
SOC 1/2/3

 

SOC (System and Organisation Controls, originally Service Organisation Control) reports

 

More and more organisations are moving essential services to third party organisations, who provide cloud and data storage, bill processing, and payroll services.

SOC reports are internal control reports based on a set of standards developed by the American Institute of Certified Public Accountants (AICPA).

Organisations are inherently exposed to risk when they use third party organisations, so it is important to verify those providers' security measures (vendor due diligence). In the past, organisations relied on questionnaires and contractual clauses, but these often aren't enough for critical vendors, which is why Service Organisation Controls reports were created. An independent report allows organisations to increase trust and transparency with both internal and external stakeholders.

Spritzmonkey have extensive experience in working with our clients to implement SOC 1 and 2.

Need help?

Please contact us to arrange a telephone or face-to-face appointment to discuss your needs

Get in touch

SOC FAQs

We can also help with ISO 27001 and ISO 9001

SOC 1

SOC 1 (Reporting on Controls at a Service Organisation relevant to user entities' internal control over financial reporting, performed under the AICPA attestation standard SSAE 18, AT-C section 320, which superseded SSAE 16) is designed for services that process financial transactions. It is used to validate controls covering the completeness and accuracy of financial transactions and financial statement reporting.

Components of a SOC 1 Report

  • Auditor’s opinion

  • Management’s assertion and description of the system

  • Control objectives and the related controls (a Type 2 report also includes the auditor’s tests of those controls and the results)

A SOC 1 report includes details of the controls relevant to financial reporting. The main audience of a SOC 1 report is the auditors of the user entity’s financial statements, together with the management of the user entities and of the service organisation.

SOC 2

SOC 2 (an attestation engagement, not a certification) is designed to examine and report on a vendor’s controls against the five “trust services principles” established by the AICPA (the 2017 version of the standard calls them Trust Services Criteria, grouped into five categories):
</gray_replace>
<gr_replace lines="52" cat="clarify" orig="3.       Processing">
3.       Processing integrity - “System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”

1.       Security (also known as ‘common criteria’) - “Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”

2.       Availability - “Information and systems are available for operation and use to meet the entity’s objectives.”

3.       Processing integrity - “Information and systems are available for operation and use to meet the entity’s objectives.”

4.       Confidentiality - “Information designated as confidential is protected to meet the entity’s objectives.”

5.       Privacy controls - “Personal information is collected, used, retained, disclosed and disposed [of] to meet the entity’s objectives.”

(From: AICPA, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP section 100)

Service organisations are assessed against a standardised set of criteria for each category in scope. SOC 2 is relevant to any service organisation that processes or stores customer data on its customers’ behalf, such as SaaS, cloud hosting and managed service providers.

Components of a SOC 2 Report

  • Auditor’s opinion

  • Description of controls

  • Applicable trust services principles and controls

SOC 2 Reports

To achieve a SOC 2 report, organisations must implement controls that meet the criteria in scope. In practice the auditor will expect to see controls covering at least the following areas:

  • System monitoring

    • Organisations must continuously monitor their information systems, keeping track of who is accessing sensitive information and what changes are made.

    • Access control management must be monitored and reviewed so that employees can only view the information relevant to their job (least privilege).

    • This reduces the risk posed by malicious insiders and limits the damage if an attacker gains unauthorised access.

    • Access controls also provide a second layer of defence if weak passwords are chosen or employees succumb to a phishing scam.

  • Data breach alerts

    • No matter how sophisticated your cyber security defences are, you should assume that at some point an attacker will get through.

    • When a security event occurs, you need monitoring that detects it and alerts the right people promptly.

  • Audit procedures

    • Organisations must keep detailed, tamper-resistant records of how personal information and other sensitive data is accessed and used.

    • In the event of a data breach, these records let you trace the source and determine the full extent of the damage.

  • Forensics

    • Identifying the full extent of a breach helps you understand how the incident occurred and prevent further damage.

    • A defined incident response and forensic process ensures that incidents are handled promptly and that a bad situation doesn’t get any worse.

A SOC 2 report includes details of controls at a service organisation relevant to the trust services criteria. It is a restricted-use report, available to management, customers and prospective customers, usually under NDA; it is not public information. A SOC 3 report is the general-use version: it contains the auditor’s opinion and a summary of the system without the detailed control descriptions and test results, so it can be published freely, for example on your website.

SOC controls are assessed by a Certified Public Accountant, and we are happy to work with a CPA appointed by you or help you find one.

Get In Touch

To discuss SOC or anything else please get in touch using the form below or the other contact details on our site.


Frequently Asked Questions

+ Why is SOC 2 compliance important?

SOC 2 compliance shows that your organisation maintains a high level of information security.

The compliance requirements ensure that sensitive information is being handled responsibly. Organisations that implement the necessary controls are therefore less likely to suffer data breaches or violate users’ privacy, and better placed to detect and contain those that do occur.

This protects you from regulatory action and reputational damage, and gives you a competitive advantage.

You can use the report to show customers that you’re committed to information security, which in turn opens up new business opportunities: many customers, particularly in North America, will not share data with a vendor until they have reviewed its SOC 2 report, and the criteria in turn expect you to assess the risks posed by your own vendors and subservice organisations.

