What is SOC 2 Audit

The Service Organization Control (SOC) 2 audit is an auditing procedure that focuses on non-financial reporting controls, which rely on five Trust Services Criteria: Security, Confidentiality, Availability, Privacy and Processing Integrity. A SOC 2 report is designed to assure the user entity that the non-financial reporting controls at the service organization are adequately designed and operating effectively, so that they protect crucial and sensitive client and customer data. For many businesses and user entity organizations, compliance with this auditing procedure is of utmost importance, or a prerequisite, when looking for a service provider. So, like the SOC 1 audit, the SOC 2 audit is also performed and attested by a certified public accountant (CPA).

Like SOC 1, SOC 2 reports are of two types, generally known as the SOC 2 Type I report and the SOC 2 Type II report. The two report types are described below:

SOC 2 Type I Report

A SOC 2 Type I report is generally required when user entity management requires a report on the fairness of the presentation of the service organization’s system and on the suitability and adequacy of the design of its controls as of a specified date. Also, when a service organization implements its system’s controls for the first time, or while it is assessing the readiness of those controls, it may start with a SOC 2 Type I report. The SOC 2 Type I report describes the suitability of the design of controls over the service organization’s system. It is referred to as a point-in-time report (or a report ‘as of’ a particular date), and it reports on management’s description of the controls that have been placed into the service organization’s operations and systems. The key difference between the Type I and Type II reports is the ‘as of’ date, i.e. the Type I report deals with the specifics of a system at a particular point in time.

A SOC 2 Type I report is now important and crucial for assuring the user entity that the service organization can adequately handle customer data, for example in healthcare firms, data centre service companies and financial organizations. The service organization can demonstrate its reliance on any (or all) of the Trust Services Criteria, which are security, availability, confidentiality, privacy and processing integrity. The service organization needs to design and implement its controls with the Trust Services Criteria and the related security controls in mind, to ensure compliance while processing sensitive data.

The Type I report begins with the auditor’s opinion about the service organization’s controls and the scoped Trust Services Criteria, which constitutes Section 1 of the report. Section 2 presents the service organization’s management assertion, in which management states that the description of the business system is fairly presented and that the control objectives and controls were suitably designed during the audit period. Section 3 contains the description of the system, and Section 4 details the description of the tests of controls, the procedures used to test the controls, and the results or outcomes of the testing. The last section, Section 5, provides other information that the service organization usually supplies about relevant processes that were not tested during the audit, such as business continuity planning and disaster recovery.

SOC 2 Type II Report

A SOC 2 Type II report gives higher assurance than a SOC 2 Type I report, because it provides reliance on both the design and the operating effectiveness of the controls at the third-party service provider, i.e. assurance about the service organization to the user entity. Therefore, in order to obtain assurance on the fairness of the presentation of the service organization’s system and on the suitability and adequacy of the design and implementation of controls over a specified audit period, the user entity requires a Type II report. This audit period can range from six months to 12 months.

The Type II audit is performed over a particular audit period, and the report covers management’s description of the controls that have been placed into the service organization’s operations and systems. With a Type II report, a service organization is able to send a strong message to existing or prospective clients that it has applied best practices in data security and control of its systems. Like the Type I report, the SOC 2 Type II report deals with any (or all) of the five Trust Services Criteria, or principles, of data processing and storage. The five Trust Services Criteria (TSC) are security, confidentiality, availability, processing integrity and privacy.

The main difference between Type I and Type II reports is that the former covers a specified date and the latter an audit period. The Type II report includes the auditor’s opinion about the service organization’s controls and the scoped Trust Services Criteria in Section 1 of the report. Section 2 presents the service organization’s management assertion, in which management states that the description of the business system is fairly presented and that the control objectives were suitably designed and operating effectively during the audit period. Section 3 contains the description of the system, and Section 4 presents the description of the tests of controls, the procedures used to test the IT and security controls, and the results or outcomes of the testing. The last section, Section 5, provides other information that the service organization usually supplies about relevant processes that were not tested during the audit, such as business continuity planning and disaster recovery.