SOC 2: How to Comply with the Tough New Changes
Companies that want a SOC 2 report (often loosely called SOC 2 certification) are scrambling to get in front of new requirements from the American Institute of Certified Public Accountants (AICPA).
The AICPA has released additional guidance on what a SOC 2 audit must cover. SOC 2 reports for periods ending after December 15, 2018 must be issued against the revised Trust Services Criteria.
Having just helped a company finish a SOC 2 audit, we know first-hand that the new rules add significant work to a compliance audit, so it is important to understand what the ongoing SOC 2 audit process now involves.
Three Tough New SOC 2 Changes
Three new SOC 2 rules put a greater burden on companies, requiring more stringent data handling practices:
- File integrity monitoring – this new rule relates to detecting changes to files and configurations that are unauthorized, or that may introduce vulnerabilities and add risk to your organization. It is a best practice that not only gives you valuable insight into your technical environment, but also adds another layer of data security.
- Third-party vendor risk management – these new standards require third-party vendor commitments to be reviewed and updated annually. In light of these changes, it is important to obtain a SOC report covering your company's software vendors, as well as data centers and all other subservice organizations.
- Whistleblower policy – firms must provide a method by which internal personnel and external users of the system can report potential fraud anonymously. Setting up a whistleblower hotline or messaging system is one more piece that you need to put in place now.
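To make the file integrity monitoring requirement concrete, here is an added example of the core mechanism a FIM tool implements: snapshot the SHA-256 hash, size and permission bits of every file under a directory, persist that baseline, and later diff a fresh snapshot against it to report added, removed and modified files. This is illustrative Python written for this article, not code from the original post or from any FIM product; the directory layout and file contents in `demo()` are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Snapshot every regular file under root (symlinks skipped) as
    {relative_path: {"sha256", "mode", "size"}}."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        snapshot[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "mode": st.st_mode & 0o7777,  # permission bits only; a chmod is a change worth seeing
            "size": st.st_size,
        }
    return snapshot


def save_baseline(snapshot, baseline_file):
    """Persist the baseline. In production keep this off the monitored host
    or sign it, otherwise an attacker can rewrite the baseline along with the files."""
    Path(baseline_file).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(baseline_file):
    return json.loads(Path(baseline_file).read_text())


def compare(baseline, current):
    """Diff two snapshots. 'modified' maps each changed path to the attributes that differ."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    modified = {}
    for rel in sorted(baseline.keys() & current.keys()):
        changed = [k for k in ("sha256", "mode", "size") if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then diff.
    Returns the comparison report so it can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "old.conf").write_text("legacy\n")
        (root / "bin" / "server").write_bytes(b"\x7fELF original build")

        baseline_file = root.parent / "fim-baseline.json"  # outside the monitored tree
        save_baseline(build_baseline(root), baseline_file)

        # Simulated unauthorized changes: edited config, dropped binary, deleted file.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF unexpected")
        (root / "etc" / "old.conf").unlink()

        report = compare(load_baseline(baseline_file), build_baseline(root))
        baseline_file.unlink()
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points an auditor will probe that this sketch only hints at: the baseline must be protected (stored off-host or signed) so a change to the baseline is itself detected, and each reported change needs a documented review and approval trail, since the SOC 2 control is about responding to unauthorized changes, not merely listing them. Production deployments normally use a purpose-built agent (for example AIDE, Tripwire, OSSEC or Wazuh) that also handles scheduling, alerting and tamper resistance.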
Most of the other rules may require some process changes and documentation. For instance, the new SOC 2 rules govern how key management processes and data disposal policies are implemented. In general, the changes make data holders more vigilant about the various risks and threats to data assets, including those that are off-premises.
SOC 2 auditor selection
The difference between a successful and an unsuccessful audit can depend on the strength of your auditor. We have found that the keys to selecting a good SOC 2 auditor are:
- Having an audit team with significant SOC 2 experience. Having an auditor that is not familiar with SOC 2 can cause you countless hours of frustration. Sometimes the audit firm has done plenty of SOC 2 assessments, but the specific auditor has not! Make sure that your auditing firm commits to sending you an experienced SOC 2 auditor.
- Committing to a schedule. You want a commitment from your auditor on when the audit will be performed and when the report will be delivered, including a deadline for issuing the report after fieldwork is complete. One company we know of had to wait eight months from the time their audit was finished to the issuance of their report!
- Getting a readiness assessment. Companies performing their first audit should get the auditor to perform a readiness assessment. This step will show you exactly what gaps you have remaining for the successful audit.
- Reviewing work. If you have a readiness assessment, make sure the auditor will take its results into consideration in the final review; otherwise you are duplicating effort. Tens or hundreds of person-hours of rework might sound excessive, but that is what you face if you don't get credit for what has already been done.
Scoping the SOC 2 Audit
Scoping the SOC 2 audit is a crucial step, and there are always several questions when it comes to defining the scope of the audit.
Audit professionals will carefully consider what should be included in the scope of the audit and which principles should be selected.
Defining the scope too narrowly might lead to an inability to provide customers the assurance that they need. It might also prompt more audits in the future.
On the other hand, define an audit too broadly, and you would be wasting money and disrupting daily operations during the audit process. A firm undergoing an important audit will need to strike the right balance. The audit should focus on the cloud services being delivered. This will also help to define which control principles you need and how they can be implemented to limit your risk.
Trust Services Criteria
SOC 2 compliance is organized around five trust services categories (historically called principles). These serve as the control criteria used in interactions between client companies, consultants and other stakeholders. Auditors evaluate and report on controls over information and systems. The five categories that encapsulate these controls are:
- Security – systems are protected against unauthorized access, both physically and logically
- Availability – a system is available for operation and use, as committed to or agreed on in planning
- Processing Integrity – system processing is complete, accurate, timely and authorized
- Confidentiality – information designated as confidential is protected as committed to or agreed on in planning
- Privacy – personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments made
Also, those planning an audit must understand that not every SOC 2 audit covers all five categories. Security is always in scope; the other four are selected based on the commitments you make to customers. For instance, many business-to-business companies do not include the Privacy category.
SOC 1 vs SOC 2
The SOC 1 audit focuses on company controls that are likely to be relevant to an audit of the customer’s financial statements. To put it in simple words- if you are hosting financial information that could affect your client’s financial reporting, then a SOC 1 audit makes the most sense for your organization.
The SOC 2 report addresses company controls that relate to operations and compliance, as outlined by the AICPA’s Trust Services Criteria. The report includes a detailed description of the service auditor’s test of controls and results. If a company is hosting or processing any other type of information for clients that does not impact their financial reporting, stakeholders might ask for a SOC 2 audit report. The SOC 2 report should satisfy customers regarding concerns like – “Is data being handled in a secure way? Is it available as spelled out in a service contract?”
There might be instances where it is appropriate for a company to obtain both SOC 1 and SOC 2 reports. Typically this happens when a firm has multiple service offerings: one may process financial information on behalf of the client, while another stores or transmits sensitive client data. In such cases, SOC 1 and SOC 2 reports together ensure that controls meet the demands of a variety of clients and stakeholders.
Type I vs Type II
The difference between Type I and Type II is what the auditor attests to. A Type I report verifies that controls are suitably designed and in place at a specific point in time. A Type II report additionally tests that the controls operated effectively over a continuous review period, typically at least six months.
Product vs company
Should you scope the SOC 2 to your product or your company? Customers probably want your product covered under the SOC 2. If your company processes important data then potentially the whole company should be in scope. The controls you will need to put in place and the amount of work for your organization can vary significantly.
Closing the SOC 2 Audit Gap
Your auditor may give you a list of what they are expecting in order to perform a SOC 2 audit. This list can be daunting. If you don’t have full-time staff filling out these answers, it can be a significant burden on your organization.
Closing the gap for a SOC 2 audit can be challenging. Our clients rely on us to create and edit the documentation. We also help them identify and close gaps for their SOC 2 audits.
If you would like help with your SOC 2 audit or your cybersecurity strategy, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658-3276 or by email at [email protected].