System and Organization Controls (SOC), known until 2017 as Service Organization Controls, is a family of voluntary, internationally recognized attestation reports defined by the AICPA that help customers of SaaS companies and other service organizations evaluate how those providers manage data and protect sensitive information.
An organization that has completed a SOC examination can provide an independent auditor's report attesting to the design and, for Type II reports, the operating effectiveness of the controls it uses to protect customer data.
Strictly speaking, a company cannot “fail” a SOC audit: the auditor issues an opinion, not a score. Being unprepared, however, can result in a “qualified” or “adverse” opinion or in reported exceptions, which tells readers of the report that one or more controls were not suitably designed or did not operate effectively to protect sensitive or financial data.
How you prepare depends on which SOC report and which report type you are pursuing. SOC 2 is the most widely requested report for technology and cloud service providers, but a company may also need a SOC 1 (if its services affect customers' financial reporting) or choose to publish a SOC 3.
This guide covers how to prepare for a SOC audit and what to do if your organization is not ready before the process begins.
SOC Auditing Standards
SOC reports are issued under attestation standards developed by the AICPA (American Institute of Certified Public Accountants) and maintained by its ASEC (Assurance Services Executive Committee). The current name, together with the updated Trust Services Criteria used in SOC 2 examinations, dates from 2017. SOC is not a single standard but a set of report types, each produced through an independent CPA examination.
They exist to give customers assurance that a service organization, and by extension the vendors it relies on, has appropriate information security measures for safeguarding customer data and other sensitive information and for preventing third-party data breaches and security incidents. For that reason, organizations that maintain SOC reports also put considerable effort into third-party risk management and vendor oversight.
The AICPA guidance materials specify three main SOC report types:
- SOC 1 evaluates and reports on a service organization's controls that are relevant to its customers' internal control over financial reporting (ICFR). It is primarily read by customers' financial auditors;
- SOC 2 evaluates and reports on the controls a service organization uses to protect the systems and data it processes and stores. The controls are measured against the AICPA's Trust Services Criteria (TSC), so a SOC 2 report focuses on IT and information security;
- SOC 3 covers the same subject matter as SOC 2 but is written for a general audience. SOC 3 reports are shorter, omit the detailed description of tests and results, and may be distributed publicly, so companies use them to advertise their compliance and build trust.
The AICPA also defines specialized reports, SOC for Cybersecurity and SOC for Supply Chain. These are separate examinations, but they draw on the same Trust Services Criteria rather than introducing new control requirements.
As specified by SSAE 18, SOC reports come in two types:
- Type I - Describes the service organization's system and controls and evaluates whether those controls are suitably designed to meet the relevant control objectives or trust services criteria as of a specific date.
- Type II - Covers the same system description and design assessment, and additionally tests whether the controls operated effectively throughout a review period. A Type II report therefore includes the auditor's tests of controls and their results.
A Type I report is a snapshot of the controls at a point in time, while a Type II report covers a review period that is typically 6 to 12 months (shorter windows are common for a first Type II). A prior Type I report is not a prerequisite for a Type II.
Differences Between SOC 1 and SOC 2 Reports
SOC 1 and SOC 2 reports are restricted-use documents: they are intended for the service organization's management, its customers (user entities), and those customers' auditors, and are normally shared under a non-disclosure agreement rather than published. SOC 1 addresses controls relevant to financial reporting; SOC 2 addresses controls over the security and handling of data.
Accordingly, SOC 1 and SOC 2 reports have different scopes:
- SOC 1 identifies and tests the controls that support the control objectives the service organization has defined for financial reporting.
- SOC 2 identifies and tests the controls that meet the criteria relevant to the service organization's operations, as defined in the AICPA's Trust Services Criteria. SOC 2 covers five trust services categories: security, availability, processing integrity, confidentiality, and privacy.
SOC 2 compliance ultimately means that companies can prove to clients and customers that they can be trusted with their customers’ data.
