Professional Documents
Culture Documents
Soc 1 & 2 Audits Explained
Soc 1 & 2 Audits Explained
Soc 1 & 2 Audits Explained
UNDERSTANDING
SOC 1 & 2
Get a SOC 1 Audit Get a SOC 2 Audit
TABLE OF CONTENTS
Five Types of Testing Methods Used SOC Qualified Opinions & What they
During Audit Procedures Mean for Your Organization
When Do You Use the Different Audit Testing Procedures? Four Types of Audit Opinions
What Does the AICPA Say About Using the Available How to Evaluate a Modified Report Opinion Related
Audit Techniques? to Your Service Organization
What is an Integrated Audit? Assessing Similarities Between Type I & Type II SOC Reports
Internal Controls Differences Between Type I & Type II SOC Reports
Planning the Audit When Should You Obtain a Type I vs Type II SOC Report?
Using a SOC report in an Integrated Audit
Audit Sampling in SOC Examinations
Subservice Organizations: Carve-out What are the Different Types of Audit Sampling Methods?
Audit vs. Inclusive Audit Methods
Statistical vs. Non-statistical Sampling
Why be Concerned with Your Subservice Organizations?
How to Determine the Best Method for You? Testing & Audit Exceptions
No Separation of Duties
First time SOC 2 Audit: What to Expect
What are the Different Types of Testing Methods Used During Audit Procedures?
There are five main methods to walkthrough and test each control in place at the service organization.
These methods include (listed in order of complexity from lowest to highest): inquiry, observation,
examination or inspection of evidence, re-performance, and computer assisted audit technique (CAAT).
Inquiry: Simply, the auditor asks appropriate management and staff about the controls in place at the
service organization to determine some relevant information. This method is often used in conjunction
with other, more reliable methods. For example, an auditor may inquire of management if visitors to the }
data center are escorted at all times if the auditor is not able to observe this activity while on site. No control
objective or criteria should ever be supported by controls only tested through inquiry procedures.
Observation: Activities and operations are tested using observation. This method is useful when there is
no documentation of the operation of a control, such as observing that a security camera is in place or
observing that a fire suppression system is installed.
Re-performance: This method is used when the other three above methods combined fail to provide sufficient
assurance that a control is operating effectively or this method can be used to prove and automated controls
it operating effectively. This method of testing (as well as a CAAT) is the strongest type of testing to show
the operating effectiveness of a control. Re-performance requires the auditor to manually execute the control,
such as re-performing a calculation that a system automatically calculates.
CAAT: This method can be used to analyze large volumes of data, or just be able to analyze every transaction
rather than just a sample of all transactions. Software is generally used to perform a CAAT, which can range
from using a spreadsheet to using specialized databases or software designed specifically for data analytics
(e.g. ACL).
If, during testing, the auditor encounters an error in a test of controls, they will expand the sample size and
conduct further testing, or perform additional tests. Additional types of testing procedures may be required or
useful. If additional errors are found, the auditor will consider whether there is a systematic controls problem
that renders the controls ineffective, or if the errors appear to be isolated instances that do not reflect upon
the overall effectiveness of the control in question.
Statement on Standards for Attestation Engagements (SSAE) No. 18 (Clarification and Recodification) is the
standard governing SOC engagements (AT-C Section 320 for SOC 1 engagements and AT-C Sections 105
and 205 for SOC 2 engagements). Within AT-C Section 320 (Reporting on an Examination of Controls at a
Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting) the following is
specifically stated about testing methods (bold italics were added to emphasize the key points):
“.26 The service auditor should determine through inquiries made in combination with other procedures
whether the service organization’s system has been implemented.” The AICPA is saying that inquiry alone
should not be used. The standard then provides additional information on the types of audit procedures.
“.31 When designing and performing tests of controls, the service auditor should
Additionally, specifically within the SOC 1 guide put out by the AICPA, the below paragraph regarding testing
is included (bold italics were added to emphasize the key points):
“4.90 Inquiry alone does not provide sufficient appropriate evidence of the operating effectiveness
of controls. Some tests of controls provide more convincing evidence of the operating effectiveness of
controls than others.” The guide then talks about the combination of testing procedures that provide more
convincing evidence than inquiry alone and provides examples of combinations of tests.
Summary
At Linford & Company, we ensure that the audit testing procedures meet the type of controls to confirm
design and operating effectiveness, in addition to complying with guidance set forth by the AICPA.
• Manual Controls
• IT Dependent Manual Controls
• Application Controls
• IT General Controls
These four control types are the ones service organizations and their auditors should concern themselves
with since they are pervasive (or at least should be) in the processes that support the systems and services
provided by service organizations to their user organizations (i.e., clients and customers).
Manual Controls
Manual controls are performed by individuals outside of a system.
Examples of manual controls could be a supervisor review and sign-off of a document, or bank
reconciliation, or having an employee sign a privacy policy acknowledgement. Another example of a manual
control could be the manual application (or matching) of cash received in an organization’s lockbox bank
account against a client’s open accounts receivable (A/R) balance. In many organizations, these controls are
done manually, hence the term manual controls.
For example, a system-generated report lists users that have not accessed (e.g., logged into a system) a
particular system within the past 90 days. The internal control may require an administrator to review such
report and disable certain users as a result.
