How to Prepare for a SOC 2 Report
If your organization has recently decided to undergo a SOC 2 examination, you may be wondering “What’s next?” After searching online, you may feel even more confused. We’re here to help!
To prepare for a SOC 2 examination, the first step is to determine the scope of the report.
Determine the Boundaries of the System
With the help of your trusted SOC service auditor, proper scoping procedures focus the examination on the relevant infrastructure, software, people, policies, procedures, data and critical third-party providers that support your organization’s objectives and meet customer expectations. These elements are often referred to as “the boundaries of the system.” Properly defined boundaries ensure that the report covers what its readers care about while mitigating the risk of “over-scoping” your examination.
Identify your Organization’s “Principal” Service Commitments and System Requirements
The cornerstone of SOC 2 examinations is management’s identification of its principal service commitments and system requirements, with the key term being “principal.” According to AICPA guidance, service commitments are disclosures made by management to its customers about the system used to provide the service, and useful to a broad range of SOC 2 report users. In other words, it’s not a list of every item stated in a contractual agreement, but principal commitments relating specifically to security, availability, processing integrity, confidentiality and/or privacy, as applicable. For example, if your organization commits to system security, a principal service commitment may be that your organization maintains technical safeguards to prevent unauthorized use or access to the system.
System requirements specify how the system should function to meet the service commitments. Requirements are often specified in system policies and procedures, system design documentation, contracts with customers and government regulations. Management should define specific requirements to meet its principal service commitments instead of stating a general all-encompassing reference to policies, procedures and contracts with customers. This approach prevents potentially bringing everything stated in those documents into scope and avoids misleading report users. For example, regarding the security commitment to prevent unauthorized access, a corresponding system requirement might be the implementation of multi-factor authentication technologies using facial recognition and SMS push notifications.
Complete a Risk Assessment
If the cornerstone of a SOC 2 examination is service commitments and system requirements, the foundation of the examination is management’s risk assessment. Management must identify the risks that could affect the achievement of its service commitments and system requirements. Additionally, management must assess the controls in place to mitigate those risks, based on the applicable trust services criteria.
Understand the AICPA Trust Services Criteria
From the cornerstone to the foundation and now to the framework of a SOC 2 examination, the AICPA’s Trust Services Criteria are used to evaluate whether your organization’s controls are appropriately designed, implemented and operating effectively to mitigate risks to the achievement of your service commitments and system requirements. The Trust Services Criteria are organized into five categories: Security, Availability, Processing Integrity, Confidentiality and Privacy. The relevance of these five categories depends largely on the commitments made to your customers. For example, if you commit to 99% uptime of your system to users, then Availability would likely be in scope. If the data you collect from your customers includes PHI, Privacy may be relevant. Your service auditor should explain the categories and their applicability based on the services your organization provides, the commitments made to customers and the types of data your organization collects, retains, uses and discloses.
Determine if SOC 2 “Readiness” is Right for You
Partnering with a trusted SOC service auditor is crucial for defining, planning and scoping the boundaries of your system. They can also help management identify potential gaps within the control environment that may need remediation prior to beginning a SOC examination process. For example, if your organization commits to certain recovery times and plans to include the Availability category within the scope of the examination, but does not currently perform any business continuity or disaster recovery plan testing, this could cause issues with having controls appropriately designed and implemented to meet certain Availability criteria including A1.3 which states, “The entity tests recovery plan procedures supporting system recovery to meet its objectives.”
Readiness can also help your organization avoid many of the common pitfalls of SOC 2 scoping, such as:
- Including services outside the scope of your examination (e.g., ancillary offerings like consulting or other add-ons that are not directly tied to your service commitments) or including marketing language like “world’s greatest SaaS provider,” which is not “auditable” or objective.
- Overcommitting within your service commitments (e.g., 24/7 uptime)
- Misrepresenting the technology stack (i.e., servers, storage devices, software applications, middleware, cloud services, etc.)
- Misclassifying subservice organizations – this happens more than you think!
From readiness, you and your service auditor can evaluate the best “type” of SOC 2 examination for your organization to complete: SOC 2 – Type 1 or SOC 2 – Type 2.
Building Blocks of SOC 2 Success
Just like building a house, there are several critical components needed to complete a SOC 2 examination in accordance with AICPA attestation standards and implementation guidance. Proper scoping, a thorough risk assessment, identification of controls, identification of the applicable Trust Services Criteria, clearly defined system boundaries, and principal service commitments and system requirements all support the completion of a SOC 2 examination. It is critical to note that scoping for every organization is different; it requires a flexible approach and skilled service auditors who come equipped to consider other potential factors that should be evaluated as part of your examination, such as specific industry regulatory requirements (e.g., HIPAA, NIST, GDPR, NYDFS) or other frameworks (e.g., HITRUST, PCI, ISO).
Frazier & Deeter has been performing SOC examination services for nearly 20 years. Our team of experts has over 100 years of combined experience and includes the author and instructor for the AICPA SOC school, who teaches SOC practitioners nationally and internationally. We have a mature methodology supported by Fieldguide technology that allows us to execute your examination from start to finish in a single environment, based on a customized timeline to suit your SOC reporting requirements and objectives. To learn more about our SOC services, please visit our website here.