TSC (Trust Services Criteria) of the SOC Auditing Process
To obtain an independent attestation that it manages and protects customer data and has properly implemented its security controls, an organization undergoes an external SOC 2 examination. The result is an attestation report, not a certification.
In this process, auditors review, assess, and test the company's controls against the AICPA's Trust Services Criteria, which are organized into five categories:
- Security - Addresses the company's ability to protect system resources and data from unauthorized access, disclosure, and damage. Its criteria (the “common criteria”) are required in every SOC 2 and cover the controls and tooling that defend against cyber attacks, exploitation of vulnerabilities, data leaks, and ransomware.
- Availability - Addresses whether the company's systems, services, and products are available for operation and use as committed in its SLA (service level agreement) or other contracts. Availability does not cover system functionality or usability; it focuses on the security-related controls, such as capacity management, backup, and recovery, that could affect uptime.
- Processing Integrity - Addresses whether system processing is complete, valid, accurate, timely, and authorized, so that the system achieves its intended purpose.
- Confidentiality - Addresses how the company protects information designated as confidential, limiting access to those who need it and disposing of it when it is no longer required. In practice this covers controls against domain hijacking, email spoofing, and phishing (including staff awareness training), along with TLS certificates for services, encryption of data at rest and in transit, DNSSEC, and other measures that prevent man-in-the-middle attacks.
- Privacy - Addresses how an organization collects, uses, retains, discloses, and disposes of personal information, following the privacy criteria the AICPA derived from its GAPP (Generally Accepted Privacy Principles). Whereas confidentiality applies to any sensitive data, including intellectual property and trade secrets, privacy applies only to personal information such as names, Social Security numbers, and phone numbers.
SOC 2 Attestation
An organization's main goal during a SOC audit is to receive a SOC 2 attestation (often loosely called a SOC certification, although no certificate is issued) with which it can show regulators, suppliers, business partners, and customers how it manages and protects sensitive data and personal information.
The attestation also lets those parties evaluate the organization as a third-party vendor against the trust services categories it chose to include in scope. A SOC 2 audit must be performed by an independent, licensed CPA firm (certified public accountant firm), which evaluates the company's safeguarding procedures.
After a successful SOC 2 audit, the CPA firm issues the attestation in the form of a SOC 2 report, which contains the auditor's opinion letter, management's assertion, the system description, and, for a Type II, the auditor's tests of controls and their results, along with any other information management chooses to include.
What To Do If You’re Unprepared For a SOC Audit
What makes SOC 2 auditing a difficult process is that every SOC report is unique to the organization being examined.
Prescriptive standards such as PCI DSS for payment card data or HIPAA for health information are stricter but hand you a fixed list of requirements. In a SOC audit, the organization designs its own controls to suit its specific business practices, and the auditor tests whether those controls meet the criteria.
The company does not need to include all five trust services categories. Security is always required, because its common criteria form the core of every SOC 2; the other four categories are added according to the company's business goals, capabilities, customer expectations, and compliance requirements.
The goal of the checklist below is audit readiness for any organization that needs a SOC report. Periodic reviews, monthly or even weekly, are highly recommended in the run-up to the audit.
How to Prepare for a SOC Audit (SOC Audit Checklist)
If your organization is unprepared for a SOC audit, follow this simple checklist to get started.
1. Define the Objectives of the SOC Audit
When preparing for a SOC audit, businesses must define their objectives, parameters, and operating goals. Companies should base these decisions on available resources, and should first work out what auditors are most likely to ask about the business and its security controls.
Organizations must also check whether their audit objectives conflict with other business objectives, which could lead to duplicated work, inefficient workflows, or downtime.
2. Decide on the Type of SOC Report
For companies going through a SOC audit for the first time, a SOC 2 Type I report is usually recommended.
Because a first-time company has no prior reports or compliance history, a Type I lets it establish and document its SOC 2 policies and controls and begin regular assessments of how they perform.
