What is a SOC 2 Report?

Everything you need to know about SOC 2 Report

The SOC 2 report, along with the SOC 1 and SOC 3 reports, was developed by the American Institute of Certified Public Accountants (AICPA) to help service organizations that operate information systems and provide information system services to other entities build trust and confidence in their service delivery processes and controls.

What is the difference between SOC 1, SOC 2, and SOC 3 reports?

A SOC 1 report is based on the SSAE 18 standard. It reports on the effectiveness of internal controls at a service organization relevant to the client's internal control over financial reporting (ICFR).

A SOC 2 report evaluates internal controls, policies, and procedures that directly relate to the security of a system at a service organization. The SOC 2 report was designed based on 5 Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy.

Like SOC 2, the SOC 3 report has been developed based on AICPA's 5 Trust Service Criteria. It is a public report of internal controls over security, availability, processing integrity, and confidentiality.

What is a SOC 2 report?

A SOC 2 report ensures service providers securely manage customers' data. It was developed by the American Institute of Certified Public Accountants (AICPA) based on 5 Trust Service Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy. The service organization selects one or more TSCs to demonstrate that it has controls in place to mitigate risks to the service it provides.

Of the 5 TSCs, every SOC 2 report must include the security criterion, while the other 4 are optional and are added to the examination at the discretion of management.

Types of SOC 2 reports

There are 2 types of SOC 2 reports: SOC 2 Type 1 and SOC 2 Type 2.

A SOC 2 Type 1 report addresses the organization's security design at a specific point in time, enabling potential customers and partners to assess whether the organization can meet specific trust principles.

A SOC 2 Type 2 report is a Type 1 report on steroids, i.e., it has all the stuff covered under a Type 1 report and more. The Type 2 audit report also provides a clear description of the evidence for the efficacy of the organization's policies and controls, and the auditor's opinions on the effectiveness and consistency of these controls.

The Type 2 audit report gives a higher level of assurance on the service organization's data security and control systems. This report is based on the company's chosen Trust Service Criteria (TSC), and it examines the internal control practices and policies over 6 to 12 months.

What are SOC 2 Trust Service Criteria (TSC)?

To achieve SOC 2 certification and meet the latest SOC 2 report framework standards, organizations must implement Trust Service Criteria (TSC). TSC is a framework for designing, implementing, and evaluating information system controls.

The security trust criteria help in protecting information throughout its lifecycle in an organization. It protects the data from unauthorized access and unauthorized disclosure.

The availability trust criteria determine whether the organization's employees, clients, and partners can rely on its systems to do their work.

The processing integrity trust criteria focus on data accuracy and the completeness of end-to-end processing, ensuring that applications function without delay, error, omission, or accidental data manipulation.

The confidentiality trust criteria evaluate how organizations protect confidential information by limiting its access, storage, and use. They ensure that only authorized individuals can view sensitive information like legal documents or Personally Identifiable Information (PII).

The privacy trust service criteria evaluate how organizations protect customers' personal information like name, address, email, other identification info, and purchase history.

Which report do you need: SOC 2 Type 1 or SOC 2 Type 2?

If you are new to SOC 2 controls, and the primary purpose is to build compliance as a capability, or you have significant time and budget restrictions, it is ideal to start with a SOC 2 Type 1 audit. This will help you get familiar with the controls and identify information security gaps that you can address over the next 6-12 months. During this period, you can build the necessary processes against the failed controls and collect evidence to show the operating effectiveness of your controls and procedures, which will accelerate the timelines for a SOC 2 Type 2 audit.

However, the SOC 2 report is often a critical requirement of a vendor assessment by the organization you are trying to serve. More often than not, this mandates a SOC 2 Type 2 report rather than a SOC 2 Type 1 report. In such cases, it is worth spending the additional time and effort to get audited for SOC 2 Type 2 because it will lend fortified credibility to your infosec practices and build instant trust with customers.

What does a SOC 2 report include?

A SOC 2 report provides all the details of a service organization's internal controls. A SOC 2 report typically includes:

1. Report from an auditor

The SOC 2 final report briefly summarizes the entire SOC 2 examination, the time taken, and the auditor's opinion on how effectively the organization's controls map to the chosen Trust Service Criteria (TSC). The report covers system design, the service organization's responsibilities, the auditor's responsibilities, inherent limitations, and the auditor's opinion.

Here are the terms auditors use to describe their opinion:

An unqualified opinion is issued when an organization clears the audit. That means the controls your auditor tested were designed and operating as they should be.

A qualified opinion is issued when an organization clears a SOC 2 audit, but some areas require attention. That means the controls your auditor tested weren't designed or operating as needed.

An adverse opinion is issued when an organization fails a SOC 2 audit. That means clients cannot rely on the organization's systems.

A disclaimer opinion is when the auditor doesn't have the necessary evidence to establish an official opinion.

3. Management assertion

It is a declaration by the service organization about how its systems are designed and operated to accomplish its business objectives. It states whether system designs and controls comply with the AICPA's 5 Trust Service Criteria (TSC), and gives the timeframe and audit scope.

Management assertion acts as a legal document between the organization and the auditor.

The AICPA board has identified three functions to determine where a service organization stands. It ensures:

  • If the description of the service organization system is presented as per the description criteria.

  • If the controls stated in the description are suitably designed and operate effectively.

4. System description

The system description gives a high-level overview of the technologies used, like virtualization software, networking hardware, database types, backup configuration, and system redundancy.

It also provides information about system scope and requirements, control frameworks, system incidents, system components, and complementary information.

5. Auditors' Test of controls

The test of controls section describes how every test is performed during the audit. It provides information about the operating effectiveness of controls and details about the controls that may affect the organization's operations while delivering products or providing services to its customers.

Most SOC 2 test of controls sections include the Common Criteria (CC), Trust Services Criteria (TSC), control number, the company's control description, the auditor's test description, and test results on operating effectiveness.

6. Other information

Sometimes a service organization provides additional information on a business continuity program, incident response program, or any practices an organization wants to know

Who checks a SOC 2 report?

  • Existing and prospective customers want to know how you handle sensitive information.

  • Business partners want to know what internal controls an organization maintains to protect data from breaches.

  • Potential investors want to check the credibility and reliability of an organization's infosec posture.

  • Regulators check to ensure your organization's controls and systems comply with SOC 2 laws.

Start your compliance process with us!

Scrut Automation is a smart and radically simple Governance, Risk, and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, Compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, and privacy laws like HIPAA, GDPR, and CCPA. Schedule your demo today to see how it works.

