Preparation and Reporting for SOC Audits Based on ISAE 3402 and SSAE 16 Audit Standards
A SOC audit is often a prerequisite for service organisations to partner with or provide services to tier-one organisations in the supply chain. Pursuit of a SOC audit usually stems from the demands of tier-one clients such as financial institutions.
SSAE 16 and ISAE 3402 are independent, industry-recognised, third-party assurance standards that are used to audit service organisations, such as outsourced hosting providers and Cloud service providers. SSAE 16 and ISAE 3402 (often referred to as SOC audits) have replaced SAS 70 as the new global standards for assurance reporting for service organisations. (Many organisations that have undergone a SAS 70 in the past will now require a SOC 2 (II) report.)
The American Institute of Certified Public Accountants (AICPA) manages the Service Organization Controls (SOC) reporting structure. The service organisation is audited against SSAE 16 or ISAE 3402, and the SOC report is the output of the audit.
Who can perform a SOC audit?
A SOC audit can only be performed by an independent certified public accountant (CPA) or accountancy organisation. The CPA organisations that perform SOC audits must adhere to specific professional standards established by the AICPA. Members of the AICPA are required to follow specific guidance related to planning, execution and supervision of the audit procedures. In addition, member organisations are required to undergo a peer review to ensure that the firm's audits are conducted in accordance with generally accepted auditing standards.
The CPA organisation may employ non-CPA professionals who have relevant information technology and security skills to participate in a SOC audit. However, the final report must be reviewed and issued by a CPA. This is particularly important if an organisation's auditors plan to rely on the results of service auditor's tests.
Get end-to-end SOC reporting support
IT Governance can assist with the full SOC process, from conducting a readiness assessment and applying the necessary remedial measures, through to testing and reporting, by virtue of its partnership with a leading PCAOB-registered CPA firm.
Contact us now for a quote by emailing firstname.lastname@example.org or calling 00 800 48 484 484.
What type of SOC audit do you need?
SOC 1 (I) audit
A SOC 1 (I) audit reports on a service organisation’s services and controls relevant to user entities’ internal control over financial reporting. Use of a SOC 1 report is restricted to existing clients and is not intended for marketing purposes.
SOC 2 (II) audit
A SOC 2 (II) audit reports on a service organisation’s services and controls relevant to security, availability, processing integrity, confidentiality and privacy. Many organisations outsource tasks or functions to service organisations that operate, collect, process, transmit, store, organise, maintain and dispose of information for user entities.
The report provides a description of the service organisation’s system, a description of the controls, control objectives relating to the system description, and tests performed by the service auditor on these controls and the results of those tests. A SOC 2 report is generally a restricted-use report for existing clients.
There are two types of SOC 1 (I) and SOC 2 (II) reports:
- Type 1 (I) — a report carried out on a specified date.
- Type 2 (II) — a report carried out throughout a specified period, usually a minimum of six months.
Some user organisations require their service providers to undergo the Type 2 examination for the greater level of assurance and reporting detail it provides.
SOC 2 (II) reports specifically address one or more of the key system attributes:
- Security – The system is protected against unauthorised access (both physical and logical).
- Availability – The system is available for operational use as committed or agreed.
- Processing integrity – System processing is complete, accurate, timely and authorised.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in generally accepted privacy principles issued by the AICPA.
SOC 3 (III) audit
A SOC 3 (III) audit is carried out on a particular date and provides a snapshot of the service organisation when the audit is conducted. It reports on non-financial processing based on the Trust Services Principles and Criteria.
The Trust Services Principles and Criteria are a set of professional attestation and advisory services that form the basis for both the WebTrustTM and SysTrustSM services. The Trust Services are a broad-based set of principles and criteria put forth by the American Institute of Certified Public Accountants (AICPA) to maintain the privacy and confidentiality of information.
In order to gain the trust of key stakeholders, many companies choose to undergo a WebTrustTM or SysTrustSM audit, which is performed by a licensed CPA when a SOC 1 (I) or SOC 2 (II) audit is not appropriate.
SOC 3 (III) reports can be issued on one or more of the five Trust Services principles:
- Processing integrity
A SOC 3 (III) report is a general-use report that provides only the auditor’s report on whether the system achieved the Trust Services criteria. It also permits the service organisation to use the SOC 3 SysTrust seal on its website.
ISO 27001 and SOC audits
Service organisations that employ an ISO 27001 framework are able to demonstrate to their partners and customers that they are 100% committed to service availability, security and data protection.
By applying the management framework outlined by ISO 27001 and certifying against this standard, you will be able to prove to your clients that your organisation holds data security of paramount importance, giving you a head start on passing a SOC 2 (II) or SOC 3 (III) audit the first time around.
How can IT Governance help?
IT Governance can provide assistance throughout the entire SOC preparation, remediation, testing and reporting process.
Readiness assessment and remediation
IT Governance will identify and advise on which SOC engagement is best suited to your organisation, and perform a gap analysis to identify any shortfalls once the correct SOC path has been identified.
We can also help you put together a suitable service description and management attestation.
Our expert information security risk consultants are also experienced in helping organisations prepare for a successful SOC 1 (I), 2 (II) or 3 (III) audit by advising on the correct controls to meet the trust criteria.
These controls can be selected from existing international standards on information and cyber security, i.e. ISO 27001:2013, the 20 Critical Security Controls, Cloud-specific controls such as the Cloud Control Matrix, or any combination of a set of customised, organisation-specific controls.
Testing and reporting
IT Governance has partnered with a leading PCAOB -registered CPA firm that will apply a proven, three-phase methodology within the standards established by the AICPA in order to undertake the required testing and reporting.
IT Governance will facilitate this process and put the client in touch with our partners, who can deliver the full project remotely, if need be, at a fraction of the costs demanded by big four accounting firms.
This process involves:
- Scoping the audit
- Developing a project plan
- Risk assessment
- Identification of controls
- Testing of controls for design and/or operating effectiveness
- Documenting the results
- Delivering and communicating the client report
Speak to an expert
Whatever the nature or size of your problem, we are here to help. Get in touch today using one of the contact methods below.