Soc 2 Control Objectives Extra Quality
SOC 2 controls are based on the Trust Services Criteria deemed applicable to your organization. A SOC 2 report focuses on non-financial criteria related to security, availability, confidentiality, processing integrity, and privacy.
Soc 2 Control Objectives
The SOC 2 controls we list here are an overview of those you may need to implement for your SOC 2 report. The ones that are relevant to your business should be selected by your CISO and management team.
SOC 2 controls related to the use of detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities and (2) susceptibilities to newly-discovered vulnerabilities.
SOC 2 controls primarily focus on policies and procedures instead of technical tasks; however, the implementation of technical procedures typically involves building or managing new tools, like endpoint security. These procedures are monitored over time for effectiveness and relayed to audit teams while pursuing a SOC 2 report.
Since SSAE 18 has effectively replaced SSAE 16 (and also SAS 70) and because the SSAE 18 controls and related assertions need to be based on relevant internal control over financial reporting (ICFR), service organizations need to constructively "re-think" their control objectives. Unlike SAS 70, which became a heavily misapplied auditing standard, the new AICPA SOC framework, for which SSAE 16, and now, SSAE 18, falls under, requires service organizations to effectively choose between the SOC 1, SOC 2, or SOC 3 reporting regimens.
A significant number of service organizations that previously underwent SSAE 18 compliance will no doubt be SSAE 18 candidates, due in large part to the services and supporting controls in place that affect the internal control over financial reporting (ICFR) for entities utilizing their services. Great examples of SOC 1 SSAE 18 candidates are the following:
Once you begin documenting your business process lifecycle, you'll start identifying key areas where critical ICFR elements take root, such as certain activities along with supporting procedures and processes that begin to define your control environment. You can then begin to formalize control objectives and their supporting control elements. Speaking with a CPA firm qualified to conduct SSAE 18 assessments can also help the process, as they'll have in-depth experience in many of the above listed industries and business sectors. Most helpful in the process is engaging in a SOC 1 SSAE 18 Readiness Assessment, whereby you can get assistance in documenting your business process life cycle and your description of the "system."
If you've undertaken SAS 70 compliance or even SSAE 16 in the past, you may very well have developed and tested ICFR control objectives, for which you can "carry over" for SOC 1 SSAE 18 testing. You can also work with a CPA firm qualified to conduct SOC 1 SSAE 18 assessments, but ultimately, these are your control objectives from your control environment, for which management is responsible. With that said, here are some sample generic ICFR control objectives for which you may consider.
The auditor should not issue a SOC 1 report without an understanding of the specific and relevant ICFR. Generally, service organizations with relevant control environments to their user but without specific responsibility for identifiable ICFR activities should appropriately define their controls in relation to SOC 2 and/or SOC 3 reporting. Contact Christopher Nickell, CPA, to receive a competitive, fixed fee quote for all your SOC 1 SSAE 16 needs. He can be reached at 1-800-277-5415, ext. 706.
A modified SOC report can be issued if software developers have the ability to introduce changes into the production environment, and this change could not be detected by detective controls in a timely manner by appropriate members of your organization.
In another instance, a qualified SOC report can occur if you cannot demonstrate that adequate controls are in place to support a control objective described in the system description. This is most easily determined by exceptions noted in the test of controls performed.
Your organization would fail to meet all aspects of an objective or criteria if you were to perform backups but lack the controls to ensure the security of the backups, or if you did not periodically test that the backups actually work.
The latest American Institute of Certified Public Accountants (AICPA) 2017 Trust Services Criteria took effect for SOC 2 audit on or after December 15, 2018, allowing for enhanced system and organizational control (SOC) 2 reporting by providing greater coverage over IT governance and operational management.
For more information about the SOC 2 audit process or how your organization can map its current controls and identify gaps, please contact your Moss Adams professional or visit our SOC Examinations page for more information.
System and Organization Controls (SOC) for Service Organizations are internal control reports created by the American Institute of Certified Public Accountants (AICPA). They're intended to examine services provided by a service organization so that end users can assess and address the risk associated with an outsourced service.
Aside from the AICPA Statement on Standards for Attestation Engagements 18 (SSAE 18), the Office 365 SOC 1 Type 2 audit is conducted in accordance with the International Standard on Assurance Engagements No. 3402 (ISAE 3402). The SOC 1 attestation has replaced SAS 70, and it's appropriate for reporting on controls at a service organization relevant to user entities internal controls over financial reporting. A Type 2 report includes auditor's opinion on the control effectiveness to achieve the related control objectives during the specified monitoring period.
Because Microsoft doesn't control the investigative scope of the examination nor the timeframe of the auditor's completion, there's no set timeframe when these reports are issued. The reports are usually issued a few months after the end of the period under examination. Microsoft doesn't allow any gaps in the consecutive periods of examination from one examination to the next.
Most examinations have some observations on one or more of the specific controls examined. This is to be expected. Management responses to any exceptions are located towards the end of the SOC attestation report. Search the document for 'Management Response'.
User entity responsibilities are your control responsibilities necessary if the system as a whole is to meet the SOC 2 control standards. These are located at the very end of the SOC attestation report. Search the document for 'User Entity Responsibilities'.
Unlike PCI DSS, which has very rigid requirements, SOC 2 reports are unique to each organization. In line with specific business practices, each designs its own controls to comply with one or more of the trust principles.
The security principle refers to protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.
Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.
The COSO framework was established in 1992, but updated in 2013 to address evolving technology, environments, governance, and regulations. SOC 1, 2, and 3 reports all have some type of inclusion of the COSO framework. The COSO internal control framework outlines objectives, components, and principles. What are the three objectives of COSO and why are they important?
Controls at a Service Organization refer to the controls that are in place at your company. Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control. Typically a service auditor will perform testing, beyond P&P, around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without the additional testing, it would be impossible have comfort that they are actually being followed. Simply put, good policies and procedures will only get you so far during an audit because you still need to prove to the auditors that the functions management say are being performed are being carried out correctly. This information is also consistent with SSAE-18 which is effective as of May 1, 2017.
For 50 years and counting, ISACA has been helping information systems governance, control, risk, security, audit/assurance and business and cybersecurity professionals, and enterprises succeed. Our community of professionals is committed to lifetime learning, career progression and sharing expertise for the benefit of individuals and organizations around the globe.
ISACA is fully tooled and ready to raise your personal or enterprise knowledge and skills base. No matter how broad or deep you want to go or take your team, ISACA has the structured, proven and flexible training options to take you from any level to new heights and destinations in IT audit, risk management, control, information security, cybersecurity, IT governance and beyond.
Ineffective governance has a substantial impact on business alignment and risk management. Malformed alignment can result in improper identification of sensitive data, critical services and substandard security controls.