IT Compliance
A Simple Guide to Understanding IT Compliance
Tristen Cooper
If your organization provides services to external parties, those services can affect those external users in areas like financial reporting or data security. Those external parties may therefore need assurance that the controls over your services are designed and operating effectively. SOC audit reports provide this assurance about the internal controls of service organizations.
The American Institute of Certified Public Accountants (AICPA), the world’s largest accounting member association, currently provides a suite of SOC reports of three types: SOC 1, SOC 2, and SOC 3. The types differ in which area of the service organization they focus on.
SOC stands for System and Organization Controls and refers to control reports on services offered by service organizations such as accounting firms, cloud services, web hosting companies, and Software-as-a-Service (SaaS) companies. These controls are the rules and processes that such service providers are responsible for maintaining on behalf of their clients. The reports give you invaluable information about the risks associated with your outsourced services.
SOC 1 focuses on internal controls related to financial reporting in service organizations that offer financial services. For example, your company may outsource payroll to an external company. As the client using that service, a SOC 1 report answers your question: what measures has my service provider taken to control the risks to my financial data and protect it? A SOC 1 report is typically prepared by a third-party SOC audit team, and it assures the clients of the service organization that their financial data is handled securely. Stakeholders like customers, managers, and their auditors often request SOC 1 reports.
SOC 2 is an auditing procedure that focuses on the internal controls of service organizations related to protecting their customers’ sensitive data. It ensures that the companies you outsource to will manage users’ data securely within five Trust Services Categories, also known as the Trust Services Criteria (TSC): security, confidentiality, privacy, processing integrity, and availability. SOC 2 applies to every SaaS organization and every company that uses cloud services to store its data, which includes managed IT service providers (MSPs). Most MSPs are not SOC 2 certified, so if this matters to you, look for the SOC 2 certification on your vendor’s website and ask them to confirm it.
Achieving SOC 2 compliance means establishing principles and practices to protect their users’ data within the below five Trust Services Categories.
The security category focuses on defining access controls that protect system resources from unauthorized access and other forms of security breach. To achieve SOC 2 compliance, organizations need security controls such as two-factor or multi-factor authentication, intrusion detection systems, and firewalls.
The confidentiality category covers information such as intellectual property, business plans, internal business reports, and financial information, access to which is usually restricted to a subset of people within the organization. For SOC 2 compliance, confidential information must be safeguarded with appropriate methods such as encryption during storage, processing, and transmission.
The privacy category requires that all sensitive and Personally Identifiable Information (PII), such as names, addresses, and social security numbers, be protected from unauthorized access. Collection, use, disclosure, and disposal of this data must follow the AICPA’s Generally Accepted Privacy Principles (GAPP) and the organization’s own privacy policy.
The processing integrity category checks whether the system achieves its intended purpose. To satisfy it, data must be complete, valid, accurate, and authorized. Data monitoring and quality assurance practices help to ensure processing integrity.
The availability category requires organizations to ensure the availability of the system as defined in their Service Level Agreements (SLAs). Network availability monitoring, system performance monitoring, and security incident handling are therefore vital for the service organization.
Service organizations that have achieved SOC 2 compliance have the security practices the standard requires in place. Specifically, they have processes for monitoring authorized and unauthorized user and system activity, detailed audit trails that allow the source of an attack to be traced, anomaly alerting for security incidents, and the ability to take corrective action if a breach occurs within any of these five TSCs. Such organizations satisfy the basic SOC 2 compliance checklist, which covers logical and physical access controls, system operations, change management processes, and risk mitigation techniques.
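The monitoring and alerting practices named above are easier to picture with a concrete audit-trail review. The following Python script is an added example, not code from the original guide or from any SOC 2 auditor; the log lines, the authorization table, the failed-login threshold and the business-hours window are all constructed for the example and would in practice come from the organization’s own logging platform and access policy.

```python
"""Added example (not part of the original guide): a minimal audit-trail review
that illustrates three SOC 2 security practices the text names, monitoring of
authorized vs. unauthorized user activity, anomaly alerting, and a per-user
audit trail. All log lines, users and thresholds below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp, user, action, resource, outcome.
SAMPLE_AUDIT_LOG = """\
2024-03-01T09:00:01Z alice LOGIN portal SUCCESS
2024-03-01T09:02:13Z alice READ customer-db SUCCESS
2024-03-01T09:05:44Z bob LOGIN portal FAILURE
2024-03-01T09:05:51Z bob LOGIN portal FAILURE
2024-03-01T09:05:58Z bob LOGIN portal FAILURE
2024-03-01T09:06:03Z bob LOGIN portal FAILURE
2024-03-01T09:06:10Z bob LOGIN portal FAILURE
2024-03-01T09:06:20Z bob LOGIN portal SUCCESS
2024-03-01T09:30:00Z mallory READ customer-db SUCCESS
2024-03-01T23:45:00Z alice EXPORT customer-db SUCCESS
"""

# Constructed authorization data (hypothetical access policy): who may use which resource.
AUTHORIZED = {
    "customer-db": {"alice", "bob"},
    "portal": {"alice", "bob", "carol"},
}
FAILED_LOGIN_THRESHOLD = 5            # alert when this many failures fall in the window
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(8, 19)         # 08:00-18:59 UTC counts as in-hours (assumed policy)


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "action": action,
            "resource": resource, "outcome": outcome,
        })
    return events


def review_audit_trail(events):
    """Return (alert_type, user, resource, timestamp) tuples in event order."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for ev in events:
        # 1. Successful access by a user the policy does not authorize for that resource.
        if ev["outcome"] == "SUCCESS" and ev["user"] not in AUTHORIZED.get(ev["resource"], set()):
            alerts.append(("UNAUTHORIZED_ACCESS", ev["user"], ev["resource"], ev["ts"]))
        # 2. Repeated login failures inside a sliding window (password-guessing indicator).
        if ev["action"] == "LOGIN" and ev["outcome"] == "FAILURE":
            window = recent_failures[ev["user"]] + [ev["ts"]]
            window = [t for t in window if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            recent_failures[ev["user"]] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:   # fire once when the threshold is reached
                alerts.append(("REPEATED_LOGIN_FAILURE", ev["user"], ev["resource"], ev["ts"]))
        # 3. Bulk export of sensitive data outside business hours.
        if ev["action"] == "EXPORT" and ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("OUT_OF_HOURS_EXPORT", ev["user"], ev["resource"], ev["ts"]))
    return alerts


def activity_summary(events):
    """Per-user counts of action:outcome pairs, the audit-trail view an assessor
    asks for when tracing where an incident started."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in events:
        summary[ev["user"]][f'{ev["action"]}:{ev["outcome"]}'] += 1
    return {user: dict(counts) for user, counts in summary.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_AUDIT_LOG)
    for alert in review_audit_trail(evs):
        print(*alert)
    print(activity_summary(evs))
```

Run against the constructed log, the review raises three alerts: bob’s fifth failed login within five minutes, mallory’s successful read of a resource the policy does not grant her, and alice’s export of the customer database late at night. The activity summary is the audit trail that lets an assessor confirm those findings and see what each account did before and after the alert.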
A SOC 2 report is an independent assessment that demonstrates how a service organization’s controls achieve information security. It is prepared by a licensed CPA under Statement on Standards for Attestation Engagements (SSAE) No. 18, the attestation standard. The SOC 2 reports that AWS makes available to specific audiences are one example. There are two types of SOC 2 report, described below.
A Type 1 report describes the design of the service organization’s controls, their suitability, and the operating effectiveness of those controls as of a specific date. It does not include comprehensive testing of the controls.
A Type 2 report provides a more comprehensive look at the design of the controls specified in the Type 1 report. It provides not only a description but also an evaluation of the operating effectiveness of the controls. Unlike a Type 1 report, it takes several months to prepare, because effectiveness is assessed over a period rather than at a point in time.
When choosing a third-party vendor, clients often ask whether the vendor has a Type 2 report, since one can take up to a year to complete. Holding a Type 2 report gives clients high assurance that the service provider has appropriate controls in place to secure their users’ data.
Most companies outsource certain internal processes, such as data hosting and processing, to save costs. SOC 2 applies to such third-party companies, including managed IT service providers that use cloud services like AWS to store their users’ data. Following are some of the industries that SOC 2 applies to.
A SOC 2 assessment prepares the organization for SOC 2 compliance. It evaluates which of the service organization’s security controls already exist before the audit process begins. This is also known as a SOC 2 readiness assessment and is part of the SOC 2 certification procedure. The assessment identifies which controls within the five TSCs are lacking and which could fail, so the organization can find and remediate security gaps before the audit.
The SOC 2 certification process comprises several steps and can take up to 18 months. Additionally, processing of the certification can take 2 to 3 months. The timeline depends on factors such as which SOC 2 report the client requires, the complexity of the project, and which controls are already in place.
In the planning phase, the organization and the audit CPAs decide the scope and priorities for SOC 2. The team identifies which Trust Services Criteria should be in scope and how progress will be tracked. The planning phase can span 1 to 3 weeks.
The organization may need to carry out a gap analysis of the controls in place to identify any issues that must be resolved for SOC 2 compliance. This phase can take 1 to 8 weeks.
The organization must then address the gaps or issues identified in the gap analysis. The time required depends on factors such as the nature of the issues and the organization’s commitment to remediating them.
Once the issues are addressed, auditors either visit the organization or work remotely to collect evidence that the controls are in place for the SOC 2 report.
After evidence collection is complete, the auditors formulate the final report. This usually takes up to 5 weeks, depending on complexity.
SOC 2 gives clients more visibility into a service provider’s security controls. If you are a service organization, obtaining a SOC 2 report gives your clients a high degree of confidence, as it shows that your organization has standard security controls in place to protect their data. This is a competitive advantage over organizations that do not have the report.