+ How are SOC 1 and SOC 2 different?

Depending on the service or system you provide, third parties might ask whether you have a SOC 1 or a SOC 2 report.

SOC 1 applies when the service you provide could affect your customers’ financial reporting, for example payroll, payment processing or hosting of financial systems.

SOC 2 covers the security, availability, processing integrity, confidentiality and privacy of the systems that handle customer data, whether or not that data is financial. If you don’t host financial data, SOC 2 is usually the only report you need. If you only process financial transactions and your customers ask solely about financial reporting controls, a SOC 1 may be sufficient, although many customers ask for both.

Organisations that host both types of data will need to complete both audits.

+ What are the principles of SOC 2?

Security, availability, processing integrity, confidentiality, and privacy controls.

+ What is a SOC 2 audit?

A SOC 2 audit provides an in-depth assessment of your security, availability, processing integrity, confidentiality, and privacy controls.

SOC is broken down in various ways. There is SOC 1, 2 and 3, which each have a different scope, and SOC 1 and SOC 2 reports each come in two types.

A Type 1 report gives the auditor’s opinion on whether your controls are suitably designed and implemented as at a single point in time.

A Type 2 report covers a period (commonly three to twelve months) and includes the auditor’s tests of whether those controls operated effectively throughout it. This is the report most customers ask for.

+ What does a SOC 2 report cover?

A SOC 2 report covers the controls you have in place against the Trust Services Criteria for the categories in scope. The Security category is always included, and in practice that means controls on system monitoring, breach detection and alerting, audit logging and forensic investigation, alongside access control, change management and risk assessment.

+ What does a SOC 2 audit report contain?

SOC 2 allows plenty of room for interpretation, because every organisation will have its own requirements based on the way it operates. Because of this, the audit report should provide an opinion letter, management assertion, a detailed description of the system or service, details of the selected trust services categories, tests of controls and the results of testing, and optional additional information.

+ How long does it take to comply to SOC 2?

There are two things to consider when evaluating how much a SOC 2 report will cost and how long it will take:

  • Your existing compliance posture.
  • The size and complexity of your organisation.

However, even if you know the answer to those questions, there’s no set cost or timescale for when you can expect to comply.

Every organisation has its own requirements, and it would be overly simplistic to suggest that there was a cost-per-day estimate.

The most well-prepared organisations might be able to complete their audit in a few weeks, whereas others could spend 18 months or more implementing the necessary controls.

+ How do you know you’re ready for a SOC 2 compliance audit?

The only way to be sure you’re ready is to review your systems. We can help you with that - one of our expert consultants can advise you on which audits are right for you, and give you all the information you need to pass.

You'll complete the Readiness Assessment, which highlights any requirements where you fall short.

This is followed by the SOC 2 Remediation Service, which explains the corrective actions your organisation must take to ensure its security controls are sufficient.

+ ISO 27001 vs SOC 2: what’s the difference?

ISO 27001 focuses on the development and maintenance of an information security management system (ISMS), which is an overarching method of managing data protection practices.

To achieve compliance, you must conduct a risk assessment, identify and implement security controls and review their effectiveness regularly.

SOC 2, by contrast, is a lot more flexible. It comprises five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy, but only the first of those is mandatory.

Organisations can implement internal controls related to the other principles if they want, but it’s not necessary to achieve compliance. Both frameworks are recognised globally, but SOC 2 is more closely associated with North America.

If you’re based in that region, you’ll find that both SOC 2 and ISO 27001 are common. Outside of North America, ISO 27001 is much more popular.

You must complete an external audit for either framework.

The main difference in this process is who conducts the audit. ISO 27001 certification must be issued by an accredited certification body. A SOC 2 attestation report, in contrast, can only be issued by an independent licensed CPA (Certified Public Accountant) firm.

There’s also a slight difference in what certification looks like. Organisations that pass the ISO 27001 audit receive a certificate of compliance, whereas SOC 2 compliance is documented with a formal attestation.

+ Project timeline

The process is similar for ISO 27001 and SOC 2, with three stages you must complete.

We can conduct a gap analysis to work out which areas of the framework you’re already compliant with and where you need to make improvements. As part of this process, you should also define your security objectives and which areas of your organisation will be covered.

Next, we can help you identify which security controls are appropriate for your organisation and take the necessary steps to implement them. This includes documenting your practices and establishing a method to review and improve your processes.

The final step is the audit. Many organisations conduct an internal audit first, as it allows them to address any final errors that they identify. Once you’re confident in your compliance practices, you can engage a certification body (for ISO 27001) or a CPA firm (for SOC 2) and arrange the external audit.

How long this process will take depends on the amount of work you have to do to bring your practices up to scratch. Broadly speaking, a well-prepared organisation might implement SOC 2 in two or three months and ISO 27001 in three to six months. Note that a SOC 2 Type 2 report also needs an observation period (commonly three to twelve months) during which the auditor can test that controls operated, so plan for that before the report can be issued.

+ Which framework should you use?

SOC 2 can be less expensive to implement and maintain than ISO 27001, but it’s also less rigorous.

ISO 27001 does more to protect organisations from information security threats.

Our experts are happy to discuss which option is right for your organisation.