
PCAOB

The United States Public Company Accounting Oversight Board (PCAOB) is a private-sector, non-profit corporation, created by the Sarbanes-Oxley Act of 2002, to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative,

AICPA
The AICPA (American Institute of Certified Public Accountants) is the professional body of certified public accountants that sets auditing and attestation standards to ensure consistency and accuracy in the accounting profession. It publishes the Trust Services Criteria against which SOC 2 examinations are performed.

SOC 2
SOC 2 (System and Organization Controls 2) is an AICPA attestation framework under which an independent CPA firm examines and reports on a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy.

Unlike other compliance frameworks, which prescribe the same set of controls for every company, SOC 2 does not dictate specific controls. The criteria are fixed, but each organization must design its own security controls, appropriate to its operating model, to meet the Trust Services Criteria in scope for its report.

Security. Broadly speaking, the security criterion requires that data and systems be protected against unauthorized access. To that end, you may need to implement some form of access control, e.g. using access control lists or an identity management system, and enforce multi-factor authentication.

You may also have to tighten your firewalls with stricter inbound and outbound rules, and introduce intrusion detection and incident recovery capabilities.

Confidentiality. Data qualifies as confidential if only a specific group of people should be able to access it. This may include application source code, usernames and passwords, credit card information, or business plans.

To adhere to this criterion, confidential data should be encrypted both at rest and in transit. Moreover, when granting access to confidential data, follow the principle of least privilege: grant only the minimum permissions that people need to do their jobs, and revoke them when the need ends.
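The security and confidentiality criteria above both come down to access control and least privilege. The following is an added example, not code from the original page or from the AICPA: a deny-by-default access control list evaluator in which an explicit deny always beats an allow, together with a simple least-privilege check that flags grants broader than a job-scoped permission. The policy format, the AclEntry fields, the function names and the SAMPLE_ACL entries are all constructed assumptions for illustration.

```python
"""Added example (not from the original page): a deny-by-default access
control list evaluator plus a least-privilege check over its grants.

The policy format, helper names and the sample entries below are all
assumptions constructed for illustration; they are not a SOC 2 artefact
or any vendor's API.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AclEntry:
    principal: str   # user or group name, e.g. "alice" or "group:billing"
    action: str      # e.g. "read", "write", or "*" for any action
    resource: str    # e.g. "db/cards/*"; glob-style wildcards are allowed
    effect: str      # "allow" or "deny"


def _matches(entry: AclEntry, principals: set[str], action: str, resource: str) -> bool:
    """An entry applies when its principal is one of the caller's identities
    (user or group) and its action/resource patterns match the request."""
    return (
        entry.principal in principals
        and fnmatchcase(action, entry.action)
        and fnmatchcase(resource, entry.resource)
    )


def is_allowed(acl: list[AclEntry], principals: set[str], action: str, resource: str) -> bool:
    """Deny by default: a request is permitted only if some entry allows it
    and no entry explicitly denies it. Explicit deny wins regardless of order."""
    allowed = False
    for entry in acl:
        if not _matches(entry, principals, action, resource):
            continue
        if entry.effect == "deny":
            return False
        allowed = True
    return allowed


def least_privilege_findings(acl: list[AclEntry]) -> list[str]:
    """Flag allow entries that are broader than a job-scoped grant:
    wildcard actions, wildcard resources, or both."""
    findings = []
    for e in acl:
        if e.effect != "allow":
            continue
        if e.action == "*" and e.resource == "*":
            findings.append(f"{e.principal}: unrestricted access (action=* resource=*)")
        elif e.action == "*":
            findings.append(f"{e.principal}: all actions on {e.resource}")
        elif e.resource == "*":
            findings.append(f"{e.principal}: '{e.action}' on every resource")
    return findings


# Constructed sample policy (assumption, for illustration only).
SAMPLE_ACL = [
    AclEntry("group:support", "read", "db/customers/*", "allow"),
    AclEntry("group:support", "read", "db/customers/card_numbers", "deny"),
    AclEntry("group:billing", "*", "db/cards/*", "allow"),
    AclEntry("ops-bot", "*", "*", "allow"),
]


def evaluate_samples() -> dict[str, bool]:
    """Run a few representative requests against SAMPLE_ACL."""
    support = {"alice", "group:support"}
    return {
        "support reads customer name": is_allowed(SAMPLE_ACL, support, "read", "db/customers/name"),
        "support reads card numbers": is_allowed(SAMPLE_ACL, support, "read", "db/customers/card_numbers"),
        "support writes customer name": is_allowed(SAMPLE_ACL, support, "write", "db/customers/name"),
        "unknown principal reads": is_allowed(SAMPLE_ACL, {"mallory"}, "read", "db/customers/name"),
    }


if __name__ == "__main__":
    for req, ok in evaluate_samples().items():
        print(f"{req}: {'ALLOW' if ok else 'DENY'}")
    for finding in least_privilege_findings(SAMPLE_ACL):
        print("least-privilege finding:", finding)
```

Running the block prints the decision for each sample request (only the support group's read of an ordinary customer field is allowed; the card-number read is blocked by the explicit deny even though a broader allow exists) and two least-privilege findings: the billing group's wildcard action and the bot's unrestricted grant. In practice the findings function would be run over exported IAM policies or database grants as part of a periodic access review.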

Availability. Systems should meet the availability commitments made to customers (for example, uptime SLAs). This requires building fault-tolerant systems that do not collapse under high load, investing in network and system monitoring, and having disaster recovery plans in place.

Privacy. The collection, storage, processing, and disclosure of any personally identifiable information (PII) must adhere to the organization's data usage and privacy policy, along with the conditions defined by the AICPA in the Generally Accepted Privacy Principles (GAPP).

PII is any information that can be used, alone or in combination, to identify an individual, e.g. name, date of birth, phone number, credit card information, or social security number. An organization must enforce rigorous controls to protect PII from unauthorized access.

Processing integrity. System processing must be complete, valid, accurate, timely, and authorized: systems must function as designed, without unauthorized or erroneous processing. Quality assurance, input validation, and performance and error monitoring are crucial to adherence to this criterion.

What are the 5 Trust Services Criteria?

The Trust Services Criteria are five categories that organize the SOC 2 controls:

- (CC) Security, also known as the common criteria: controls that protect information and systems against unauthorized access, unauthorized disclosure, and damage that could compromise the other criteria. Security is the only category required in every SOC 2 report.
- (A) Availability: controls that ensure information and systems are available for operation and use when needed for business use.
- (C) Confidentiality: controls that protect information designated as confidential, as agreed with the organization's customers.
- (PI) Processing integrity: controls that ensure system processing is complete, valid, accurate, timely, and authorized.
- (P) Privacy: controls that govern the collection, use, retention, disclosure, and disposal of personal information.

Sections of a SOC 2 report:

When you receive your SOC 2 report, it will be broken into five sections:

- Management Assertion: management's written attestation that the system description is fairly presented and that the organization has implemented controls suitable to meet the applicable SOC 2 criteria.
- Independent Service Auditor's Report: the auditor's determination of whether your organization meets the SOC 2 criteria (an "unqualified opinion") or whether controls fell short of them (a "qualified opinion", or worse; see the opinion types under Section 2 below).
- System Description: a description, prepared by your team, of your organization's infrastructure, operations, and the components of the system that delivers the service.
- Applicable Trust Services Criteria and Related Controls, Tests of Controls, and Results of Tests: a table listing every SOC 2 control relevant to your organization, how you have satisfied each criterion, and (in a Type 2 report) how the auditor tested it and what they found.
- Other Information Provided by Management: additional evidence and documents supporting the report, including management's response to any exceptions.

Sections of SOC 2 Report

The SOC 2 report is a rich source of information about the audited entity. It includes (but is not limited to) general information on the audited organization, the auditor's opinion on the organization's controls, and a description of the tests performed. Where the auditor noted exceptions, the report also carries management's response to them.

Here is a rundown of each section and what it contains:

Section 1: Management Assertion

This section provides the assertions, statements and facts given by the audited organization about the system(s) under audit. It is written by the organization and is, in effect, management acknowledging that the information provided is accurate and relevant. The section summarises the organization's services, products, structures, systems and controls, but does not contain technical details.

Here is a gist of what this section contains:

1. Types of services provided
2. Components of the system: infrastructure, software, people, procedures and data
3. Aspects of the system
4. How the system captures and addresses significant events and conditions
5. Processes used to prepare and deliver reports
6. Any applicable Trust Services Criteria that are not met by controls, with reasons why

Section 2: Independent Service Auditor's Report

This section is much like a university grade card: it carries the auditor's conclusion on your compliance and shows whether or not you passed the assessment. It is, therefore, one of the most read and important sections of the report.

Here the auditor gives their opinion on whether the system description is fairly presented and whether the controls were suitably designed (and, for a Type 2 report, operated effectively) to meet the applicable Trust Services Criteria. The section also describes the scope of the audit, the organization's responsibilities, the auditor's responsibilities, and the inherent limitations of the assessment, such as human error and circumvention of controls.

Here are the four types of auditor opinion and what they mean:

- Unqualified: you pass with flying colours.

The auditor found no material exceptions. Every control tested was suitably designed (Type 1 and Type 2 reports) and operated effectively over the review period (Type 2 reports).

- Qualified: close, but not quite.

The auditor has reservations because some controls were not suitably designed or did not operate effectively. How bad a qualified opinion is depends on which controls failed and how those failures affect the users of the report.

- Adverse: you failed.

An adverse opinion indicates that the organization materially failed one or more of the criteria and that its system and controls cannot be relied on.

- Disclaimer of opinion: no comment.

This is technically not an opinion. It means the auditor could not obtain enough evidence to form one, typically because they did not have access to the information they needed or could not complete the engagement independently.

Note that this section gives the overall status of the assessment alone; you won't find details beyond that here.

[Figure: excerpt of a SOC 2 audit report showing the auditor's opinion. Source: AICPA's Illustrative Type 2 SOC 2 Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)]

Section 3: System Description

If the management assertion is a brief overview of the organization's system, this section is the detailed deep dive. It is a must-read section and covers the system(s), scope and requirements, components, controls, subservice organizations and other system information.

It includes details of the human resources, roles and responsibilities, and lists the system components and controls grouped under the relevant common criteria.

This section gives a detailed account of the control environment, control activities (policies and procedures), the information and communication system, monitoring (assessing the quality of internal control performance, for example through penetration testing and vulnerability scans), and risk assessment (the organization's assessment of relevant risks and how it manages them).

Some of the items in the system description are:

Overview of services provided: a brief overview of the services offered by the organization. Your customers will read this to confirm that the services they buy from you are covered by the compliance scope. Service commitments and system requirements are also stated here.

System components: technical details such as where the organization (or its application) is hosted, the tools used, and how access is controlled. For instance, if your business is hosted in AWS, you will need to describe the AWS environment here. It contains a detailed description of your infrastructure, software, people, procedures and data.

Control activities: a detailed description of the organization's control activities. From how the organization onboards new employees to how it keeps data secure through database protection, encryption and access control, this is the go-to section for how the organization has designed its controls.

Not applicable Trust Services Criteria: if any specific criteria did not apply to the organization, they are described here, with the reasons.

Section 4: Applicable Trust Services Criteria and Related Controls, Tests of Controls, and Results of Tests

This section details all the tests performed during the audit and their results, and is therefore a critical section of the report: it provides the evidence that explains the auditor's opinion given in Section 2.

The section is presented as a table with the following columns:

- Control criteria
- Control number
- Control description, provided by the organization
- Test description, provided by the auditor
- Test results

[Figure: excerpt of the controls, tests and results table. Source: AICPA's Illustrative Type 2 SOC 2 Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)]

Difference between SOC 2 Type 1 and SOC 2 Type 2 Report

While the first three sections of the report are the same for SOC 2 Type 1 and Type 2 reports, this section differs significantly.

In a Type 1 report, this section lists the controls examined and the auditor's conclusion on their design. It does not include tests of operating effectiveness or their results, because a Type 1 examination assesses only whether the controls were suitably designed and implemented as of a single point in time.

In a Type 2 report, you will find the list of controls, the auditor's tests and the test results for each listed control, because a Type 2 examination covers both design and operating effectiveness over a review period. This section of a Type 2 report also records any exceptions or deviations noted by the auditor.

Source: AICPA's Information for Service Organization Management report.

Section 5: Other Information Provided by Management

This section is optional and details management's response to any deviations or exceptions highlighted by the auditor in Section 4, giving more context and information about the exceptions. For instance, if one of the exceptions noted by the auditor was that some new hires did not undergo background verification, management can acknowledge it here, explain why it happened, and propose ways to ensure such misses do not recur.

This section also contains information on the organization's future plans that may have a bearing on its control environment and system(s).

A SOC 2 Type 2 attestation is performed under:

- SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).
- SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA Guide).
- TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria).

Evaluating SOC 2 Security Controls

Security refers to the protection of:

1. Information during its collection, creation, use, processing, transmission, and storage.
2. Systems that store, process, or transmit data relevant to the services provided by the organization.

The following are the Security common criteria (CC1 to CC5) and the COSO principles they correspond to.

CC1: Control Environment (COSO Principles 1-5)
Covers the service organization's commitment to integrity and ethical values, the independence and oversight of the board, management's establishment of structures and reporting lines, and the hiring, retention and ongoing evaluation of competent employees who are held accountable for their control responsibilities.

CC2: Communication and Information (COSO Principles 13-15)
Covers the use of relevant, quality information to support internal control and the communication of that information to internal personnel and to external parties such as clients of the service organization.

CC3: Risk Assessment (COSO Principles 6-9)
Demonstrates that the service organization identifies and analyses risks that could affect its objectives, including fraud risk and the impact of significant changes, and puts plans in place to mitigate them. Risk assessments can be performed internally or by external parties for an independent perspective on the organization's risk posture; a good risk assessment also includes a gap analysis and recommendations to reduce risk.

CC4: Monitoring Activities (COSO Principles 16-17)
Covers the ongoing and separate evaluations of the system at the service organization and the communication of control deficiencies to the personnel responsible for corrective action, including senior management and the board.

CC5: Control Activities (COSO Principles 10-12)
Covers whether the service organization has selected and developed control activities, including general controls over technology, that mitigate risk to acceptable levels, and whether it deploys them through documented policies and procedures.

The remaining common criteria, CC6 to CC9 (logical and physical access controls, system operations, change management, and risk mitigation), are supplemental criteria specific to the Trust Services Criteria and do not map to COSO principles.