The IT dependent portion of this control is the system generated report. The manual portion of this control is
the administrator review of the report and disabling certain users as a result.
For example, Google G-Suite and Microsoft’s Office 365 can be configured to require two-factor
authentication (e.g., 2FA, MFA) in order for users to login and access system resources and data. Enabling
2FA helps prevent unauthorized users from logging in to the system.
Another example, if the system is configured to lockout a user that enters an incorrect password after three
attempts, it has an application control that detects problems possibly associated with unauthorized access
attempts.
A third example, could be that the system is configured to automatically download and apply security
patches or updates to software (this would have likely helped prevent the Equifax hack (Google search
Equifax).
IT General Controls
This type of control is usually the focal point of most SOC audits. IT general controls are comprised of logical
access, change management, and physical security.
For example, user access administration controls are used so that the right people have the right access
to system resources (i.e., right people & right access). These processes and the controls supporting these
processes are IT general controls.
Another example could be the organization’s change management process tracks and documents that
changes are authorized, tested, approved, and implemented into production. Moreover, all these changes
happen in an environment where there is proper segregation of duties.
Summary
If the controls in the SOC audit report do not seem to fall into one of these four areas, it could be that
a process is being described rather than a control.
Linford & Company service auditors work carefully with the service organizations to make sure that
descriptions of the controls are accurate and support the achievement of the control objectives in a
SOC 1 (f. SSAE 16) audit examination or Trust Services Criteria (TSC) for a SOC 2 audit examination.
It’s also important to note that these definitions and descriptions work equally well for an audit of internal
control in a financial statement audit or internal audits.
Well, the authoritative source for a SOC 1 audit is the American Institute of Certified Public Accountants’
(AICPA) Statement on Standards for Attestation Engagements number 18 (SSAE 18). The AICPA’s control
objective definition provided in SSAE 18 is “the aim or purpose of specified controls at the service
organization. Control objectives address the risks that controls are intended to mitigate.”
As a SOC 1 examination has the added focus on a service organization’s services that may affect a user
entity’s internal control over financial reporting, one could modify the AICPA’s definition slightly and say that
a control objective is the purpose for a set of controls at a service organization to address risks to a user
entity’s internal control over financial reporting.
Control objectives need to be individually tailored to the activities performed by the service organization.
Additionally, a service organization should strive to have a complete set of control objectives within the
scope of the SOC 1 engagement. Meaning that the control objectives should address all of the major aspects
of the services that may be relevant to user auditors.
Companies providing different services, such as a software as a service (SaaS) and a data center services
providers, would not have the same control objectives in their reports. However, they may have some in
common (i.e., Physical Security). Companies providing the same services will likely have similar control
objectives, but not necessarily the same control objectives.
If you are struggling to identify or are not sure if you have the correct control objectives, you can ask
management of the service organization or a user organization to list the key processing activities provided
to user organizations. This exercise should quickly yield the correct areas for which control objectives should
be formed. Be sure that all control objectives apply to things that the service provider actually performs.
Poor Correlation
Control Objective: Controls provide reasonable assurance that logical access to production application
programs and data files is restricted to appropriately authorized personnel and programs.
Control Activity: The acceptable use policy applies to all current and future employees as well as
consultants, temporary staff, and vendors, and applies to new hires requiring password access.
Analysis: The control does not specifically relate to the objective of restricting logical access. While the
policy cited in the control may specify control activities that do restrict logical access, the policy itself does
not control logical access. Some possible controls that could be used to restrict logical access would include:
authorizations within access provisioning process, removing access for terminated employees or contractors,
periodic access reviews, or password settings.
Control Activity: Testing is performed to confirm that the change meets the requirements outlined in the
change management documentation.
Analysis: This control is aligned with the control objective. This control is relevant to the tested portion
of the control objective. There are at least four more controls that should also be included to support this
control objective. Those controls should address how changes are authorized, approved, implemented, and
documented.
Summary
In summary, we’ve discussed what a control objective is, how to identify the appropriate control objectives
for a SOC 1 audit, and how control activities should relate to the objectives. Hopefully this has addressed
your questions. If not, we would be happy to discuss them with you. You can contact us here.
All public companies, when filing the annual report with the SEC, are required to include an internal control
report. For these companies with a market capitalization in excess of $75 million, the CPA firm auditing
the financial statements is required to express an opinion on management’s internal control report, thus
integrating the financial reporting audit with an internal controls audit.
Although not required, smaller public companies and some private companies may have their auditors use
an integrated audit approach, in case of potential growth or acquisition. Also, auditors may prefer to use an
integrated audit approach, even if not required, because less substantive testing may be required.
Guidance for performing the integrated audit is provided by the PCAOB in Auditing Standard 2201. This
publication provides guidance on planning the audit, incorporating a risk assessment, testing controls,
evaluating weaknesses and deficiencies, and reporting on an opinion.
Management’s Responsibility
The law requires the auditor to attest to management’s assessment of internal controls. See a related blog
post from us: What is an Attestation? In preparation for the integrated audit, management is responsible for
implementing internal controls around financial reporting. Management must document and sign that they
acknowledge this responsibility and include an assessment of the effectiveness of the internal controls they
have established – this is called a management representation letter.
