SOC reporting explained

Link to the full article https://www.bsigroup.com/blog-soc-reporting?

 "SOC report questions are coming up in the official ISC2 CISSP and CCSP exams but the topic is not adequately explained in most preparation material, leading to a lot of confusion."

BSI trainer and consultant Tom Brett, who has been training in the area of information security for over 20 years, offers his expert insight into what exactly you need to know when it comes to questions around SOC reporting.

What is a SOC report?

SOC (Service Organization Controls) reports are independent internal-control reports based on a set of attestation standards developed by the American Institute of Certified Public Accountants (AICPA) for service organizations. (In 2017 the AICPA renamed the suite "System and Organization Controls"; the abbreviation and the report names SOC 1, SOC 2 and SOC 3 did not change, so both expansions are still in use.)

Why would you request a SOC report?

  • Over the last few decades, more and more organizations have moved essential services to third-party providers, driving the growth of cloud computing and similar outsourced services: computing, backups, data storage, bill processing and payroll services, to name but a few
  • Outsourcing exposes an organization to its vendors' risks and makes effective vendor due diligence more important. In the past, organizations relied on questionnaires and contractual clauses, but these have proved insufficient for critical vendors, which created the need for an independent audit and report: the Service Organization Controls report. A SOC report lets the service organization have its controls examined once and share the result with many customers, and lets each customer give its own internal and external stakeholders trust and transparency about the outsourced service

History of SOC reporting

Statement on Auditing Standards number 70 (SAS70)

  • 1992 - The AICPA issued SAS 70, which gave service organizations the option of delivering a SAS 70 report: an independent auditor's opinion on the controls they used, originally intended to support the financial statement audits of their customers
  • Over the following years the purpose of SAS 70 stayed the same, but the organizations using it changed (infrastructure management, cloud computing, software as a service and so on), and the report was increasingly used to give assurance over security and operational controls it had not been designed to cover

Statement on Standards for Attestation Engagements number 16 (SSAE16)

  • 2011 - To address these changes, SSAE 16 (Statement on Standards for Attestation Engagements number 16) was issued, becoming effective in June 2011. SSAE 16 was itself superseded by SSAE 18 in May 2017, so a current SOC 1 report cites SSAE 18 (AT-C section 320) rather than SSAE 16; exam material and older vendor reports still refer to SSAE 16

Sarbanes-Oxley (SOX)

  • 2002 - Public companies in the US fall under the 'Public Company Accounting Reform and Investor Protection Act', more commonly known as 'Sarbanes-Oxley' or SOX, which requires them to meet a number of standards. Section 404 requires management to assess, and the external auditor to attest to, the effectiveness of internal control over financial reporting. Where a public company outsources part of that processing, an SSAE 16 (now SSAE 18) SOC 1 report from the service organization is how the company and its auditor obtain assurance over the outsourced controls

Technology Services

  • For reports which are not specifically focused on financial reporting, for example technology companies such as SaaS providers, the American Institute of Certified Public Accountants (AICPA) issued an interpretation under AT section 101 permitting service auditors to issue SOC 2 reports. These focus on the controls relevant to the security, availability, processing integrity, confidentiality and privacy of the systems used to deliver the service, rather than on the customer's financial reporting

SOC Report Standards

There are three kinds of SOC report, each answering a different question for a different audience:

SOC1

SOC 1, also known as an SSAE No. 16 report (Reporting on Controls at a Service Organization; now issued under SSAE 18), is designed for service organizations that process financial transactions on behalf of their customers. It is used to validate the controls covering the completeness and accuracy of those transactions and of the customer's financial statement reporting. The service organization specifies its own control objectives and the control activities that meet them, so two SOC 1 reports from different vendors are not directly comparable in the way two SOC 2 reports are


Components of a SOC 1 report

  • Auditor's opinion
  • Management's description of the system and its controls
  • Control objectives and the controls that address them (a Type 2 report also includes the auditor's tests of those controls and the results)

Subject matter

  • Controls at a service organization relevant to user entities' internal control over financial reporting (ICFR)

Audience of the report

  • Auditors of the user entity’s financial statements, management of the user entities and management of the service organization

