Start your SOC Audit Preparation today!

ControlCase helps companies understand and prepare for their SOC Attestations


ControlCase is a global provider of IT Certification and Continuous Compliance services.
Our offerings enable clients to effectively manage their IT Governance, Risk and Compliance.

  • On-time compliance to SOC 2 Type 2
  • Receive PCI DSS, ISO 27001, or HIPAA compliance reports as part of your assessment
  • Avoid checklist auditors – ControlCase uses a partnership approach


Automate Evidence Collection


ControlCase's SOC 2 Type 2 examination is conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA).
 
The assessment aims to obtain reasonable assurance that an organization’s service/systems were designed and implemented based on the criteria set forth in DC 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report.
 
The assessment also provides assurance that service commitments and system requirements were achieved based on the applicable trust services criteria for Security, Availability, Processing Integrity, Confidentiality, and/or Privacy principles set forth in TSC 100, 2017 Trust Services Criteria.


SOC 2 Type 2 Compliance FAQ


What does SOC stand for?


SOC stands for System and Organization Controls and represents a set of compliance standards developed by the American Institute of CPAs (AICPA) – a network of over 400,000 professionals across the globe. SOC Audits aim to examine the policies, procedures and internal controls of an organization.
 

What are the 3 SOC Audits & Reports?


SOC 1 – Reports on the processes and controls that influence the organization’s internal control over financial reporting (ICFR). SOC 1 is also a standard assessment report required by user entities to comply with the Sarbanes-Oxley Act (SOX).
SOC 2 – Designed for service organizations and reports on non-financial controls. Focuses on five key trust services criteria (formerly called trust services principles), or TSCs. SOC 2 outlines the standards that are necessary to keep sensitive data private and secure while it’s in transit or at rest.
SOC 3 – SOC 3 is similar to SOC 2 in terms of the audit criteria. The main difference is in the reporting – SOC 2 is tailored for sharing with specific organizations, whereas SOC 3 reports are more applicable for general audiences and therefore made publicly available.
 

What are the 2 types of reports for SOC 1 and SOC 2?


Type 1 Report – Applicable when the service organization has not been in operation for a sufficient length of time to enable the service auditor to gather sufficient appropriate evidence regarding the operating effectiveness of controls; it is therefore a “point in time” report. The Type 1 Report is also for service organizations that have recently made significant changes to their system and related controls and do not have a sufficient history with a stable system to enable a Type 2 engagement to be performed.
Type 2 Report – Applicable for service organizations that have a long-running, stable system capable of demonstrating the effectiveness of the design of controls over a defined retrospective period of time, normally no less than 6 months and no longer than 12 months.
 

Who does SOC 2 Apply To?


SOC 2 applies to any organization that wants to demonstrate to the organizations it works with the controls it has in place for Security, Availability, Confidentiality, Processing Integrity and Privacy, or any combination of these, as part of third-party relationships. It also applies to organizations that store customer data in the cloud, as well as third-party service providers such as cloud storage, web hosting and software-as-a-service (SaaS) companies.
 

What is SOC 2 Compliance?


SOC 2 focuses on non-financial reporting of internal controls and systems. By complying with SOC 2, organizations protect the confidentiality and privacy of data that’s stored in cloud environments. Additionally, SOC 2 compliance helps service providers show that the privacy, confidentiality and integrity of customers’ data is a priority.
 

What are the SOC 2 “Trust Service Criteria” (TSCs)?


1. Security
Security is included in all SOC Audits. It covers common criteria related to protecting data and systems. The Security TSC aims to ensure information and systems are protected against unauthorized access, disclosure and damage.
2. Availability
The Availability TSC addresses accessibility and aims to assess the data that customers receive and how readily available it is. It also reviews accessibility for operations, monitoring, and maintenance of data.
3. Processing Integrity
The Processing Integrity TSC ensures systems are processing the data as authorized and assesses the accuracy, completeness, validity, and timeliness of the data. It also validates that systems are achieving the goals and purposes that they were designed to achieve.
4. Confidentiality
This TSC aims to ensure “confidential” data remains protected and secure. It encourages encryption for in-transit data as well as client certificates and personal authentication certificates.
5. Privacy
This TSC addresses how data is collected, used, disclosed, retained, and disposed of. It aims to ensure the confidentiality and security of personally identifiable information (PII). PII includes name, social security numbers, contact information, addresses, etc. It is required that organizations demonstrate that they protect and handle personal information securely.
 

What are the SOC 2 Common Criteria?


Each of the 5 SOC 2 TSCs is made up of nine specific sub-categories:
1. Control environment (CC1)
2. Communication and information (CC2)
3. Risk assessment (CC3)
4. Monitoring of controls (CC4)
5. Control activities related to the design and implementation of controls (CC5)
6. Logical and physical access controls (CC6)
7. System operations (CC7)
8. Change management (CC8)
9. Risk mitigation (CC9)

 

What SOC is NOT


SOC is not a certification. SOC 1 and SOC 2 are ATTESTATIONS of whether the controls, as defined, are functioning or not, and whether they operate as designed.
 

What is SOC 2 Attestation?


SOC attestation is a type of audit report that attests to the trustworthiness of services provided by a service organization.
 

What is a SOC 2 Report?


There are 2 types of SOC 2 reports:
SOC 2 Type 1 – Outlines management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls. This report evaluates the controls at a specific point in time.
SOC 2 Type 2 – Focuses not just on the description and design of the controls, but also on actually evaluating their operating effectiveness. The report evaluates controls over an extended period of time to ensure the effectiveness of the controls (potentially taking several months).
 

Who can perform a SOC 2 audit?


AICPA requires that SOC audits and reports are performed only by independent, licensed CPAs.
 

How do Managed Service Providers (MSPs) comply with SOC 2?


The primary concern that businesses have when it comes to MSPs is security (the potential for data breaches and leaks); therefore SOC 2 compliance can help MSPs attract more clients. MSPs can comply with SOC 2 by starting with a readiness assessment (provided by ControlCase) and then bringing in a CPA for the audit.
 

How to lower the cost of a SOC 2 audit?


1. Security Expertise – It is important to find a knowledgeable partner that can assist in creating and implementing controls for SOC 2 Type 2.
2. Collaborate – Ensure all business stakeholders are involved early and often. This will enable the prompt handling of strategic components and other key logistics on an ongoing basis.
3. Commitment – Ensure all stakeholders understand, agree and acknowledge the benefits of becoming SOC 2 attested. Establishing this will drive commitment to the project and ensure accountability.
4. Engage Leadership – Gaining buy-in from the highest levels of the organization as early as possible will help ensure resource allocation, budget and commitment from the rest of the team.

Get SOC 2 Compliant
PCI Security Standards Council Qualified Security Assessor
TagCyber Distinguished Vendor
HITRUST Authorized External Assessor
CSA STAR Assessor