Entity-Level Controls
The auditor’s evaluation of entity-level controls can influence the amount of testing performed on other
controls. If upper-level management supports a strong, risk-based control environment, control activities
are monitored, risk is continually assessed, and controls are modified based on the assessment, and
management is unable to override control activities, strong entity-level controls are in place, and an auditor
can consider decreasing other controls testing.
Reporting
Based on all the evidence obtained from financial substantive audit procedures and control testing, or from
any other sources, the auditor should form an opinion on whether internal controls over financial reporting
were effective. AS 2201.85 – .92 provide specific guidance for report wording and show examples. Although
procedures performed during integrated audits can greatly vary based on company and industry, the
published reports of the auditor are very uniform.
Two examples of these cases may be when the entire payroll function is outsourced, or when servers
containing financial data and/or applications processing financial transactions reside in a data center owned
and managed by a third party.
The SOC report can provide a level of comfort that the service organization has controls in place around the
significant outsourced services. Although the SOC report is used in forming the audit opinion, the auditor
should not mention or reference the SOC report in the opinion paragraph of the Independent Auditor’s
Report.
PCAOB Auditing Standards 2601 provide additional detailed guidance on the audit impact of an entity’s use
of a service organization: AS 2601. Also see Linford & Co’s past blog post about how SOC reports relate to
Management Assertions: Management’s Assertion and SOC Reports.
This section will provide you the background and basics surrounding this question and map out the factors
you should consider in determining the best approach for your organization.
An example of this is a company that offers its clients a Software as a Service (SaaS) solution that is hosted
by a cloud service organization, which provides physical security, environmental control, and monitoring
services for the SaaS company. In this case, the SaaS company is the service organization and the cloud
services provider is the subservice organization.
If you are reading this, chances are you have clients who require your organization to provide them
assurance regarding the control environment surrounding the services provided to them. They are asking
you for a SOC report because their auditors are asking for it. If your clients are SEC registrants, they are
likely asking for a SOC 1 report on your organization’s controls that are relevant to their internal controls over
financial reporting. Otherwise, they are probably asking for a SOC 2 report to gain comfort that you have
adequate controls in place to safeguard their data and systems that interact with your system.
The bottom line is that, as a service provider, it is not enough to just focus on your in-house operations.
You need to have assurance that your subservice providers have controls in place and your organization is
addressing any complementary user entity controls (CUECs) that are expected to be addressed by your
company. See another one of our blogs for more information on CUECs.
The carve-out audit method allows a service organization to describe services performed by a subservice
organization within its system description, but excludes the controls and, in the case of SOC 1 reports,
control objectives of the subservice organization. While this approach excludes subservice organization’s
controls, the service organization is required to note within its description of its “system” the controls used
to effectively monitor the subservice organization.
For the inclusive audit method, the service organization’s description of its “system” includes the services
performed by the actual subservice organization (same as the carve-out audit method) as well as the control
objectives and related controls of the subservice organization.
The following are considerations that must be evaluated before deciding whether or not to use the
carve-out audit method in a SOC report.
• Are the services performed by the subservice organization relevant to the services offered to your clients?
• If the services are applicable, does the subservice organization receive a SOC report or another form of
certification that will allow you to easily monitor its control environment?
• If the subservice organization can provide a SOC report:
• Did they get a clean opinion in their last report?
• Were there control exceptions noted in the report that would impact the service to your clients?
• Were there CUECs called out in the report?
• If there were CUECs in the report, do you have controls to address them?
• If the subservice organization cannot provide a SOC report, does your organization have another
effective approach to monitor the subservice organization’s control environment (e.g., periodic meetings,
questionnaires, etc.)?
A few key items to consider to determine whether the inclusive audit method should be utilized are:
• Would the subservice organization be willing to have your service auditor test the controls within
their environment?
• Would the subservice organization be willing to provide an assertion letter to be included report—along
with the service organization’s assertion letter?
• How easy is it to coordinate and work with the subservice organization? The two organizations will need to
be able to coordinate schedules for the audit to be performed. Additionally, the two organizations will have
to work together in reviewing and revising the system description within the report.
• Do you want the subservice organization’s results in your report? If the organization historically has
control exceptions, there is a possibility that their performance may impact your clients’ perception of
your organization.
Summary
While the inclusive audit method is probably the best approach to obtaining the most complete SOC
report, it is often not very practical. There needs to be a solid working relationship between the service
organization’s management and the subservice organization’s management in order for the inclusive method
to be effective, as it requires a great deal of coordination between both entities involved in the SOC audit.
Consequently, in practice, the carve-out audit method is the most commonly used method in SOC reports.
To facilitate understanding and adoption, the ASB has changed the naming convention of the attestation
standards impacted by the changes made in SSAE 18 to an “AT-C” prefix. The applicability of the updated
AT-C standards depends on the type of service provided and the subject matter of the engagement.
One of the main focuses of SSAE 18 is to allow the practitioner the ability to create a framework for
engagements that meet client needs. The clarifications now allow the practitioner to report on almost any
subject matter provided:
• The party responsible for the subject matter is someone other than the practitioner and takes responsibility
for the subject matter.
