What is a SOC 2 audit?
A SOC 2 audit report provides assurance about a service organization’s security, availability, processing integrity, confidentiality, and/or privacy controls based on compliance with the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria).
SOC 1 reports, which cover controls relevant to user entities' financial reporting, are issued under the assurance standards SSAE 18 (formerly SSAE 16) or ISAE 3402; SOC 2 reports use the TSC as the criteria against which controls are evaluated.
SOC 2 audits are essential in regulatory oversight, vendor management programs, internal governance, and risk management.
Speak to a SOC 2 expert
Contact us to learn more about our SOC 2 service and find out if your organization needs a SOC 2 audit.
What are the AICPA TSC (Trust Services Criteria)?
The TSC are an industry-recognized third-party assurance standard for auditing service organizations, including Cloud providers, software developers, web marketers, and financial services organizations.
There are five TSC. They are aligned with the 17 principles in the 2013 COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework.
The TSC provide additional criteria to supplement COSO Principle 12, which focuses on control activities through policies and procedures.
Control activities are divided into four categories:
- Logical and physical access controls
- System operations
- Change management
- Risk mitigation
These supplemental criteria form part of the common criteria and therefore apply to every SOC 2 audit, whichever of the five categories is in scope.
Trust services categories
Service organizations must select which of the five trust services categories are required to mitigate the key risks to the service or system that they provide. The five categories of TSC are:
1. Security (also known as ‘common criteria’)
“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.”
This is the only mandatory trust services category.
2. Availability
“Information and systems are available for operation and use to meet the entity's objectives.”
3. Processing integrity
“System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.”
4. Confidentiality
“Information designated as confidential is protected to meet the entity’s objectives.”
5. Privacy
“Personal information is collected, used, retained, disclosed and disposed [of] to meet the entity’s objectives.”
The full set of criteria is published by the AICPA.
Frameworks aligned with the TSC
The TSC are closely aligned with the following standards and frameworks:
What is in a SOC 2 report?
A SOC 2 audit report provides assurance that a service organization’s controls are suitably designed (and, for a Type 2 report, operating effectively) to meet the selected security, availability, processing integrity, confidentiality, and privacy criteria. Distribution of the report is generally restricted to existing or prospective clients and their auditors.
There are two types of SOC reports:
- Type 1 – reports on the suitability of the design of controls as at a specified date
- Type 2 – also tests the operating effectiveness of controls over a specified period, typically six to twelve months
A SOC 2 audit report includes:
- An opinion letter
- Management assertion
- A detailed description of the system or service
- Details of the selected trust services categories
- Tests of controls and the results of testing
- Optional additional information
The auditor’s opinion states whether the controls were suitably designed (and, for a Type 2 report, operated effectively) to meet the applicable TSC; an opinion may be unqualified or qualified, and any exceptions found in testing are listed in the report.
Who are SOC 2 audits designed for?
SOC 2 audits are targeted at organizations that provide services and systems to client companies.
The client company may ask the service organization to provide an assurance audit report, particularly if confidential or private data is entrusted to the service organization.
If your organization provides Cloud services, a SOC 2 audit report will go a long way to establishing trust with customers and stakeholders. A SOC 2 audit is often a prerequisite for service organizations to partner with or provide services to tier-one organizations in the supply chain.
Who can perform a SOC audit?
A SOC audit can only be performed by an independent, licensed CPA (Certified Public Accountant) or CPA firm.
SOC auditors are regulated by and must adhere to specific professional standards established by the AICPA. They are also required to follow specific guidance related to planning, executing, and supervising audit procedures. AICPA members must also undergo a peer review to ensure their audits are conducted in accordance with accepted auditing standards.
CPA organizations can use non-CPA staff with IT and security skills to prepare for a SOC audit, but the final report must be issued by a CPA.
SOC 2 Audit Readiness Assessment and Remediation Service
We are well prepared to help any organization meet the SOC audit requirements.
The SOC audit process involves:
- Reviewing the audit scope
- Developing a project plan
- Testing controls for design and/or operating effectiveness
- Documenting the results
- Delivering and communicating the client report
1. Readiness assessment
We evaluate your SOC 2 preparedness based on the type of service offered, the trust services categories in scope, and the security controls in place. Among other things, we examine and analyze your processes and procedures, system configuration settings, screenshots, signed memos, and organizational structure.
2. Remediation
Once the shortfalls have been identified, IT Governance can help you remediate them. We can help with audit scoping, risk assessment, control selection, control effectiveness measurements, metrics, and integrating SOC 2 requirements into an ISO 27001-compliant ISMS.
3. Testing and reporting
IT Governance has partnered with CyberGuard, a CPA audit organization registered with the AICPA and PCAOB in the US, to perform testing and reporting.
IT Governance can help with the SOC audit process from readiness assessment, remediation, testing, and reporting, in partnership with CyberGuard.
We help clients save money on audits by connecting them to our partners that charge less than the Big Four accounting firms.
Contact us for more information
Why choose IT Governance?
IT Governance specializes in providing IT governance, risk management, compliance solutions, and consultancy services, focusing on cyber resilience, data protection, cybersecurity, and business continuity.
We are committed to helping organizations protect themselves and their customers from cyber threats in a business environment that is becoming more punitive and privacy-focused. Our deep industry expertise and pragmatic approach help our clients improve their defenses and make key strategic decisions that benefit the entire organization.
IT Governance is duly recognized under the following frameworks:
- CREST-certified as ethical security testers
- Certified to Cyber Essentials Plus, the UK government-backed cybersecurity certification scheme
- Certified to ISO 27001:2013, the international standard for information security management systems
Speak to an expert
For more information on how IT Governance can help with your SOC 2 audit, please contact us.