By Mark Hurst, CISA
A SOC 2 attestation reports on an organization’s controls over the systems it uses to deliver services, rather than on its financial reporting. It is performed in accordance with AT Section 101: Attest Engagements, and the report is generally best suited to financial services, health care and other technology-based entities that rely heavily on cloud computing and online systems for day-to-day operations.
A key element of SOC 2 reports is the inclusion of one or more trust service principles, based on a framework put forth by the American Institute of Certified Public Accountants (AICPA). These principles, one or more of which can be specified by the organization’s management team for use in a SOC 2 report, include:
- Security. This means that the system is protected against unauthorized access, use or modification, in accordance with the organization’s business commitments and system requirements.
- Availability. This means the system is available for operation and use as committed or agreed.
- Processing integrity. This means that system processing is complete, valid, accurate, timely and authorized.
- Confidentiality. This means information designated as confidential is protected as committed or agreed.
- Privacy. This means all personal information is collected, used, retained, disclosed and destroyed within the boundaries of the organization’s business commitments and system requirements.
Like its SOC 1 cousin, a SOC 2 report can be issued as Type 1 (management’s description of the organization’s system and the suitability of the design of its controls, as of a point in time) or Type 2 (management’s description of the organization’s system and the suitability of the design and operating effectiveness of its controls over a period of time). A Type 2 report in particular provides valuable third-party validation that the organization is meeting the criteria underlying the trust service principles it has selected. While an organization can share a SOC 2 report with key stakeholders – such as customers, regulators, suppliers and directors – it is a restricted-use report and is not intended for general distribution. It can serve to enhance confidence in management’s oversight of these systems and internal controls.
Last fall, AICPA updated its trust service principles and criteria, which contained a number of significant changes, primarily around eliminating redundant criteria and clarifying procedural language.
The new trust service principles and criteria took effect for reporting periods ending on or after December 15, 2016.
Republished with permission from Hein CPA. With nearly 30 years of experience in consulting on finance, technology, and organizational management, Mark Hurst specializes in assisting companies with implementation of internal controls.
See inside June 2017
June 2017 Firm Management Channel