• The subject matter is appropriate.
• The criteria to be used in evaluating the subject matter are suitable and available.
• The practitioner expects to be able to obtain evidence needed to arrive at the practitioner’s opinion,
conclusion, or findings through access to information and unrestricted access to people who can provide
such evidence.
• The practitioner’s opinion, conclusion, or findings are to be contained in a written practitioner’s report.
What’s new? – In addition to the restructuring of the SSAEs, the following are some of the changes
introduced by SSAE 18:
• Separate discussion of review engagements – SSAE 18 separates the detailed procedural and reporting
requirements for review engagements from their counterparts for examination requirements.
• Required representation letters – SSAE 18 requires the practitioner to obtain a representation letter for
all engagements. This is different than AT section 101 which discusses representation letters, but does not
require them.
• Risk assessment for examination engagements – SSAE 18 requires practitioners to obtain a more in-depth
understanding of the development of the subject matter than was required in the past in order to better
identify the risks of material misstatement.=
• Incorporation of detailed requirements – SSAE 18 incorporates a number of detailed requirements (e.g.,
representation letters) that are similar to those contained in Statements on Auditing Standards (SASs).
• Scope limitation imposed by the engaging party or the responsible party – SSAE 18 indicates that based on
the practitioner’s assessment of the effect of the scope limitation, the practitioner should express a
qualified opinion, disclaim an opinion, or withdraw from the engagement. The current AT section 101
standard requires that a practitioner should disclaim an opinion or withdraw from the engagement altogether.
When using a service organization, there are certain controls that remain the responsibility of a user
entity. For example, consider a user entity that uses a common file sharing program such as Dropbox.
When employees terminate from the user entity, the user entity must remove the former employees’ access
to the file sharing program. The file sharing program (service organization) has no way to know when a
user entity’s employee access should be removed. As a result, the user entity must remove the former
employees access to the file sharing program upon termination. This is an example of a common CUEC.
When reviewing SOC reports, user entities should review all CUECs where the user entity must perform certain
controls. These controls are usually delineated SOC reports within their own report sub-section and/or next to
the control objectives they relate. CUECs together with the control activities at the service organization work
in conjunction to achieve the related control objective (SOC 1) or Trust Service Criteria (SOC 2).
Most SOC audit reports have CUECs since they are integral to the design and operating effectiveness of the
control environment. The CUECs are usually tested by the user auditor in conjunction with the performance
of the financial statement audit of the user organization. If a SOC audit report does not have any CUECs, this
may be an indication of an incomplete report and therefore lead to inadequate audits at user organizations.
If in doubt, talk to the service auditor. In most cases, they should be more than willing to answer questions
on CUECs.
Complementary Controls: These are controls that work together at an organization to achieve the same
control objective. Using an example from above, if a service organization is not notified to make a change to
a user entity’s access list, they will not remove the access for the user entity’s employee when they terminate
employment. The result is that an individual who is no longer authorized to have access to the user entity’s
environment at the service organization may retain access.
See our past Linford & Company blog posts related to identifying the correct SOC report for your service
organization as well as the impact of any findings within your SOC report.
In a SOC report, management asserts that certain controls are in place. If the auditor performs test
procedures that contradict management’s assertion, they may issue a qualified report opinion. See our
recent blog post on assertions.
Qualified opinions (also known as “dirty opinions” in audit jargon) are actually quite common. Many service
organizations that have received a qualified opinion received it in the first year of the examination, but
it’s also common for control failures to occur when controls have operated successfully in the past. One
common reason for report qualification is due to employee turnover if a control performed by a former
employee is no longer performed consistently by another employee.
A qualified opinion means that the user organization and the user auditor cannot place reliance on the
controls supporting a particular area at the service organization. Note that a single qualification does not
mean that reliance may not be placed on other areas of the report with no qualifications.
Example: A service organization fails to disable access for a former employee. The employee continues to
access the service organization’s systems following termination as evidenced by logs. In this case, there
would be a logical access qualification within the report which would be reflected by the CPA firm’s opinion
in the report.
A going concern opinion often means the organization is in financial peril and may meet its demise very
soon. However, a qualified opinion on a service auditor’s report is more akin to a material internal control
weakness disclosure for SEC registrants who have to issue such disclosures for Sarbanes-Oxley Act
purposes.
A qualified opinion in a service auditor’s report is similar to a significant deficiency or material weakness in
internal control disclosure. All should be avoided by management. Though the going concern opinion is the
worst of the opinions just described.
For example, if there is a qualification related to physical access which is an aspect of a service
organization’s service that is not relevant to the user organization, then it is possible that the qualification in
that area is not relevant to the report user. If an organization is considering outsourcing the physical security
of its servers to another service organization and the service organization has a qualified physical access
control objective, the service organization may consider using a different subservice organization.
Summary
To summarize, SOC report qualifications are fairly common. They relate to an area of the report that an
auditor finds exceptions related to. If the exceptions are severe enough in a particular area the auditor may
provide a qualified opinion related to the area with issues.
Qualified opinions should be considered in context to the services being received by a user organization. If
the qualification potentially impacts the services provided to a user organization, the user organization must
consider whether the issues are severe enough to warrant using a different service organization.
