Does your company provide services to its customers, and do your customers ask you for a SOC 2 Type 2 report?
Your customers want this report to validate your security compliance, to reassure their own customers, or perhaps because they themselves must comply with information security standards.

A SOC (Service Organization Control) report is an independent review of your organization’s internal controls to provide your customers or suppliers with the information they need about your practices to manage the risks of having you as a partner.
Please note: There is no such thing as SOC certification or compliance. Once the audit has been completed, a report is issued, including the tests carried out by the auditor and the results of these tests, as well as a description of the system or its controls.
The auditor’s report will give an opinion on these controls – this is what your business partners want to read.
The opinion section of the report gives the auditor's assessment of the controls. It can take one of four forms:
- Unqualified: Means that everything seems perfect. You meet the criteria.
- Qualified: Control is good, but the auditor points out certain areas for improvement.
- Adverse opinion: Refers to the fact that controls need to be greatly improved and that they do not manage the associated risks.
- Disclaimer of opinion: Your control does not exist or is not applied at all by members of the organization.
A little history
In the wake of the Enron scandal in the United States in 2001, financial results compliance standards were tightened considerably with the advent of the Sarbanes-Oxley Act (SOX). Public companies are required to comply with the Sarbanes-Oxley Act of 2002, a law on record-keeping and financial disclosure standards.
In the past, SAS 70, the Statement on Auditing Standards (SAS) number 70, was used for service organizations. It was a widely accepted auditing standard, developed by the American Institute of Certified Public Accountants (AICPA).
But it soon became necessary to implement a more comprehensive evaluation system, going beyond a simple audit of the financial statements.
SSAE 16 – Statement on Standards for Attestation Engagements Number 16 – was published by the AICPA in April 2010 and came into force in May 2011.
The service auditor’s review previously performed by CPAs under SAS 70 was subsequently replaced by reports on system and organizational controls under SSAE 16.
In May 2017, the AICPA replaced SSAE 16 with SSAE 18. SSAE 18 imposes a series of improvements to enhance the quality and application of SOC reports. This superseded version also contains the principles, regulations and standards to frame SOC reporting.
By this time, SOC1 reports were frequently required by large US companies from suppliers wishing to do business with them. The financial compliance teams of U.S. companies had a great deal of power during this decade.
Since 2010, there have been a number of problematic situations from an information security point of view.
So some large American companies and the security departments of these organizations are increasingly demanding SOC2 reports from the various suppliers who want to do business with them. The big companies demand SOC2 reports from their suppliers, who in turn demand SOC2 reports from their suppliers.
These reports must be signed by an American CPA. In Quebec, at least six chartered professional accountant (CPA) firms are able to perform this type of audit, as they also have offices in the United States.
Various SOC reports
There are five main types of SOC reports:
- SOC 1 – Internal Controls over Financial Reporting (ICFR)
- SOC 2 – Trust Services Criteria
- SOC 3 – General use report on the Trust Services Criteria
- SOC for cybersecurity
- SOC for the supply chain
The SOC 1 report deals with a company’s internal control over financial reporting, which relates to the application of controls and limits. By its very definition, as prescribed by SSAE 18, the SOC 1 report is an audit of a third-party supplier’s accounting and financial controls. It is a measure of the quality of the supplier’s bookkeeping.
The SOC 2 report is the most sought-after report. SOC 2 deals with the review of a service organization’s controls over one or more of the Trusted Service Criteria (TSC) (see below).
The SOC 3 report is a summary report of the SOC 2 type 2 report. While a SOC 2 report and a SOC 3 report contain similar information about the auditor’s control tests and the results of these tests, a SOC 2 report contains more detailed information and its distribution is limited to a specific audience.
It’s much shorter and less detailed, so it’s aimed at a wider audience.
SOC for Cybersecurity – a report on the effectiveness of a service organization’s cybersecurity risk management program. This type of report covers the evaluation of your existing security program.
SOC for Supply Chain – a report on the effectiveness of controls relating to the security, availability or processing integrity of a system, or the confidentiality or privacy of information processed by a system that produces, manufactures or distributes products.
Trust Services Criteria (TSC)
A SOC 2 report must be prepared against a framework supported by the AICPA. This framework targets five very specific families (principles):
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as intended or agreed.
- Processing integrity: System processing is complete, accurate, timely and authorized.
- Confidentiality: Information designated as confidential is protected in accordance with commitments made or agreed.
- Privacy: Personal information is collected, used, retained, disclosed and destroyed in accordance with the commitments made in the entity’s privacy notice and the criteria set out in the Generally Accepted Privacy Principles published by the AICPA and CICA. The TSC for security, availability and processing integrity are used to assess whether a system is reliable.
You must include at least the “Security” family when preparing your audit report, but if necessary, you can add one or more of the other criteria families.
The more principles are chosen, the longer the project takes.
Type 1 or type 2 report
For SOC 1 and SOC 2 reports, there are two types, Type 1 and Type 2.
In the first year of the audit, a Type 1 report will be issued, meaning that it will be issued on a specific date (e.g. June 30, 2020) and will cover the design of the controls.
For subsequent years, a Type 2 report will be produced for a specific time period (e.g. January 1 to December 31). During this type of audit, the effectiveness of IT controls will be tested over the entire audit period. It will become imperative that IT controls are consistently applied in the same way (as described) and at all times. If not, deviations will be raised in the auditor’s report.
A six-month interval between a Type 1 and a Type 2 report is common.
- Type 1 – The report demonstrates that controls are effective on a specific date. For example, a firewall is in place.
- Type 2 – The audit report demonstrates that controls were in place for a complete period. For example, the firewall was in place and blocked ports correctly from January 1 to December 31.
There are several norms and standards to help companies manage information security. The SOC2 report is very popular in the USA, and is the one usually requested by American firms from their suppliers. On the other hand, this report is less recognized in Europe and elsewhere in the world.
Getting a SOC 2 report is often a three-phase process:
- Gap analysis;
- Implementing controls;
- External audit by accounting firm.
Costs for the external audit range from 25,000 upwards, depending on the size and complexity of the company.
A company should request and analyze SOC2 reports from potential suppliers. This is an invaluable piece of information for ensuring that adequate controls are in place, and that the controls are actually operating effectively.
Just having a SOC2 report doesn’t confirm that security is in place – it’s reading it and the auditors’ opinion that will confirm the company’s level of security.