An Empty Promise or Attainable Goal?
Today more service organizations are being asked by their clients to provide Service Organization Control (SOC) Reports.
SOC reporting, created by the American Institute of Certified Public Accountants (AICPA), is a thorough audit of an organization’s controls (systems, processes and policies).
Clients want to know that their data and its confidentiality are protected from a security standpoint and that the service organization is meeting regulatory requirements when handling their information.
All organizations – service providers included – need to be more vigilant regarding their security protocols and processes. The SOC Report is designed to address these issues by providing independent assurance that a service organization has the right controls and that they are operating effectively to ensure that transactions are processed and data is secured.
However, it’s not a task to be taken lightly and the process certainly can’t be rushed. Good preparation is the key to obtaining a clean SOC report. But first you have to know which of the three SOC reports you need to complete.
SOC Report Types and Trust Services Principles
There are three SOC reports – referred to as SOC 1, SOC 2 and SOC 3.
SOC 1 reports are issued under Statement on Standards for Attestation Engagements (SSAE) 16, the standard that replaced SAS 70.
Depending on your circumstances, one SOC report may be required over another. Understanding the differences as well as their requirements is crucial to preparing for and successfully completing the SOC audit. We have provided a chart that is helpful in determining which report is best for your organization. You can also work with an audit firm experienced in SOC reporting to make this determination.
With the proliferation of technology and the desire to ensure data security, many reports are now exclusively targeting information systems controls.
SOC 2 and SOC 3 reports, which are based on the AICPA’s Trust Services Principles (TSP) and Criteria, are designed to address service provider relationships where information systems issues are of greater concern than the reliability of financial transactions.
The five TSP Principles are Security, Availability, Processing Integrity, Privacy and Confidentiality. Service organizations can choose any of the five or any combination of them. Typically, those selected are based on the services provided by the organization.
Updates to the TSP include a simplification of the control structure and an increased focus on the service organization’s internal risk assessment processes. The AICPA implemented common criteria to eliminate redundancies across the various principles. According to feedback from service organizations, these changes have had a positive impact, making for a more user-friendly experience and a better auditing process. Check with your auditor to ensure that your control set maps to these new criteria.
Compliance on All Fronts
There’s no denying that your organization will have to amass a fair amount of documentation. You will also have to examine current controls and implement ones that you’ve previously overlooked. But there is a silver lining in all this work.
Many of your current IT security controls that may be mandated by a regulatory body or industry standard – such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), the Cloud Security Alliance Cloud Controls Matrix, and HITRUST – overlap with controls that will be tested by your auditor during the SOC engagement.
If you obtain a SOC report and have one or more of these compliance mandates, be sure to identify those controls that have been tested by your service auditor and crosswalk them for customers who are concerned about your compliance with the other standards and regulations that matter in your industry.
Instead of viewing it as a chore, consider it an essential starting point to improve your operations overall. Here are a few strategies to employ during the SOC reporting process:
- Bone up on the SOC reporting process. Understand the various report types and which is applicable to your organization, services and clients. Work with your auditor to map your controls in clear, concise language to the control objectives or SOC Criteria, and be sure you understand how those controls will be tested by the audit team. It is also important to understand the time requirements that come into play depending on the type of SOC report you desire. Type 1 reports can be accomplished in a shorter span, primarily because they are considered “point-in-time” audits. Because operating effectiveness is assessed over a period of at least 6 months in most Type 2 audits, there may be a built-in lead time before you can have a report ready for your customers.
- Work with an experienced service auditor. They should be experienced in SOC reporting and understand your industry along with the unique concerns of your customers. Their expertise will move you through the process efficiently and successfully. Your organization should have a point person for each control as well as someone who can liaise between them and your auditor. Your liaison and auditor should work collaboratively; it will make the process smoother.
- Identify risks and plan well. Your auditor can conduct a gap assessment to pinpoint any risks or control gaps. Ideally, these issues should be considered and rectified prior to your SOC examination.
- Anticipate the needs of your SOC auditor. A good audit firm will communicate proactively about their expectations and the audit process. However, you can control to a large degree the pain involved in the audit process by being well prepared ahead of the audit with evidence related to your controls. Maintain a “paper trail” regularly – not just the week prior to the audit. Controls should be monitored and tested consistently. Keep your documentation detailed on a daily, monthly and yearly basis. Train employees in the most up-to-date policies and procedures. Adhere to this advice and you’ll be able to execute your reporting seamlessly.
- Leverage reporting to improve overall operations. As we’ve mentioned above, many of your other frameworks (HIPAA, HITRUST, CSA, PCI, etc.) can be aligned with SOC reporting requirements. Tightening up these areas serves a dual purpose: successfully meeting compliance requirements in all areas, not just SOC reporting, and greatly enhancing your overall operations and security.
Audits shouldn’t be viewed as an obstacle because they actually present an opportunity to communicate the great job your company is doing as a trusted business partner. Many organizations that provide outsourced services, particularly in highly regulated environments, are burdened by having to devote resources to responding to multiple requests of different types related to the content and quality of their information security program. SOC reports, particularly ones that also present relevant information related to compliance with other regulatory mandates and industry standards, allow you to move much closer to the elusive goal of auditing once and reporting to a wide range of customers.
This approach will assure your clients that your environment is well controlled and their data is safe. Ultimately this will serve to improve your business operations, brand and bottom line.