What is a SOC audit?
SOC (System and Organization Controls – formerly Service Organization Controls) audits are an independent assessment of the risks associated with using service organisations and other third parties.
They are essential to regulatory oversight, vendor management programmes, internal governance and risk management.
There are three levels of SOC audit for service organisations:
- SOC 1 audits relate to organisations’ ICFR (internal control over financial reporting). They are conducted against the assurance standards ISAE (International Standard for Assurance Engagements) 3402 or SSAE (Statement on Standards for Attestation Engagements) 18.
- SOC 2 audits assess service organisations’ security, availability, processing integrity, confidentiality and privacy controls against the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria), in accordance with SSAE 18. A SOC 2 report is generally used for existing or prospective clients.
  In the UK, SOC 2 audits can also be carried out against ISAE 3000. You can learn more about using the ISAEs for SOC 2 examinations in the AICPA document SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
- SOC 3 audits are like SOC 2 audits, but their reports are much more concise and designed for a general audience.
SOC 1 and SOC 2 audits are divided into two types:
- Type 1 – an audit carried out on a specified date.
- Type 2 – an audit carried out over a specified period, usually a minimum of six months.
SOC 3 audits are always Type 2.
The AICPA has also developed SOC for cybersecurity and SOC for Supply Chain.
Speak to a SOC 2 expert
If you need more information about SOC Type 2 compliance or are unsure whether your organisation needs a SOC 2 audit, our experts can help. Call us now on +44 (0)333 800 7000, or request a call using the form below.
What is a SOC 2 audit report?
A SOC 2 audit report provides detailed information and assurance about a service organisation’s security, availability, processing integrity, confidentiality and privacy controls, based on their compliance with the AICPA’s TSC, in accordance with SSAE 18.
It includes:
- An opinion letter.
- Management assertion.
- A detailed description of the system or service.
- Details of the selected trust services categories.
- Tests of controls and the results of testing.
- Optional additional information, such as technical information or plans for new systems, details about business continuity planning, or the clarification of contextual issues.
It also specifies whether the service organisation complies with the TSC.
What are the AICPA TSC?
The TSC are industry-recognised, third-party control criteria for auditing service organisations. They are divided into 5 trust services categories – security, availability, processing integrity, confidentiality and privacy.
Criteria common to these 5 categories are aligned with the 17 principles in the 2013 COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework.
The common criteria cover:
- The control environment
- Communication and information
- Risk assessment
- Monitoring of controls
- Control activities related to the design and implementation of controls
In addition to these 17 common criteria, there are supplemental criteria for four of the five trust services categories. (The security category has no supplemental criteria of its own.) These supplemental criteria can also apply to any or all of the other categories. For instance, criteria related to logical access can apply to all five categories.
The supplemental criteria cover:
- Logical and physical access controls
- System operations
- Change management
- Risk mitigation
Trust services categories
Service organisations must select which of the five trust services categories they must cover to mitigate the key risks to the service or system that they provide:
1. Security
“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”
This is the only mandatory trust services category.
2. Availability
“Information and systems are available for operation and use to meet the entity’s objectives.”
3. Processing integrity
“System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”
4. Confidentiality
“Information designated as confidential is protected to meet the entity’s objectives.”
5. Privacy
“Personal information is collected, used, retained, disclosed and disposed of to meet the entity’s objectives.”
Who are SOC 2 audits designed for?
SOC 2 audits are aimed at organisations that provide services and systems to client organisations (for example, Cloud service providers, software providers and developers, web marketing companies and financial services organisations).
A client company might ask the service organisation to provide an assurance audit report, particularly if confidential or private data is entrusted to the service organisation.
If your organisation provides Cloud services, a SOC 2 audit report will go a long way to establishing trust with customers and stakeholders. A SOC 2 audit is often a prerequisite for service organisations to partner with or provide services to tier one companies in the supply chain.
Who can perform a SOC audit?
