System and Organization Controls
System and Organization Controls (SOC), also sometimes referred to as service organization controls, as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Services Criteria.[1]

The Trust Services Criteria were established by the AICPA through its Assurance Services Executive Committee (ASEC) in 2017 (2017 TSC). These control criteria are used by the practitioner/examiner (a Certified Public Accountant, CPA) in attestation or consulting engagements to evaluate and report on controls of information systems offered as a service. The engagements can be done on an entity-wide, subsidiary, division, operating unit, product line or functional area basis. The Trust Services Criteria were modeled in conformity with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework (COSO Framework). In addition, the Trust Services Criteria can be mapped to NIST SP 800-53 controls and to EU General Data Protection Regulation (GDPR) Articles.

The AICPA attestation standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.
Learn the Basics of SOC 2 Compliance
Organizations that handle client data are expected to show that they are trustworthy, secure and reliable. A SOC 2 report is one widely accepted way for a service organization to demonstrate this to its clients.
SOC 2 is a reporting framework commonly used by technology service and SaaS companies that store or process customer data in the cloud. It is voluntary rather than a legal requirement, but customers frequently ask for a SOC 2 report as part of vendor due diligence. A SOC 2 report provides an independent opinion on whether the organization's controls are suitably designed (and, for a Type 2 report, operating effectively) to protect the data of its clients and customers.[2]
What is SOC 2 compliance?
SOC 2 is a reporting framework developed by the American Institute of CPAs (AICPA). The report itself does not protect client information; it is an attestation by an independent CPA that the controls the organization uses to protect that information meet the criteria in scope.
The framework is organized around the five trust services categories (historically called trust services principles): security, availability, processing integrity, confidentiality, and privacy.
What are the five trust services categories?
1. Security is the protection of information and systems against unauthorized access, unauthorized disclosure and damage that could compromise availability, integrity, confidentiality or privacy. Controls that typically support this category include multi-factor authentication, network firewalls, intrusion detection and logging. Security is the only category that is required in every SOC 2 report; the other four are included only when they are relevant to the service.
2. Availability refers to whether the systems, software and information used to deliver the service are available for operation and use as committed or agreed. This category covers how operations are run, monitored and maintained, whether the organization meets minimally acceptable performance levels, and how it assesses and mitigates threats to availability such as capacity exhaustion and outages.
3. Processing integrity addresses whether system processing is complete, valid, accurate, timely and authorized, that is, free of error, delay, omission and unauthorized or unintentional manipulation. Controls here verify that data processing operations are authorized, complete and accurate.
4. Confidentiality covers the organization's ability to protect information designated as confidential so that it is accessible only to a limited set of authorized parties. This includes information such as business plans and intellectual property, client data intended solely for specific personnel, and any information whose protection is required by law, regulation or contractual agreement.
5. Privacy addresses how personally identifiable information about individuals is collected, used, retained, disclosed and disposed of in conformity with the organization's privacy notice and the applicable criteria. This data includes names, social security numbers and addresses, as well as sensitive attributes such as race, ethnicity or health information. Privacy applies only to personal information, whereas confidentiality applies to any information designated as confidential.
Remember: SOC 2 is not a prescriptive list of controls, tools or processes that must be implemented.
It instead lists the criteria that the organization's controls must satisfy, leaving the organization free to choose practices and processes that fit its objectives, operations and risks. The auditor then evaluates whether the controls the organization has chosen meet those criteria.
SOC 2 Type 1 vs. SOC 2 Type 2
The two report types differ in two respects:
1. The time frame covered, and
2. The subject matter covered.
A SOC 2 Type 1 report is a point-in-time report. It covers the description of the system and whether the controls are suitably designed as of a specified date; it does not test whether those controls actually operated.
An organization can therefore begin a Type 1 examination as soon as its controls are designed and in place.
The question a Type 1 report answers is: are the controls, as designed on that date, suitable to meet the applicable trust services criteria?
