The Service Organization Controls (SOC) framework is used to assess an organization's internal controls. These controls address security, availability, and confidentiality. The goal is to protect network infrastructure from bad actors. Compliance helps organizations win the battle against unauthorized access.
Cyberattacks on sensitive customer data damage your brand and are also costly to recover from. Consider the annual Data Breach Report compiled by the Ponemon Institute and supported by IBM Security. It looks at data breach expenses incurred by more than 500 organizations. The most recent report calculates the average cost of a data breach in the United States at $8.19 million. This figure is the highest of any country. According to the report, a data breach impacts an average of 25,575 records.
Operating in an environment of high-profile breaches impacts client perception. Now more than ever, clients want to have a high level of confidence that you will protect their sensitive data. This is the reason SOC 2 exists. In this article we will first give you the history and background of SOC 2, then we will answer the following 7 questions about SOC 2 Compliance:
SOC 2 History and Background
The SOC 2 compliance concept stems from a need for service organizations to manage risks inherent in outsourcing. At first, SAS 70 was used to demonstrate the trustworthiness of internal controls. Eventually, some organizations expanded the use of SAS 70 reports to show it was safe to work with specified vendors. However, this was not the intended use of SAS 70.
When the American Institute of Certified Public Accountants (AICPA) developed the SSAE16 standard to replace SAS 70, it became known as SOC 1. The SSAE16 standard parallels the international standard, ISAE 3402.
The AICPA put SOC 2 in place in 2009. SOC 2 was a response to the various inadequacies of SAS 70. It tests data security, availability, confidentiality, process integrity, and privacy. SOC 2 uses the Trust Services Criteria to better assess internal controls on the security of customer data. SOC 2 examinations are typically conducted at the behest of clients or prospective clients. They are designed to attest to the sufficiency of non-financial controls of service organizations.
Current SOC 2 reports must follow the latest updates. The AICPA updated the criteria in 2017. The updates went into effect on December 15, 2018. They replaced the updates from two years earlier.
While SOC 1 (SSAE16) focuses on financial reporting controls, SOC 2 focuses on non-financial controls. Still, the basic structure of a SOC 2 report is like that of a SOC 1 report. Both speak to the sufficiency of an organization’s internal security apparatus.
Those in both service organizations and user organizations have questions about SOC 2 compliance. It is important to understand SOC 2 readiness assessments and audits. It’s also important to understand the benefits of SOC 2 compliance.
7 Common Questions about SOC 2 Compliance
1. What is a SOC 2 Readiness Assessment?
A readiness assessment prepares you for a compliance audit. It helps you identify security gaps and other weak spots in your network. It describes the readiness of your internal controls. Most importantly, it identifies which controls could fail, exposing sensitive customer information in the process.
It’s only possible to identify security gaps if you are thoroughly aware of the:
- Commitments you’ve made to third-party vendors and/or clients
- Data delivery channels employed
- Kinds of data you generate, use, store and destroy
- Operating environment of your system
- Nature of all operations and technology
Some of those preparing for a SOC 2 audit for the first time find the process somewhat daunting. It is common to ask a number of questions. What is the full scope of the audit? What documentation do you need? What company resources does the audit require?
In a readiness assessment, an organization learns what it needs to do to remedy inadequacies before a SOC 2 audit.
2. Who needs to demonstrate SOC 2 compliance?
Service organizations that store, process and/or manage sensitive customer data must safeguard it. A SOC 2 report demonstrates a service organization's commitment to security and privacy. It attests to the fact that you have the proper controls in place to protect customers. A SOC 2 report helps ensure that your clients receive the secure, high-quality services they expect.
SOC 2 compliance is often a competitive advantage in the marketplace. SOC 2 compliance benefits a variety of enterprises, including:
- Data centers
- SaaS providers
- Data analytics providers
- Document production services
User organizations want service organizations to confirm the effectiveness of their internal controls. SOC 2 reports are an invaluable resource in assuring clients that their sensitive data is protected. If you are a user organization looking at prospective service providers, think of SOC 2 compliance as a basic requirement.
The demand for SOC 2 reports expands as enterprises increasingly rely on cloud hosting providers and data centers. For example, Google Cloud is subject to third-party audits to ensure the compliance of its products.