As you can imagine, a letter of representation is an important piece of evidence in any audit. Management’s
representations and attestations in the letter provide some assurance that the information provided during
the examination is reliable to use in audit procedures and to base its opinion. Management’s attestation in
the representation letters also shifts blame to management in the case that a control failure is missed during
an audit or inaccuracies because information was not made available or disclosed to the service auditor.
A. Include the management’s assertion about the description, controls, control objectives (SOC 1), and trust
services criteria (SOC 2) based on the criteria.
B. A statement that all relevant matters are reflected in the description or evaluation of the related controls
or assertion.
C. A statement that all known matters contradicting the control objectives, trust services criteria, or
assertion and any communications from regulatory agencies or others affecting the control objectives, trust
services criteria, or assertion have been disclosed to the practitioner, including any communications between
the end of the period addressed and the written assertion and the date of the service auditor’s report.
E. A statement that any events after to the period (or point in time) related to the description, control
objectives, or trust services criteria being reported on, which would have a material effect on the control
objectives, trust services criteria, or assertion, have been disclosed to the auditor.
H. When applicable, a statement that significant assumptions used to make any material estimates are
reasonable.
I. A statement that the individual signing and the company have disclosed the following to the service auditor:
1. Any and all deficiencies in internal control relevant to the engagement of which the responsible
party is aware;
2. Knowledge of any actual, suspected, or alleged fraud or violation of laws or regulations affecting
the control objectives or trust services criteria; and
3. Other matters as the service auditor deems appropriate.
J. A statement that any instances of noncompliance with laws and regulations or uncorrected misstatements
attributable to the service organization that may affect one or more user entities have been disclosed to the
service auditor.
K. A statement that any knowledge of actual, suspected, or alleged fraud by the management or employees
of the service organization that could adversely affect the fairness of the presentation of management’s
description of the service organization’s system or the completeness or achievement of the control
objectives stated in the description have been disclosed to the service auditor.
Summary
An audit letter of representation is a form letter prepared by a company’s service auditor and signed by a
member of senior management. In the letter, management attests to the accuracy and completeness of the
information provided to the service auditors for their analysis. The letter must be dated as of the date of the
report and signed on or after that date. The service auditor must obtain a signed representation letter that
includes, at a minimum, the required representations specified by the AICPA in order to opine an audit.
Below are some excerpts from the AICPA’s SOC 1 guide addressing the period under review.
2.14 The user auditor evaluates whether the period covered by a given Type II report is appropriate for the
user auditor’s purposes. To provide evidence in support of the user auditor’s risk assessment, the period
covered by the Type II report would need to overlap (typically at least six months) the user entity’s audit period.
2.16 The service organization may consider the following examples when determining an appropriate test
period for a Type II report.
• Example 1. The majority of user entities have calendar year ends. The service organization may want
to provide a Type II report for the period November 1, 20X0, to October 31, 20X1, to maximize the
usefulness of the report to user entities and their auditors.
• Example 2. User entities have year ends that span all months of the year. The service organization
determines that issuing a report each quarter (or more often than annually) with tests of operating
effectiveness that cover twelve months is most likely to maximize the usefulness of the report to user
entities and their auditors.
For the period of time that does not overlap with a service organization’s client’s financial year, a bridge
letter may be issued by the service organization saying that their controls did not change during that period,
or if they did change an explanation of the changes that occurred to the controls in place.
If you are a service provider that is considering your first SOC audit to satisfy an existing or potential user
entity request, it may benefit you to understand the difference between SOC report types, specifically a
Type I audit report and a Type II audit report, and when you should choose one over the other.
Additionally, a management’s assertion from the service organization is provided that addresses the description
of the service organization’s system and whether the controls are suitably designed to provide reasonable
assurance over the service commitments and system requirements to meet the stated control objectives.
A Type I audit report helps the service organization to implement the discipline necessary to successfully
complete an unqualified Type II audit report. Generally speaking, at least six months must elapse in order to
have a Type II audit report because this type of audit report covers a period of time. A Type II audit report
generally covers a period between six months and one year.
When existing or potential user entities are looking for assurance that a service provider has a SOC report,
obtaining the Type I audit report initially is a great way to show commitment while the organization is
setting internal expectations and preparing for the more comprehensive Type II audit report.
Another difference between a Type I and a Type II audit report is that for the SOC report to be relied upon
by user auditors, the SOC report should cover a minimum reporting period of six months. This is only
achieved through a Type II audit report because it covers a period of time. A Type II audit report provides
the user auditors with a higher level of assurance for them to rely on.
According to the AICPA (in SAS No. 122 AU-C Section 530), audit sampling is defined as “The selection and
evaluation of less than 100 percent of the population of audit relevance such that the auditor expects the
items selected (the sample) to be representative of the population and, thus, likely to provide a reasonable
basis for conclusions about the population.” The entire AICPA audit sampling guide can be referenced here.
• Simple Random Sampling – Every unit has the same probability of being selected. This type of sampling
can easily be accomplished by assigning a number to each item in the population and then using a random
number generator to randomly select numbers in the range of the population (there are online tools for this,
apps, and even Excel formulas can be used to generate random numbers).
