SOC 2 Type 2
SOC stands for service organization controls. They are standards designed to test how well an organization manages its data. The purpose of the SOC standard is to give organizations comfort when they buy from third-party vendors, and to give auditors and investors the same comfort. SOCs are examinations and are not to be referred to as certifications.
There are different types of SOCs:
SOCs for service organizations
SOCs for Cybersecurity
SOCs for Supply chain
The SOCs for service organizations are for service providers whose services are relevant to their customers' systems of financial controls.
These SOCs include SOC 1, SOC 2 and SOC 3.
SOC 1 is SOC for service organizations: ICFR
SOC 2 is for trust services criteria
SOC 3 is for trust service criteria for general use report
What is a SOC 2 report?
A SOC 2 report is for the management of a service organization and for the people who will be working with client systems. It applies to entities that manage their systems in the cloud. Since most large-scale software applications are now managed in the cloud, this has broad implications today.
SOC 2 Audit
The purpose of a SOC 2 report is to provide information about the level of controls related to:
Security
Availability
Processing integrity
Confidentiality
Privacy
This report is at a system-wide level, while a SOC for cybersecurity is at an entity level. The report is meant for the people who will be using the system for which the report was commissioned.
What is in a SOC 2 report? The SOC 2 report contains a description of the service organization's system. Management of the service organization must sign off that the description matches how the system actually works. The management team must also state that the controls over the system were designed effectively and operate effectively. There is also the auditor's SOC 2 Type 2 report, which states whether the description is accurate and whether the controls are suitably designed and operating effectively. The SOC 2 Type II audit report is produced as part of the audit provider's SOC 2 Type 2 audit.
The reason you might need a SOC 2 report is that there are many users of financial systems, and of other systems that might impact financial statements. Those users need assurance that controls exist over the system and that they are operating effectively.
How can you use a SOC 2 report?
You can use them to support oversight of an organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. Think about all the systems that large companies use daily for inventory management, customer management and financial records. It is important that companies can rely on service organizations to provide good and reliable systems.
If you can't validate your inventory, or it can be manipulated easily in software, why should anyone trust that your inventory numbers are correct?
What is a SOC 2 Type 2?
The SOC 2 Type 2 report is the most comprehensive SOC 2 report. To obtain one, a service provider must demonstrate that it keeps its clients' information secure. This is for cloud providers and I.T. providers. The Type 2 report also provides the details of the controls tested and the results of those tests.
SOC 2 Type II report example:
The AICPA has good resources with illustrative examples of all SOC audits, but I wanted to provide a brief example. This is for illustrative and explanatory purposes only. A brief SOC 2 Type II report example is outlined below.
A SOC 2 Type 2 report should have the following sections.
Section 1 – Management of [Service Organization] Assertions regarding its infrastructure services system through the period January 1, 20XX, to December 31, 20XX – This section should describe the infrastructure, software, people, procedures and data of the system. The infrastructure includes the hardware components of the system. The software is any program or operating software of the system, such as apps and utilities. The people are anyone who uses the system, such as developers, users and managers. The procedures are any automated and manual procedures involved in using the system. From my point of view, the more automated a system is the better, as long as the automation is reliable. Finally, the data is the information used in the system, such as transactions, files, databases or tables.
There are other descriptions that you can include in this section as well to provide details as to how the system controls work. You also need to discuss the timeframe covered in this section. Management must also state that the controls are designed effectively and operate effectively in this section.
Section 2 – Independent Service Auditor's Report – This is where the auditor signs off on management's assertion. The auditor provides a letter to management that details the scope of the SOC 2 Type 2 audit and whether the auditor believes the controls are designed and operating effectively based on its testing procedures.
Typically the auditor will state that it conducted its examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. The AICPA requires auditors to plan and perform their examination to obtain reasonable assurance about whether, in all material respects, (1) the description is fairly presented based on the description criteria, and (2) the controls were suitably designed and operated effectively to meet the applicable trust services criteria and CCM criteria throughout the period established above.
The SOC 2 auditor will also discuss the limitations of the report, including how controls at a system level might not always operate effectively. This is to be expected, because an auditor cannot test everything.
The auditor will then give its opinion: first on whether management's description of the system is accurate, then on the design of the system controls, and lastly on whether the SOC 2 controls are operating effectively. The auditor should then describe its testing of the controls and the limitations on use of the SOC 2 Type II report.
Section 3 – [Service Organization's] description of its infrastructure services system throughout the period January 1, 20XX through December 31, 20XX – This is where management describes the system: its infrastructure, software, people, procedures and data. Management should also describe the responsibilities of the customers who use the system. Management should describe how they
Section 4 – Applicable Trust Services Principles, Criteria, and CCM Criteria and Related Controls, and Results of Tests – This is where the service organization provides its controls matrix and shows how it maps to the trust services principles, criteria and CCM criteria. It should also discuss the results of its own testing.
Section 5 – Other Information Provided By [Service Organization] not covered by the Service Auditor’s report
SOC 2 Audit Frequency
SOC 2 audit reports and SOC 2 Type 2 audit reports typically cover a period of one year. SOC 2 Type 2 audits should be conducted annually.
Examples of SOC 2 Type 2 reports
If you look at Salesforce's website you can see all the SOC 2 reports they have over their various applications. They have a SOC 2 report for their Commerce Cloud digital app and for their corporate services platform.
You can also take a look at Oracle’s website and see all the reports they have over their software.