A SOC 2 Type 2 report covers a period of time. It addresses both the suitability of the design and the operating effectiveness of the controls throughout that period.
The controls therefore have to operate consistently across the whole review period (typically six to twelve months), and the auditor tests evidence, such as access reviews, change tickets and monitoring records, sampled from across that period.
The question a Type 2 report answers is: were the controls suitably designed and did they operate effectively throughout the period?
Deciding which of these questions the organization needs to answer is the first step in planning a SOC 2 program.
To whom does SOC 2 apply?
As noted above, SOC 2 is relevant to any technology service or SaaS provider that handles or stores customer data on behalf of its clients.
Third-party vendors, support organizations and other partners that have access to an organization's data or systems are commonly asked to provide their own SOC 2 reports as part of vendor risk management.[3] Reviewing those reports, including the complementary user entity controls they list, helps confirm that the safeguards across the supply chain are effective rather than assumed.
What are the advantages of a SOC 2 report?
Strictly, SOC 2 is an attestation rather than a certification: the outcome is an auditor's opinion on the organization's controls, not a certificate, and there is no pass/fail mark. SOC 2 nonetheless requires an organization to develop and implement information security policies and procedures that are aligned with its goals.
For a Type 2 report the controls are observed over a review period of typically six to twelve months, which keeps the organization's security measures under continuing scrutiny as cloud data protection requirements evolve.
A SOC 2 report gives clients and their customers assurance that the organization has the infrastructure, tools and processes to protect their data from unauthorized access, both from inside and outside the firm.
A SOC 2 program typically results in the following:
1. The organization understands what normal operations look like and regularly monitors for malicious or unidentified activity. It documents system configuration changes and keeps track of user access levels.
2. The organization has tools to detect threats and notify the appropriate parties, allowing them to evaluate the risks and take the required actions to protect data and systems from unauthorized access or use.
3. The organization has access to relevant data about any security incident, allowing it to assess the scope of the problem, remediate systems or processes as needed, and restore data and processing integrity.
How can compliance management tooling help?
Compliance management software[4] can support a SOC 2 program by mapping business processes and in-scope systems to the trust services criteria, collecting evidence of control operation, and identifying gaps to be remediated before the examination. Such tools assist with preparation and evidence gathering; the examination itself and the report must still be performed and issued by an independent CPA firm.
If an organization handles or stores customer data, a SOC 2 report is a widely recognized way to demonstrate that it has the processes and practices in place to protect that data.
Trust Service Criteria
The Trust Services Criteria were designed to provide flexibility in application so that they can suit the particular controls an organization implements to address the particular risks and threats it faces. This is in contrast to control frameworks that mandate specific controls whether or not they are applicable. Applying the Trust Services Criteria to an actual situation requires judgement as to suitability. The Trust Services Criteria are used when "evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, processing integrity, confidentiality or privacy of information and systems used to provide product or services" (AICPA, ASEC).
The Trust Services Criteria are organized to align with the 17 principles of the COSO framework, with additional supplemental criteria on logical and physical access controls, system operations, change management and risk mitigation. The criteria shared by all five categories are the Common Criteria (CC); the availability, processing integrity, confidentiality and privacy categories each add their own category-specific criteria.
The common criteria series are Control environment (CC1.x), Communication and information (CC2.x), Risk assessment (CC3.x), Monitoring activities (CC4.x), Control activities (CC5.x), Logical and physical access controls (CC6.x), System operations (CC7.x), Change management (CC8.x) and Risk mitigation (CC9.x). The common criteria are sufficient and complete for an engagement that covers only the security category. There are additional category-specific criteria for Availability (A.x), Processing integrity (PI.x), Confidentiality (C.x) and Privacy (P.x). The criteria for each trust services category included in an engagement are considered complete only when all criteria associated with that category are addressed.