• Systematic Sampling – This method selects samples using internals which are a result of dividing the
population of units by the sample size. For example, if there are 250 items in the population and 25 will be
selected for testing, 250 is divided by 25 to come up with 10, therefore every 10th item in the population will
be selected for testing.
• Haphazard Sampling – Similar to simple random sampling; however, random number generators or tools
are not used, and selections are just made from the population without any bias.
• Block Sampling – Represents contiguous population items, for example, the five most recent transactions in
a population or the five most recent events can be selected for testing. Block sampling would include testing
100 percent of a population.
• Every SOC examination should follow one or more of these sampling methods for testing of the
population. A walkthrough or inquiry only would not be sufficient to test all controls.
Non-statistical sampling allows an auditor to use professional judgment when selecting samples.
Non-statistical methods make a lot of sense when a population is very small, rather than spending the time
setting up a statistical sample. While non-statistical sampling allows for auditor judgment, an auditor should
always be careful not to include too much bias in selecting samples.
2. The risk of the control. All the controls that the auditor has selected to test are significant controls, but
there is a spectrum that exists regarding the significance of each control. It is important to consider the
impact (qualitatively and quantitatively) if a control is not operating effectively.
The tables below (Table 1 and Table 2) are what we use as guidelines when selecting our sample sizes in our
SOC 1 and SOC 2 examinations. These tables align with the guidance set forth in the audit sampling guide
from the AICPA.
Table 1 is used for larger sample sizes (250 or greater in the population) and shows recommended sample
sizes to get to a minimum 90% confidence level. The table includes the sample sizes for up to two deviations
and takes into consideration the risk of the control.
Table 2
Sampling Table for Infrequently Operating Controls
Control Frequency and Population Size Sample Sie
Annually 1
Quarterly 2
Monthy 2-4
Weekly 5-9
Transactional See Table 1 and at least 5
Continuous 1
Daily See Table 1
Table 2 gives further guidance sampling on less frequent operating controls and on smaller populations
(transactional).
Example 1: A population of all employees is provided and consists of 389 people and you want to test that
all employees are attending security awareness training. According to the table, expecting no deviations, the
initial sample would be 25 and simple random or haphazard sampling would likely be applied. If it is found
that one of the 25 selected did not attend training, the sample would be expanded to 40 people. If another
deviation is found, the sample would be expanded to 60. If another deviation is found, sampling would stop
and it would be determined that the control is not operating effectively.
Summary
The guidance from the AICPA is pretty extensive around audit sampling. SOC auditors should review
their sampling methods to make sure they are aligned with the AICPA guidance when performing their
examinations.
2. Is the service organization’s description of its system and services accurate or presented fairly?
Are the controls described by the service organization suitably designed to achieve the related control
objectives or criteria?
An auditor must gather sufficient evidence to evaluate and answer these questions with reasonable
assurance to support the unqualified or qualified opinion to be written in the audit report. The process of
gathering evidence is called auditing and will include a number of different activities.
For example, auditors may gather information by inquiring of appropriate personnel (management,
supervisors, and staff); inspect documents and records; observe activities and operations being performed;
and tests of controls. All of these activities used to gather and evaluate evidence are often referred to as
audit procedures or audit tests.
• Control Objective: Controls provide reasonable assurance that statement processing is appropriately
scheduled and that deviations in processing are identified and resolved.
• Control Activity: Statement batch totals are used in order to identify and resolve deviations in processing.
• Testing Performed: Inspected a sample of batches used to process statements and noted that batch
control totals were used to help maintain the integrity of the statements processed.
Using this example, if an auditor performed this test and found that one or more of the batches selected for
testing did not use batch control totals, as expected and indicated in the service organization’s description,
the auditor would note a deviation. These deviations go by many names: audit exceptions, test exceptions,
control exceptions, deficiencies, findings, misstatements, and so on.
• The identified exceptions are within the expected rate of deviation and are acceptable.
• Additional testing of the control or of other controls is necessary to reach a conclusion about whether the
controls related to the control objectives or criteria stated in management’s description of their system or
services operated effectively throughout the specified period.
• The testing that has been performed provides appropriate basis for concluding that the control did not
operate effectively throughout the specified period.
What to Look for When Discussing Audit Exceptions in SOC Audit Results
Auditors have their own vernacular that may cause confusion and worries. We like to compare audits to
taking a trip to the doctor’s office:
Imagine after suffering with an illness for a few days, you finally go in and see a doctor. The doctor visits with
you, inspects you by doing a few checks personally, and may even order a few tests (i.e., blood work) before
coming back to share the prognosis at the conclusion of your visit. The doctor sits down in front of you and
stoically shares that you are suffering from nasopharyngitis or acute coryza. You don’t necessarily know what
that is, but it sounds horrible—much more serious than you had thought. In the moments after hearing the
initial prognosis, your heart rate starts to pick up, you begin to sweat (if you weren’t already), and your mind
begins to race. Seeing your reaction, the doctor quickly clarifies, “That means you’ve got a cold. You need to
get some rest, stay hydrated, and take some pain medication.”
That’s kind of what it’s like when you are visiting with your auditors after an audit. You know there were
a few exceptions, but you’re not sure what it means or just how bad is. Well, not all audit exceptions are
created equal.