Once the first audit is complete, the next audit should be a SOC 2 Type II, which holds more value for stakeholders and is more comprehensive: it covers the same system description and control design as the Type I and adds the auditor's tests of operating effectiveness over the review period.
3. Define the Audit Scope of the SOC Report
Defining the scope of the SOC audit means determining which controls will be evaluated, based on the trust services categories you selected. The scope typically covers risk management, process monitoring, software, data, infrastructure, procedures, encryption, and the people involved. Each additional category you include widens the scope of the audit.
Many of these concerns map directly to what your customers worry about, so find out how they expect you to manage their data. Companies can then decide which trust services categories to include by identifying which ones matter most to customers or business partners.
Organizations should also consider their legal and contractual obligations for handling data or customer information. A business that already complies with regulations such as the CCPA, GDPR, or HIPAA may already have privacy controls in place that satisfy the privacy criteria.
4. Determine SOC-Compliance Procedures and Policies
The fourth step is to collect all relevant operational and internal assessment documents and to review your privacy, control, and security policies. This matters most for companies that want to perform a gap analysis and identify areas for improvement before the CPAs get involved.
Once the gap analysis is complete and the selected areas have been improved, the company must verify that the new or changed controls work as intended. It may then schedule an on-site readiness review with an auditor for a more thorough check before going through with the official audit.
5. Perform a Readiness Assessment
A readiness assessment is the last check-up in the pre-audit stage. Often regarded as a dress rehearsal, it is designed to help a company decide what to do first and how to meet the requirements of the chosen trust services criteria.
After the readiness assessment, companies should document all of their security procedures in writing. This is relatively simple and highly beneficial, since written procedures cover everything the audit may touch. Auditors use the written policies as the baseline against which they assess security controls, evaluate procedures, and check whether your systems are kept up to date.
Written procedures also help your employees comply with internal and external rules, ensuring maximum preparedness. Most CPA firms with SOC 2 experience can perform a readiness assessment for you as well.
6. Evaluate and Hire a Certified Auditor
The final item on the checklist is to find and engage an experienced auditor, which must be a licensed CPA firm, ideally one with knowledge of your company's industry. This helps streamline the SOC audit process.
Skilled auditors commonly advise companies and analyze their organizational processes and security measures. Their job is to:
- Work with the company and follow agreed testing and assessment dates
- Provide the company with a list of the necessary documentation before the audit
- Request documented reviews, employee interviews, and scheduled walk-throughs for assessment
- Review issues collaboratively and document all test results
- Deliver the completed report, which for SOC 2 is shared with clients under NDA (only a SOC 3 report may be published to the general public)
Most Common Mistakes During SOC 2 Audits
Here are the most common mistakes to avoid during a SOC 2 audit:
- Not performing a readiness assessment before the audit.
- Not having a defined scope or goals for the applications and infrastructure that will be examined.
- Not documenting security policies, access controls, compliance activities, or procedures.
- Undefined control ownership, so that control owners do not know their responsibilities.
- Lack of internal access and privilege controls.
- Security controls that do not match the documented procedures or do not work at all.
- Attempting to hide existing protocols or procedures from, or deceive, the auditors.
- Not asking for clarification about a specific audit procedure.
- Delaying auditor requests for specific documentation or information.
- Volunteering more information than is requested.
- Poor or non-existent asset inventory and management.
- Lack of third-party risk management (TPRM) processes.
How Can Companies Avoid Common Mistakes During SOC Auditing
Organizations that want to avoid these common blunders during SOC 2 audits should:
- Assign an owner to each control and make sure the owners know exactly what they are responsible for.
- Test all controls periodically, and perform a readiness assessment before the SOC 2 audit.
- Raise organizational awareness, nurture a security culture, and provide SOC 2 training for employees and staff.
- Communicate with the auditor about any areas that may raise red flags or concerns. In other words, be completely transparent and accept that there will be areas for improvement.
- Designate a specific individual to be in charge of the SOC compliance process.