Which Trust Services Criteria Do I Need to Include in my SOC 2 Audit?
Once you’ve determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Principles (recently updated to Trust Services Criteria) you want to include in your SOC 2 audit report. SOC 2 reports can address one or more of the following categories:
- Processing integrity
Becoming familiar with these five principles should be the first step in determining the scope of your SOC 2 audit and deciding which of these principles apply to the services your organization provides.
Selecting SOC 2 Principles with Joseph Kirkpatrick
The 5 SOC 2 Trust Services Principles
In a non-privacy SOC 2 engagement, the security category must be included. Security is the common criteria that applies to all engagements, and is what the other Trust Services Criteria are based off of. The security category addresses whether the system is protected (both physically and logically) against unauthorized access.
If the services your organization offers deal with sensitive data, such as Personally Identifiable Information (PII) or Protected Health Information (PHI), the confidentiality category should be present in your SOC 2 audit report. The confidentiality principle addresses the agreements that you have with clients in regard to how you use their information, who has access to it, and how you protect it. Are you following your contractual obligations by properly protecting client information?
Are you ensuring that the system you provide your clients is available for operation and used as agreed? Availability addresses whether the services you provide are operating with the type of availability that your clients would expect. The availability category typically applies to companies providing colocation, data center, or hosting services to their clients.
If the services you provide are financial services or e-commerce services and are concerned with transactional integrity, processing integrity is a category that should be included in your SOC 2 report. Are the services you provide to your clients provided in a complete, accurate, authorized, and timely manner? Are you ensuring that these things are happening?
Lastly, we have the privacy principle. The privacy category really stands on its own, as it specifically addresses how you collect and use consumers’ personal information. It ensures that your organization is handling client data in accordance with any commitments in the entity’s privacy notice as committed or agreed, and with criteria defined in generally accepted privacy principles issued by the AICPA.
Should You Include All 5 Trust Services Criteria in Your SOC 2 Audit?
You aren’t necessarily required to address all five of the Trust Services Criteria in your SOC 2 audit report; however, you should select the categories that are relevant to the services you are providing to your customers. If you’re ready to begin your SOC 2 audit report and need some help determining which of the Trust Services Principles you should include, contact us today.
More SOC 2 Resources
One of the first things that you have to do in order to prepare for a SOC 2 audit engagement is select which principles from the trust services principles will be included in your SOC 2 audit report. The principles again are: Security, Availability, Confidentiality, Processing Integrity and Privacy.
Security must be included in any non-privacy principle SOC 2 audit engagement. We refer to the security principle as the common criteria that applies to any SOC 2 engagement and applies across the board to all the principles involved except for privacy.
So you must include that one, but from there you will look at confidentiality. Do you have agreements with your clients about how you will use the information, who has access to it and how you will protect that, and are you abiding by those contracts that you’ve entered in to?
Processing integrity has to do with providing your services in a complete manner, in an accurate manner, in a timely manner and are you doing those things?
Availability has to do with, is your system available to your clients as agreed? The services that you provide – are you maintaining the type of availability that your clients would expect for your services to be available to them?
Then finally, Privacy really kind of stands on its own. It’s a very unique principle, it’s very different from the other four. And we usually issue that as its own type of report because it addresses how you collect and use personal information of consumers, and do they have rights to opt out of how their information is used. Do they have the ability to file a complaint and get a response from you on how information is being utilized?
So think about those five principles and what would be included in your SOC 2 audit engagement.