There are three basic types of exceptions when it comes to SOC audits:
• Misstatements: a misstatement is used to refer to an error or omission in the description of the service
organization’s system or services.
• Deficiency in the Design of a Control: a design deficiency is used when a control necessary to achieve
the control objective or criteria is missing or an existing control is not properly designed, even if the
control operates as designed, to achieve the control objective or criteria.
• Deficiency in the Operating Effectiveness of a Control: an operating deficiency is used when a properly
designed control does not operate as designed or when the person performing the control does not
possess the necessary authority or competence to perform the control effectively.
As your instinct would suggest, an exception is not a good thing. However, having an exception does not
necessarily mean that a control fails, nor does a control failure mean that an objective or criteria is not met.
It is actually quite common for a SOC report to have some exceptions. Some user entities and auditors
reading an audit report actually like to see one or two exceptions in a report because it gives them some
comfort that the auditor is doing a thorough job.
Spending a little time with your auditors to understand the exceptions and confirming them internally
can pay big dividends. In some cases, you will be able to find and provide the “missing” evidence to your
auditors who can clear the exceptions. In other cases, you may be able to identify another control activity
that your organization performs that mitigates the risk. Often, the risk raised by an audit exception is
mitigated by other controls within the environment.
These questions will allow you to understand just how bad the exceptions are. You don’t really need to worry
about a variance that will be noted in the report, but is not considered a control failure. If a control has an
exception, knowing if it is a design or operating deficiency will help you understand what type and level of
corrective action is needed.
For example, we are qualified for jobs. However, we auditors like to be different. So, your ultimate goal in
audit is to get an unqualified or clean opinion. A qualified opinion is not good in that it means that there is at
least one control objective or criteria that the auditor believes the organization was not able to achieve.
No matter how serious or not serious the exceptions may be, remember to always ask your auditor what
they might recommend that you do to correct the exception(s) going forward.
Conclusion
Hopefully this helped you better understand the purpose and process of an audit, what audit exceptions are,
and clarified what to look for when discussing the results of an audit.
• Payroll processors
• Medical claims processors
• Loan servicing companies
• Data center companies
• Software-as-a-Service (SaaS) companies that may impact the financials of their user entities.
Type 1 reports are as of a particular date (sometimes referred to as point-in-time reports) that include
a description of a service organization’s system as well as tests to help determine whether a service
organization’s controls are designed appropriately. Type 1 reports test the design of a service organization’s
controls, but not the operating effectiveness.
Type 2 reports cover a period of time (usually 12 months), include a description of the service organization’s
system, and test the design and operating effectiveness of key internal controls over a period of time.
In 2017, the AICPA issued SSAE 18 which recodifies all previous attestation standards (including SSAE 16).
SSAE 18 took effect on May 1, 2017.
The abundance of information security questionnaires sent by user entities is enough to drive many
companies to obtain a SOC 1 report to answer many of the common questions. Some individuals at service
organizations spend a significant portion of their time answering questionnaires with slightly different
questions. A SOC 1 report may sometimes be provided in lieu of answering certain sections of the due
diligence questionnaires.
Management’s Assertion
The second section contains an assertion written by management of the service organization that makes
a number of management statements including the following: 1) An assertion that the description of the
system fairly presents the system, 2) The control objectives were suitably designed (Type 1) or suitably
designed and operating effectively (Type 2), and 3) Discussion of the criteria used to make the assertion.
Other Information
Some SOC 1 reports include a section used by service organizations to provide additional information about
relevant processes that were not tested within the report such as disaster recovery and business continuity
information. The SOC auditor will not express an opinion on the statements made by management within
this section.
While most organizations do a good job of recognizing the need to request these reports from service
organizations they use, often they are not properly reviewed and evaluated when received. So, what do you
do with the SOC 1 report once it has been received other than give it the internal and external auditors?
Many users ask if a SSAE 16 is the same as a SOC 2 report? The answer to that is: no. A SOC 1 report was
previously referred to as a SSAE 16 review and there are distinct differences between a SOC 1 and a SOC 2.
A SOC 1 (f. SSAE 16), as mentioned above, is a review of controls in support of a client’s financial statements.
The control objectives included in a SOC 1 report are most likely related to Information Technology and
Business Processes.
So what is a SOC 2 report? A SOC 2 report focuses on non-financial controls, specifically on the Trust
Services Criteria. These criteria relate to security, availability, confidentiality, processing integrity, and privacy
of the service organization’s system. Please refer to our service page on our website for further details
regarding a SOC 2 audit.
Report Topic: Many service organizations issue multiple SOC 1 reports for the various products they offer.
Review the title and system description to determine whether the report is in support of the product your
organization is using.
Report Dates: More than a few service organizations try to pass off old reports as current reports. Make
sure you are provided with the current report. Additionally, make sure the time period covered by the report
meets your needs. Does the performed testing cover the design and operating effectiveness of the controls
over a period of time (Type II) or a point in time (Type I)? If the report timing doesn’t provide you with the
coverage you require, ask the service organization about it.
Auditor Opinion: In the first section of the report, the opinion of the service auditor can be found. This
opinion will outline the scope of the report and whether the report is qualified or unqualified. If the report is
qualified, your organization will need to evaluate how this qualification impacts your reliance on the report.
