Understanding the Certification Process for Service Organization Control (SOC2)

Author: TEAM AGILE

What is SOC2 Type 2 Report?

A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. SOC 2 is related to internal controls that impact system security availability, processing integrity, confidentiality, or the privacy of customer data.It is commonly used to assess the risks associated with outsourced software solutions that store customer data online.

SOC2 Type 2 Benefits:

Provides an independent assessment of security and privacy control environment. The assessment includes a description of the controls, the tests performed to assess them, the results of these tests, and an overall opinion on the design and operational effectiveness of the same.

A company that has achieved SOC 2 Type 2 certification has proven its system is designed to keep its clients’ sensitive data secure. When it comes to working with the cloud and related I.T. services, such performance and reliability is absolutely essential and increasingly required by regulators, examiners, and auditors.

Understanding the SOC 2 Certification Process

The Five Trust Services Principles of SOC 2

A SOC 2 audit can only be performed by a CPA. At their core, these audits gauge how the service delivery of a system fulfills the selected trust principles of SOC 2. 

Availability

The process, product, or service must remain available per the agreement between user and provider. Both parties either explicitly or implicitly agree on the appropriate level of availability of the service. A system need not be evaluated for efficiency or accessibility to meet the trust principle of availability. To audit availability, an auditor must consider the reliability and quality of the network, response to security incidents and site failover.

Confidentiality

If access to the data is limited to certain individuals or organizations, it must be treated as confidential. Data protected by the principle of confidentiality could include anything the user submits for the eyes of company employees only, including but not limited to business plans, internal price lists, intellectual property and other forms of financial information. An auditor will take into account data encryption, network firewalls, software firewalls and access controls.

Integrity of Storage

This principle is concerned with the delivery of the right data at the right time and at the right price— in other words, whether or not the platform performs as expected. Data processing must be complete, licensed, reliable and timely. 

IMPORTANT: Integrity of storage does not imply the integrity of the information. Information may contain errors before it is entered into the system, which the storage entity is not responsible to identify. An auditor mustlook at data processing management and quality assurance practices to ensure the reliability of the data

Privacy

The principle of privacy applies to the collection, disclosure, disposal, storage and use of personal information with regard to the generally accepted principles of privacy (GAPP) as established by the AICPA. It applies to Personal Identifiable Information (PII), information that can be used to differentiate persons, including but not limited to names, addresses, phone numbers and social security numbers. Other data, including race, gender, medical profiles, and religion are also covered by GAPP. An auditor must verify controls in place to prevent the dissemination of PII.

Security

System resources must be defended against outside access to comply with the principle of security. Access controls must adequately resist attempts at intrusion, device manipulation, unauthorized deletion, data misuse, or improper modification and release. An auditor looks at IT security tools like WAF (web application firewalls), encryption and intrusion detection in addition to administrative controls such as background checks and authorizations.

HOW:

We assist you at every step and ensure that you establish & improve your more dependable, effective SOC examination and reportsystem in just 6 steps:

1.       Scope, Walkthrough &Control Design:Understanding of activities in the business process functions

2.       Gap Assessment:Preliminary documentation to support remediation roadmap

3.       Remediation:Documentation for validation of the control environment

4.       Audit/Testing:Process documentation, audit evidence

5.       Reporting: Policies and procedures, draft feedback, response to feedback and exceptions

6.       Issuance:SOC report

Agile Group will help you to prepare for a SOC2 Audit, build the necessary controls, advise on the SOC2 type report to complete the audit process.