Program

Did you know you’re only as strong as your weakest link? Annual security awareness training programs are important to make sure all personnel, from IT to operations, understand security awareness and are taking steps to protect your organizational assets from a breach. Security awareness training is an important aspect of SOC 2 compliance and a necessary component of any information security management program.

4. Vendor Management Procedures

Vendor management is a must when it comes to ensuring that your vendors are complying with information security best practices and standards. Vendors present risk to every organization, so in order to properly prepare for your SOC 2 compliance audit, you must regularly and thoroughly vet your vendors, and document the procedures for managing your vendors.

5. Incident Response and BCDRP

Lastly, any organization preparing for a SOC 2 audit must develop and test its Incident Response Plan and its Business Continuity and Disaster Recovery Plan (BCDRP).

Has it been mapped? Planned? Tested?

The purpose of incident response planning is to know how to react, and which steps to take, in the event of a breach in order to minimize damage and risk to your organization and business operations. Once your organization has accomplished these five things, you’re ready to begin your SOC 2 audit process.

Get Help Preparing for Your SOC 2 Audit

If you’ve successfully prepared these things, and you’re ready to engage a third-party auditing firm in your SOC 2 audit, Contact Us Today!