SOC 2

SOC 2 (an attestation engagement, not a certification: the auditor issues an opinion, nobody "certifies" the vendor) is designed to examine and report on the vendor's controls against the five "trust services principles" established by the AICPA, now called the Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy of the systems and of the data they store and process. Service organizations are measured against a standardised set of criteria for each category included in the report, which is what makes SOC 2 reports comparable between vendors. Security (the "common criteria") is the only category that must be included; the other four are added at the service organization's choice, so always check which categories a given report actually covers. SOC 2 is the relevant report for service organizations that process or store customer data without affecting their customers' financial reporting (SaaS, cloud and hosting providers and the like)

Components of a SOC2 report

  • Auditor's opinion
  • Management's assertion and description of the system and its controls
  • Applicable trust services categories, the controls that address their criteria and (in a Type 2 report) the auditor's tests and results, including any exceptions found

Subject matter

  • Controls at a service organization relevant to the “trust services principles”: security, availability, processing integrity, confidentiality or privacy

Audience of the report

  • A restricted-use report: intended for management of the service organization, its customers (user entities) and their auditors, and other parties with sufficient knowledge of the system. Customers and prospects usually receive it under NDA; it is not public information

SOC 3

SOC 3 covers the same trust services categories as a SOC 2 report (security, availability, processing integrity, confidentiality and privacy), but it is intended for public distribution, so it omits the detailed system description and the auditor's test results. The vendor must go through a SOC 2 examination to obtain a SOC 3 report; the SOC 3 is the general-use summary of that examination

Components of a SOC 3 report

  • The report includes only the auditor’s opinion and limited description of controls

Subject matter

  • Controls at a service organization relevant to the “trust services principles”: security, availability, processing integrity, confidentiality or privacy

Audience of the report

  • Anyone. It is commonly used as a marketing tool for the general public, and a vendor will often publish its SOC 3 report on its website. It covers the same categories and carries the same auditor's opinion as the underlying SOC 2, but with far less detail: no control-by-control description and no test results, so it is not sufficient on its own for due diligence on a critical vendor

Report Types

Each report can also be produced in two types as follows:

  • Type 1 reports cover the design of the controls as of a specified date (a snapshot of the organization's control landscape); they say nothing about whether the controls actually operated
  • Type 2 reports add a historical context: they validate the operating effectiveness of the controls over a review period, typically six to twelve months, and list the auditor's tests and any exceptions. For vendor due diligence a Type 2 is what you want; check the period covered (and ask for a bridge letter if the period has lapsed), the categories in scope, the exceptions noted, and the complementary user entity controls the report expects you to operate on your own side

Exam tips

For those who are preparing to sit a CISSP exam, you should know what each of the SOC reports is, the differences between the three report kinds (SOC 1, 2 and 3), the difference between Type 1 and Type 2, and the intended audience of each report

Example Questions (TEST YOUR KNOWLEDGE and see answers at the end)

1. Which of the following SOC report types is based on a single point in time?

  A. Type 1
  B. Type 2
  C. Type 3
  D. Type 4

2. A service organization provides accounting services. Which of the following reports would be best to provide trust and assurance in the quality of its services?

  A. SOC 1
  B. SOC 2
  C. SOC 3
  D. SOC 4

3. Which of the following reports has the general public as its intended audience?

  A. SOC 1
  B. SOC 2
  C. SOC 3
  D. SOC 1 and SOC 2

4. Which of the following SOC reports would be produced for the management of a company that processes and stores customer data?

  A. SOC 1
  B. SOC 2
  C. SOC 3
  D. None of the above

5. An organization is preparing to migrate its data to an IaaS provider. As part of its third-party due diligence, it wants to understand the effectiveness of the provider's security, availability and integrity controls. Which SOC report would provide the most detail?

  A. SOC 1
  B. SOC 2
  C. SOC 3
  D. None of the above

Answers

1A, 2A, 3C, 4B, 5B

-

BSI’s expert trainers are recognized as experts in their field, offering a world-class learning experience that our delegates rate as first-class.

BSI provide both classroom and in-house training courses including CISSP and CCSP across the area of information security and data protection and privacy.

Visit our training webpage to find out more

 

 

 

Ralph Kachur

Malware Secure Computers

4 years ago

WHAT IF: someone were to make a MAJOR CYBER SECURITY DISCOVERY and nobody believed it possible. Cyber Scientists say they are open to new discoveries but closed-minded to what is thought to be impossible, for their decision was based on 0% knowledge of this discovery. I need help. www.roati.com/whatif . If you do what you have always done, you will get what you always got.
