Professional Documents
Culture Documents
SOC2 Compliance Handbook 2017
SOC2 Compliance Handbook 2017
SOC2 Compliance Handbook 2017
KirkpatrickPrice
Innovation. Integrity. Delivered.
16057 W. Tampa Palms Blvd. | #134 | Tampa, FL 33647 | kirkpatrickprice.com | 800.770.2701
The SOC 2 Compliance Handbook Page | 2
Table of Contents
Abstract _________________________________________________________________________________ 3
Why am I being asked about SOC Compliance?________________________________________________ 4
What’s the difference between a SOC 1 and SOC 2?____________________________________________ 5
SOC 1 Audits ____________________________________________________________________________ 5
SOC 2 Audits ____________________________________________________________________________ 5
History of the SOC 2 _______________________________________________________________________ 5
Understanding the Trust Services Principles ____________________________________________________ 6
Type I vs. Type II ___________________________________________________________________________ 7
Who can issue a SOC 2 audit report? _________________________________________________________ 8
Why should I get a SOC 2 audit? _____________________________________________________________ 8
KirkpatrickPrice
Innovation. Integrity. Delivered.
16057 W. Tampa Palms Blvd. | #134 | Tampa, FL 33647 | kirkpatrickprice.com | 800.770.2701
The SOC 2 Compliance Handbook Page | 3
Abstract
KirkpatrickPrice
Innovation. Integrity. Delivered.
16057 W. Tampa Palms Blvd. | #134 | Tampa, FL 33647 | kirkpatrickprice.com | 800.770.2701
The SOC 2 Compliance Handbook Page | 4
KirkpatrickPrice
Innovation. Integrity. Delivered.
16057 W. Tampa Palms Blvd. | #134 | Tampa, FL 33647 | kirkpatrickprice.com | 800.770.2701
The SOC 2 Compliance Handbook Page | 5
SOC 2 Audits
A Service Organization Control 2 report, or SOC 2,
is similar to a SOC 1 in that it evaluates internal
controls, policies, and procedures. However, the
difference is that a SOC 2 reports on controls that
are directly related to the security, availability, pro-
cessing integrity, confidentiality, and privacy. These
five criteria are also referred to as the Trust Services
Principles, or TSP’s.
KirkpatrickPrice
Innovation. Integrity. Delivered.
16057 W. Tampa Palms Blvd. | #134 | Tampa, FL 33647 | kirkpatrickprice.com | 800.770.2701
The SOC 2 Compliance Handbook Page | 6
Processing Integrity
If the services you provide are financial services or
Security e-commerce services and you are concerned with
In a non-privacy SOC 2 engagement, the Security transactional integrity, include Processing Integrity in
principle must be included. Security is the common your SOC 2 report. The Processing Integrity principle
criteria that applies to all engagements, and is what attests that the services you provide to our clients
the remaining Trust Services Principles are based are provided in a complete, accurate, authorized,
on. The Security principle addresses whether a and timely manner.
system is protected (both physically and logically)
against unauthorized access.
KirkpatrickPrice
Innovation. Integrity. Delivered.
16057 W. Tampa Palms Blvd. | #134 | Tampa, FL 33647 | kirkpatrickprice.com | 800.770.2701
The SOC 2 Compliance Handbook Page | 7
Confidentiality Privacy
If your organization is responsible for handling The Privacy principle stands on its own and specifi-
sensitive data, such as Personally Identifiable Infor- cally addresses how you collect and use consum-
mation (PII) or Protected Health Information (PHI), the ers’ personal information. It ensures that your organi-
Confidentiality principle should be present in your zation is handling client data in accordance with any
SOC 2 audit report. The Confidentiality principle commitments in the entity’s privacy notice as com-
addresses the agreements that you have in place mitted or agreed, and with criteria defined in the
with your clients in regards to how you use their generally accepted privacy principles issued by the
information, who has access to it, and how you AICPA.
protect that information. It verifies whether you are
following your contractual obligations by properly
protecting client information.
KirkpatrickPrice
Innovation. Integrity. Delivered.
16057 W. Tampa Palms Blvd. | #134 | Tampa, FL 33647 | kirkpatrickprice.com | 800.770.2701
The SOC 2 Compliance Handbook Page | 8
There are similarities and differences between a processes at a service organization. A SOC 2 Type I
SOC 2 Type I and a SOC 2 Type II. Most organiza- report is an attestation of controls at a service
tions eventually undergo a SOC 2 Type II audit, organization at a specific point in time. A SOC 2
however, it is often recommended that service Type II report is an attestation of controls at a service
organizations begin with a SOC 2 Type I as a good organization over a minimum six-month period and
starting point and then move to a SOC 2 Type II. reports on the “suitability of the design and operating
effectiveness of controls” whereas with a SOC 2
A SOC 1 Type I and Type II are both service organi- Type I, there is no testing.
zation control reports, reporting on the controls and
KirkpatrickPrice
Innovation. Integrity. Delivered.
16057 W. Tampa Palms Blvd. | #134 | Tampa, FL 33647 | kirkpatrickprice.com | 800.770.2701
The SOC 2 Compliance Handbook Page | 9
Who can issue a SOC 2 audit report? Why should I get a SOC 2 audit?
A SOC audit can only be performed by an indepen- Many organizations are required to undergo a
dent Certified Public Accountant (CPA). CPAs must third-party audit. If this is the case, you should have
adhere to the specific standards that have been a SOC 2 audit performed. By being able to produce
established by the American Institute of Public a SOC report, you may be a better contender for
Accountants (AICPA) and have the technical exper- RFP’s. Having a SOC 2 audit report can give you a
tise to perform such engagements. This third-party competitive advantage by demonstrating to your
opinion verifies the suitability of the design and clients, and prospective clients, that you are dedica-
operating effectiveness of the service organization’s tion to security and delivering high-quality services.
controls to meet the criteria for the selected Lastly, knowing that your internal controls are validat-
principles. ed and operating effectively can give you the peace
of mind you need to be confident in your security
posture.
SOC2
Service Org.
Control
Report
KirkpatrickPrice
Innovation. Integrity. Delivered.
16057 W. Tampa Palms Blvd. | #134 | Tampa, FL 33647 | kirkpatrickprice.com | 800.770.2701