SOC 2 Type 2 Compliance Audit

Why is SOC 2 Type 2 Used?

One of the most important reports for third-party (vendor) data security and SOX compliance is the SOC 2 Type 2 audit.

Compliance and assurance are provided by the SOC 2 Type 2 attest report (also called an audit report by clients). A SOC 2 attestation is also known as a SOC 2 audit (by clients), SOC 2 engagement, SOC 2 examination, SOC 2 certification (by clients), and SOC 2 compliance.

SOC 2 compliance reports are part of AICPA's SSAE 18 attest standard, which is used for SOC 1, SOC 2, and SOC 3 reports. SOC reports have been known as SAS 3 since 1974 and as SAS 70 audit reports since 1992. In 2011, SOC 1 was brought under the SSAE 16 standard and SOC 2 under AT 101. Finally, in 2017 SSAE 16 and the other SSAE standards merged into one standard, SSAE 18, bringing all SOC 1, SOC 2, and SOC 3 reports under SSAE 18. This is the main difference between SSAE 16 and SSAE 18 as far as SOC compliance reports are concerned. AT-C section 205 provides guidance on “Examination Engagements”, and the AICPA Guide “SOC 2 Reporting on an Examination of Controls at a Service Organization” applies it to SOC 2.

SOC stands for System and Organizational Controls. The definition was changed in 2017 from the earlier “Service Organization Controls”, a name chosen because these compliance reports were mainly used for vendor (third-party) compliance audits, and those vendors were service organizations. The auditor who audits these service organizations is referred to as a Service Auditor or SOC Auditor.

What does SOC 2 Type 2 Mean?

A SOC 2 Type 2 compliance report provides information about the operating effectiveness of controls over a period of a minimum of 6 months and a maximum of 12 months, in contrast to certifications such as ISO/IEC 27001, which provide a certificate valid for 3 years. For periods not covered by the report, or periods immediately after it, some User Entities or User Auditors may insist on a SOC Bridge Letter.

A SOC 2 Type 2 compliance report is usually about 100 pages, depending on the controls reported on. The Type 2 report comprises all the applicable controls reported on by the SOC Auditor (Service Auditor). The SOC 2 Type 2 report now has 4 sections: Section I is the Auditor's Opinion, Section II is the Management Assertion, Section III is the Description Criteria or System Description, and Section IV is a detailed list of controls as per the applicable TSC 2017 along with the results of the auditor's tests of controls.

In comparison, ISO/IEC 27001 does not provide such a detailed list of the controls applicable to the entity. The SOA (Statement of Applicability) of controls and the details of the audit or of non-compliances (NC) in an ISO/IEC 27001 engagement stay between the auditor firm and the entity. These details are not shared with the entity's end-users, so those end-users or clients would not know exactly which controls have been implemented by the entity or whether they operated effectively.

What Does a SOC 2 Type 2 Report Comprise?

The SOC 2 Type II compliance report uses the Trust Services Criteria (TSC) to report on an entity's controls. Formerly they were known as the Trust Services Principles and Criteria (TSPC). The current version is TSC 2017, which is aligned with the COSO risk framework.

The TSP 100 section covers TSC 2017, which has 5 criteria, namely Security (or Common Criteria), Availability, Confidentiality, Processing Integrity, and Privacy. The Common Criteria alone have about 300 Points of Focus, each with multiple controls implemented by the entity.

A SOC 2 Type II compliance report can be issued only by a licensed CPA acting as the SOC Auditor, also known as the Service Auditor.

A SOC 2 Type II compliance report mirrors ISAE 3000, the International Standard on Assurance Engagements, which is popularly used in Europe. A licensed CPA such as Accedere can issue a joint SOC 2 and ISAE 3000 report.

To issue a SOC 2 compliance report for a public (listed) entity, the CPA Firm must be registered with the PCAOB.

To issue a SOC 2 Plus CSA STAR report covering CCM controls, the CPA firm must be registered with the Cloud Security Alliance.

The SOC 2 Type II compliance report can be qualified or unqualified.

What is SOC 3, and What are the Applications of a SOC 2 Report?

A SOC 3 report is an abridged SOC 2 report that can be shared with anyone or displayed on the organization's website. It is a shorter version of the SOC 2 report without Section IV. Unlike a SOC 3, a SOC 2 report can be shared only with knowledgeable parties, such as prospective clients, under an NDA or confidentiality agreement.

SOC 2 vs SOC 1: the major difference is the kind of data being processed or stored by the service organization. If it is financial data relevant to ICFR (Internal Controls over Financial Reporting), a SOC 1 is used. In all other cases, a SOC 2 is used.

SOC 2 compliance reports now have many flavors:

  • SOC 2 Type 2 Certification for Cloud Security, CSA STAR, using CSA’s CCM Framework
  • SOC 2 Type II Certification for Cloud Security using the C5 Cloud Standard
  • SOC 2 Type 2 Audit for Cyber Risk
  • SOC 2 Type 2 Audit for Privacy, used for any specific privacy mandate or based on the Trust Services Privacy Category, formerly covered under AICPA’s Generally Accepted Privacy Principles (GAPP)