3. Who performs SOC 2 audits?
There are a variety of professional accounting firms capable of completing SOC 2 audits. Understand that not all SOC 2 reports are equal. It’s important to perform your due diligence when you look for a third-party auditing firm. Check the references of those you’re considering. You want a CPA firm that specializes in IT audits.
Also, don’t hesitate to request information about the specific auditors who will complete the SOC 2 report. It’s vital that auditors have the requisite skills and expertise to do the job. Ideally, consider those with CISA and/or CISSP certifications.
4. What are the Trust Services Criteria?
In a SOC 2 audit, relevant Trust Services Criteria (TSC) are used to analyze your information systems. Since they were originally called Trust Services Principles, they are sometimes referred to as TSPs. The criteria are set forth by the AICPA. In a SOC 2 audit, the auditing firm applies the criteria to establish whether proper controls are in place to protect client data.
These pre-established criteria help to standardize the auditing process. Having predefined criteria is important for two key reasons. First, they let service organizations know what is required of them for SOC 2 compliance. Second, they make it easier for clients reviewing a SOC 2 report to understand and assess it.
The five Trust Services Criteria are:
- Security - Protections exist against unauthorized access. Such access could compromise the organization’s ability to deliver services. This is the one TSC that must be addressed in all SOC 2 reports.
- Availability - The system is available upon demand. Availability is consistent with relevant client agreements and/or commitments.
- Processing Integrity - System processing is properly authorized, comprehensive, timely, and accurate.
- Confidentiality - Information designated as confidential is protected as required by agreement or policy.
- Privacy - Personal information is handled in accordance with the organization’s privacy notice and with the AICPA’s Generally Accepted Privacy Principles. This criterion addresses how personal information is collected, used, retained, disclosed and ultimately disposed of.
Again, Security is the only criterion required in every SOC 2 report. Management decides which, if any, of the other four are relevant to the services the organization offers. This approach ensures SOC 2 compliance while minimizing cost. Generally, it’s acceptable to limit a SOC 2 audit to the principles relevant to whatever service is outsourced. For example, consider an organization that does not process client transactions. In that instance, auditing processing integrity is not relevant.
However, it is important to select all criteria required to mitigate risks for a user organization. For a SOC 2 report to be credible and comprehensive, it is vital to include all relevant TSCs. Ultimately, an effective SOC 2 report helps you answer common security questions asked by both clients and prospective clients.
5. What does a SOC 2 report look like?
The structure of a SOC 2 report is similar to that of a SOC 1 report. It typically includes the opinion letter, assertions by management, system description, outline of testing protocols, and the results of the testing.
Consequently, a SOC 2 report typically:
- Addresses monitoring of attempts at unauthorized access
- Confirms the existence of detailed audit trails
- Notes the presence of actionable forensics
As a part of a SOC 2 report, the selected CPA firm delivers a professional opinion on the design of controls and their effectiveness over time. It attests that the organization is meeting the selected criteria.
6. How are SOC 2 reports used?
SOC 2 reports are used in a variety of ways, including to:
- Manage internal risks
- Confirm contractual commitments are met
- Manage vendors
- Address regulatory requirements
They are only intended for a service organization and its clients. In that regard, they are different from SOC 3 reports. Those are available to the public and are often used for marketing.
7. How much does a SOC 2 report cost?
The cost of a SOC 2 audit depends on a number of factors:
- Scope of services included
- Particular TSCs selected
- Organization size
- The quantity and scope of systems
Mapping to relevant existing frameworks often reduces the cost of SOC 2 compliance.
Now more than ever, SOC 2 compliance delivers real value to a service organization and its customers. A SOC 2 readiness assessment followed by a SOC 2 audit addresses the need for effective controls. Identify and resolve weaknesses before it is too late. Minimize the possibility of an expensive and reputation-altering data breach. Demonstrate to customers an appropriate level of concern regarding the security of their sensitive data.
Xplenty is SOC 2 Compliant
Xplenty’s advanced data integration platform makes it simple to design and execute data pipelines. Integrate data from more than 100 data sources and SaaS applications with intuitive drag-and-drop ease.