In the US, a SOC audit can only be performed by an independent CPA (Certified Public Accountant) or accountancy organisation.
SOC auditors are regulated by, and must adhere to specific professional standards established by, the AICPA. They are also required to follow specific guidance related to planning, executing and supervising audit procedures. AICPA members are also required to undergo a peer review to ensure their audits are conducted in accordance with accepted auditing standards.
CPA organisations may employ non-CPA professionals with relevant IT and security skills to prepare for a SOC audit, but the final report must be provided and issued by a CPA. A successful SOC audit carried out by a CPA permits the service organisation to use the AICPA logo on its website.
In the UK, SOC audits can be conducted by a qualified member of the ICAEW (Institute of Chartered Accountants in England and Wales) or an equivalent organisation.
SOC 2 and ISO 27001
Certification to ISO 27001, the international standard for information security management, shows that an organisation has implemented an ISMS (information security management system) that conforms to information security best practice.
Whereas an ISO 27001 certification audit assesses an organisation’s information security controls at a given time, a SOC 2 Type 2 audit is more comprehensive, covering several months, and results in a formal attestation rather than a certificate.
It might therefore be argued that a SOC 2 Type 2 report provides greater – and more specific – assurance than ISO 27001 certification.
However, a SOC 2 audit report is the opinion of the auditor – there is no compliance framework or certification scheme. With ISO 27001 certification, an accredited certification body confirms that the organisation has implemented an ISMS that conforms to the Standard’s best practice.
Just as there are benefits to both ISO 27001 and SOC 2, there is sufficient overlap between SOC 2 and ISO 27001 to justify addressing them simultaneously and incorporating your SOC 2 compliance into your ISO 27001-compliant ISMS.
For instance, you can structure your risk assessment and risk treatment plan to account for the five SOC 2 and SOC 3 trust services categories (security, availability, processing integrity, confidentiality and privacy).
For more information about the similarities and differences between SOC 2 and ISO 27001, watch our free webinar, ISO 27001 vs SOC 2: What’s the difference?
IT Governance SOC 2 services
SOC 2 Readiness Assessment
This consultancy service has been designed to help you prepare for and pass a SOC 2 audit. It evaluates your organisation’s audit-readiness by assessing the suitability of the TSC risk-mitigating controls to the service(s) you offer.
The SOC 2 Readiness Assessment results in a detailed report that identifies any areas in which your controls fall short of the required standard.
This service includes advice on defining a suitable audit scope, guidance in compiling the content of the service or system description, and assistance in identifying which of the TSC are relevant to your organisation’s key risks.
SOC 2 Remediation Service
The SOC 2 Remediation Service can help you rectify any compliance gaps identified by our SOC 2 Readiness Assessment. Remediation consultancy is specific to each organisation but typically could include the following:
- Development of policies/procedures and modification of existing policies/procedures;
- Conducting a risk assessment;
- Selecting appropriate controls; and
- Testing to ensure that new controls have been implemented and are operating effectively.
SOC 2 Maintenance Service
Although SOC 2 reports do not technically expire, they are generally considered valid for 12 months.
Once you’ve passed your SOC 2 audit, you’ll therefore want to maintain your compliance with your selected TSC to ensure your recertification audit goes as smoothly as possible – after all, no one wants to start again from scratch the following year, especially if they also have to add extra security controls to meet the requirements of new clients.
Our extensive expertise helping organisations implement and maintain information security best practices means we can support you as you embed the controls you need to operate securely.
Why choose IT Governance?
IT Governance specialises in providing IT governance, risk management and compliance solutions and consultancy services, focusing on information security and ISO 27001, cyber security, data privacy and business continuity.
In an increasingly punitive and privacy-focused business environment, we are committed to helping organisations protect themselves and their customers from cyber threats.
Our deep industry expertise and pragmatic approach help our clients improve their defences and make critical strategic decisions that benefit the entire organisation.
Speak to an expert
For more information on how IT Governance can help with your SOC 2 audit, please contact us.