To comply with the System and Organization Controls (SOC) 2 reporting requirements, auditors must evaluate whether controls at the service organization meet the applicable trust services criteria (TSC), which can relate to a broad range of systems. As defined by the American Institute of Certified Public Accountants (AICPA), the TSC include five categories.
TSC categories:
- Security (or common criteria) – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability – Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The AICPA requires the application of the TSC for every SOC 2 engagement. Since security is a common component of each of the five categories, a SOC 2 engagement must cover security as a minimum requirement. These security requirements are also referred to as the common criteria and are applicable to all SOC 2 examinations.
Organizations can exercise discretion regarding which of the remaining categories they apply. The application of availability, processing integrity, confidentiality, and privacy depends on:
- Organization’s industry sector
- Types of services it provides
- Customer contracts, service level agreements, and their stipulations
- Key stakeholder requirements
- Types of data that the service organization maintains or stores
- Criticality of operational tasks or processing activities
With certain exceptions, such as an engagement with a limited scope or the non-applicability of certain criteria, every criterion should be analyzed and included in the report. Regardless of the categories included within the scope of the examination, SOC 2 reports are restricted-use reports, meaning that only the organization, its customers, and certain other parties should use them.
SOC 2 reports can help organizations:
- Improve oversight
- Demonstrate a commitment to data protection and risk management
- Streamline compliance with additional regulations
- Establish and maintain security as a competitive advantage
Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit, and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc.