If your service organization needs a SOC 2 audit report, or has recognized the benefits of pursuing one, you probably already have a general understanding of the purpose the audit serves.
Quick refresher: a SOC 2 assesses a service organization’s control environment against the criteria for the relevant Trust Services categories, of which the Security category is required. The other four categories – Availability, Processing Integrity, Confidentiality, and Privacy – contain criteria that may or may not fit an organization’s services and the commitments it makes to its customers (user entities).
A SOC 2 Audit delivers four key benefits for you and your clients.
The AICPA has an abundance of resources on its website that provide more detail and insight on SOC2 Audits.
It is common for organizations to begin with just the Security category during their first SOC 2 audit period and then add other categories in future years as their control environment matures. The Security category includes 33 main criteria, while the other four categories have 28 additional criteria that can be added.
Understanding the applicability of the other four categories will assist service organizations in demonstrating a strong control environment to user entities. Depending on the nature of services provided to user entities, there will be an expectation of what is covered within the scope of a SOC 2 examination. Choosing the categories that have the strongest correlation to the service organization’s services will help meet those expectations.
Security
The Security category examines an organization’s systems to verify that stored data is protected, from both a physical and a logical perspective, against unauthorized access and unauthorized disclosure. Security refers to the protection of information throughout its collection, creation, use, processing, transmission, and storage. Systems that process, transmit or transfer, and store information should be included within the scope of the Security category evaluation. Because Security is the required, foundational category for every SOC 2 audit, several of its criteria relate directly to the other four categories.
Availability
The Availability category examines an organization’s ability to keep its systems and information available for operation and use. Availability controls typically cover system uptime, monitoring, and maintenance. If a service organization provides, or has customers requesting, a status page, uptime guarantees, or Service Level Agreements covering planned and unplanned downtime, the Availability category may be a good addition to its SOC 2 scope.
Confidentiality
The Confidentiality category examines an organization’s ability to protect confidential information from its initial collection through its disposal. It is important to understand the difference between “confidential information” and “private information”. Information is “confidential” if there is a requirement to limit its access, use, retention, or disclosure to defined parties. Information is “private” if it contains characteristics that identify an individual. Service organizations may consider the Confidentiality category if they are frequently required to sign non-disclosure agreements, receive requests to delete data upon termination of a contract, or store sensitive financial or research and development information within their product or service.
Processing Integrity
The Processing Integrity category examines an organization’s ability to process data in a complete, valid, accurate, timely, and authorized manner. It addresses whether the organization maintains data integrity throughout processing, with procedures to prevent and detect errors, delays, omissions, and unauthorized or accidental data manipulation. Service organizations whose product or service depends on data processing may consider the Processing Integrity category.
Privacy
The Privacy category assesses an organization’s ability to collect, use, retain, disclose, and dispose of personal information in accordance with its policies, commitments, and regulatory requirements. It examines the organization’s rules and practices around: notice and communication of objectives; choice and consent; collection; use, retention, and disposal; access; disclosure and notification; quality; and monitoring and enforcement. Service organizations that control or process personal information within their product or service may consider including the Privacy category in their SOC 2 audit.
Your service organization should evaluate the nature of its product or service and work with its auditors to determine the appropriate categories to include in current and future SOC 2 audits. Understanding the service commitments made to clients will help ensure that the categories within the scope of the SOC 2 audit meet the requirements of current and prospective clients.
If you are interested in undergoing a SOC 2 attestation by a licensed CPA firm, our Risk Advisory Services team can work with you. Our expert service auditors will conduct a Readiness Review of your organization's system and map your current security controls to the SOC 2 framework. We can recommend the appropriate type of report (Type I or Type II) and Trust Services Criteria based on your organization's unique needs.
For more information regarding Freed Maxick's services, please call 716.847.2651 or contact us here.