To comply with the System and Organization Controls (SOC) 2 reporting requirements, auditors must evaluate whether controls at the service organization meet the applicable trust services criteria (TSC), which can relate to a broad range of systems. As defined by the American Institute of Certified Public Accountants (AICPA), the TSC comprise five categories:
Security (or common criteria) – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
Availability – Information and systems are available for operation and use to meet the entity’s objectives.
Processing integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.
Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The AICPA requires the application of the TSC for every SOC 2 engagement. Since security is a common component of each of the five categories, a SOC 2 engagement must cover security as a minimum requirement. These security requirements are also referred to as the common criteria and are applicable to all SOC 2 examinations.
Organizations can exercise discretion regarding which of the remaining categories they apply. The application of availability, processing integrity, confidentiality, and privacy depends on:
Organization’s industry sector
Types of services it provides
Customer contracts, service level agreements, and their stipulations
Key stakeholder requirements
Types of data that the service organization maintains or stores
Criticality of operational tasks or processing activities
With certain exceptions, such as an engagement with a limited scope or the non-applicability of certain criteria, every criterion should be analyzed and included in the report. Regardless of the categories included within the scope of the examination, SOC 2 reports are restricted use reports, meaning that only the organization, its customers, and certain other parties should use them.
SOC 2 reports can help organizations:
Demonstrate a commitment to data protection and risk management
Streamline compliance with additional regulations
Establish and maintain security as a competitive advantage
Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit, and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc.