Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
These reports can play an important role in:
Intended users:
Those with the requisite knowledge to understand the report, e.g.:
SOC 2 is an evaluation and reporting framework. It is NOT a compliance framework. This means that a SOC 2 report provides a lot of flexibility for management to identify and present the information about the system and the controls that their customers need, not what a compliance framework mandates. This is what makes a SOC 2 examination report so unique and important in the marketplace.
The SOC 2 examination report includes the following three key components:
1. Management's assertions
As with all SOC reports, an assertion is provided by management. Specifically, the assertion addresses whether
(a) the description of the system and the controls is presented in accordance with the description criteria, and
(b) the controls within the organization’s system description were effective to achieve the organization’s system objectives based on the control objectives.
2. Practitioner's report
The second component is a practitioner’s report, which contains an opinion addressing both subject matters in the examination. Specifically, the opinion addresses whether
(a) the description of the system and the controls is presented in accordance with the description criteria, and
(b) the controls within the organization’s system description were effective to achieve the organization’s system objectives based on the control objectives and the criteria.
3. Management's description of the service organization's system
The management description provides the detail of the system(s) being reported on and includes boundary, infrastructure, controls, commitments, and other system information. Anything included in this section should be auditable against the service commitments and system requirements based on the criteria.
The description provides the context needed for users to understand the conclusions expressed by management in its assertion and by the practitioner in his or her report.
4. Trust Services Criteria, Controls, Auditor's Tests of Controls, and Results of Tests
Typically shows the following columns of information:
The applicable trust services criteria for the categories in scope
Controls in place at the service organization to achieve service commitments and system requirements based on the criteria
Auditor’s tests of the controls (Type 2 only)
Results of the tests (Type 2 only)
There are two types of SOC 2 reports:
- Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
- Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Use of these reports is restricted to the management of the service organization, user entities, user auditors, and regulators.
Let’s get started today. BRC is ready to help your organization complete a SOC 2 Examination. Contact Ben Hunter III, CPA/CITP, CISA, CRISC, CDPSE, CISM at (336).294.4494 (bhunter@brccpa.com) to get started today.

Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Principal in our Firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training […]