SOC 2 reports focus on controls addressed by five semi-overlapping categories called Trust Services Criteria, which also support the CIA triad of information security:[1]
- Security - information and systems are protected against unauthorized access and disclosure, and damage to the system that could compromise the availability, confidentiality, integrity and privacy of the system. Example controls:
  - Firewalls
  - Intrusion detection
  - Multi-factor authentication
- Availability - information and systems are available for operational use. Example controls:
  - Performance monitoring
  - Disaster recovery
  - Incident handling
- Confidentiality - information is protected and available on a legitimate need-to-know basis. Applies to various types of sensitive information. Example controls:
  - Encryption
  - Access controls
  - Firewalls
- Processing Integrity - system processing is complete, valid, accurate, timely and authorized. Example controls:
  - Quality assurance
  - Process monitoring
  - Adherence to principle
- Privacy - personal information is collected, used, retained, disclosed and disposed of according to policy. Privacy applies only to personal information. Example controls:
  - Access control
  - Multi-factor authentication
  - Encryption
Reporting
Levels
There are two levels of SOC reports, which are also specified by SSAE 18:[1]
- Type I, which describes a service organization's system and whether the design of the specified controls, as of a specified date, meets the relevant trust services criteria. (Are the controls, as designed and documented, likely to accomplish the objectives defined in the report?)
- Type II, which additionally addresses the operating effectiveness of the specified controls over a period of time (typically six to twelve months), based on evidence sampled from that period. (Did the controls actually operate as designed throughout the period?)
Types
There are three types of SOC reports.[5]
- SOC 1 – Internal Control over Financial Reporting (ICFR)[6]
- SOC 2 – Trust Services Criteria[7][8]
- SOC 3 – Trust Services Criteria for General Use Report[9]
Additionally, there are specialized SOC reports for Cybersecurity and Supply Chain.[10]
SOC 1 and SOC 2 reports are intended for a limited audience – specifically, users with an adequate understanding of the system in question. SOC 3 reports contain less specific information and can be distributed to the general public.
Audits
A SOC 2 examination is an attestation engagement and must be performed, and the report issued, by a licensed CPA firm. The firm may use IT specialists who are not CPAs to carry out technical testing, but the CPA firm remains responsible for the opinion; the AICPA itself does not license audit firms.
The SOC 2 examination produces a detailed report on the organization's internal controls against the trust services categories in scope (security is always included; availability, processing integrity, confidentiality and privacy are included only when relevant to the service). The report shows how well the organization safeguards customer data and gives assurance that the organization provides its services in a secure and reliable way. SOC 2 reports are restricted-use reports and are therefore intended to be made available only to customers and other stakeholders with sufficient knowledge of the system; a SOC 3 report is the general-use alternative.[11]
References
- ^ "SOC 2 Compliance". imperva.com. Imperva. Retrieved 25 February 2020.
- ^ "Learn the Basics of SOC 2 Compliance". Management System GRC Compliance Tool. 2023-01-04. Retrieved 2023-07-26.
- ^ "Basics of SOC 2 Compliance". Management System GRC Compliance Tool. 2023-01-04. Retrieved 2023-07-26.
- ^ "SOC 2 Compliance". Under Controls.
- ^ "System and Organization Controls: SOC Suite of Services". AICPA. Retrieved 2020-03-06.
- ^ "SOC 1 – SOC for Service Organizations: ICFR". AICPA. Retrieved 2020-03-06.
- ^ "SOC 2 – SOC for Service Organizations: Trust Services Criteria". AICPA. Retrieved 2020-03-06.
- ^ "2018 SOC 2® Description Criteria (With Revised Implementation Guidance – 2022)". AICPA.org. Retrieved 2023-02-27.
- ^ "SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report". AICPA. Retrieved 2020-03-06.
- ^ "System and Organization Controls: SOC Suite of Services". AICPA. Retrieved 2023-02-22.
- ^ "Understanding SOC 2". Adaptive.live. Adaptive.