Learn more about qualified opinions.
Management’s Assertion: Management is required to include their written assertion in the report stating the
report’s accuracy. In some instances, SOC 1 reports are being issued without a management assertion or the
content of the management assertion differs from the auditor’s opinion. If it’s missing or opinions differ, a
conversation with the service organization is warranted.
Location: Service organizations often have multiple locations, which is to be expected in the global
economy. Make sure the report and audit testing covers the locations in which the vendor is performing
services for your company. The locations covered can often be found in the system description of the report,
and if it is not obvious, ask the service organization to clarify.
Processes, People, & Systems: The processes as well as the people and systems that support the processes
should be adequately described in the report. Make sure there is sufficient detail so you can understand
what the service organization is doing and what they are not doing. If a key process (eg, information
security) is not described in the report, ask the service organization about it.
Testing Procedures and Results: Based on whether the SOC 1 report you are reviewing is a Type I or Type
II report, you will need to review the extent of testing performed and determine it is sufficient to meet your
organizations needs. The controls tested, the description of the testing performed and the results of the
testing can generally be found in Section IV of the report. Review any findings/issues identified, including
how they were mitigated and/or remediated, and determine how they impact your organization.
Summary
In this section, we covered various different areas in a SOC 1 (f. SSAE 16) report that could be considered
when reviewing it. There are different concerns to consider when reviewing a SOC 1 report and the lens
in which you review your SOC 1 report through should reflect the coverage you need to obtain for your
organization.
Often times, dialogue with the service organization is required in order to clarify any questions regarding the
scope and results of the report. Reviewing the report yourself, rather than just passing it off to the internal
and external auditors, is important in order to understand the services being provided, the effectiveness of
the service organization’s controls and how it impacts your organization.
Well, yes, it would be easier; however, most user organizations and especially their auditors (user auditors)
want the SOC 1 reports while they are doing their interim internal control testing. This testing often occurs in
the quarter prior to the user organization’s calendar or fiscal year-end.
For example, if a user organization has a calendar year-end of December 31 and this user organization is also
an SEC registrant, the interim internal control testing will be performed by the user organization’s external
auditor (e.g., Big Four accounting firm) sometime during the 3rd and/or 4th calendar quarter. Or in other
words, this interim testing will occur right before Christmas.
This letter is a great tool that can be used by service organizations instead of making their clients (i.e., user
organizations) wait for the next report, which in any case might require waiting another 12 months. This
letter is on the service organization’s letterhead and typically signed by the service organization.
The bridge letter is never on the service auditor’s letterhead nor is the bridge letter signed by the service
auditor. Since the service auditor is not opining—or in other words attesting—on those internal controls
within the gap period, the service auditor cannot issue the letter. Once the service auditors have issued their
SOC 1 report, the service auditors do not know definitively if the internal control environment has materially
changed or not. However, management of the service organization knows or should know this information.
There are several key points that should be addressed in the letter. Namely, the report end date, material
changes in the internal control environment (if any), a statement that the service organization is not
aware of any other material changes, a reminder that user organizations are responsible for following the
complementary user entity controls—sometimes referred to as client control considerations or user control
considerations—a request for user organizations to read the report, and a disclaimer that the bridge letter is
not a replacement for the actual SOC 1 report.
While there are a number of offerings of SOC reports from the AICPA, we will focus on SOC 1 and SOC 2, as
these are the most common from the SOC suite.
SOC 2 Reports: A SOC 2 report also falls under the SSAE 18 standard, though is specifically addressed in
sections AT-C 105 and AT-C 205. The SOC 2 report addresses a service organization’s controls that are
relevant to their operations and compliance, as outlined by the AICPA’s Trust Services Criteria (TSC). The
available TSCs include security, availability, processing integrity, confidentiality, and privacy. The security TSC
is the only required TSC in the SOC 2. Controls meeting the TSCs included in the examination are identified
and tested, versus in a SOC 1 where controls supporting identified control objectives are tested.
For additional information on the available TSC’s please see the following blog posts:
• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy
A type I examination looks at the description or design of controls as of a specified date. The report for a
type I includes the same sections as the type II, there is just no testing included outside of a test of one to
confirm the description or design of controls.
A type II examination also looks at the design of controls, but also includes testing of the operating
effectiveness of controls over a period of time. A type II report covers a minimum of six months (there are
exceptions to this, but as a general rule six months is the minimum). The goal of an organization is to have
the type II cover 12 months and then have annual type II reports to have continuance coverage of controls.
If a service organization needs to get an initial report to a client or prospect quickly, the initial report can
be a type I to show evidence of controls in place. If there is not a rush to get an initial report out quickly, we
generally recommend starting with a type II.
Summary
A SOC 1 report is designed to address internal controls over financial reporting while a SOC 2 report
addresses a service organization’s controls that are relevant to their operations and compliance. One or both
could be right for your organization. At Linford & Company we can help determine the correct report or
reports to meet your needs.
There are four main methods to walkthrough and test each control in place at the service organization.
These methods include (listed in order of complexity): inquiry, observation, examination or inspection of
evidence, and re-performance.
• Inquiry: Simply, the auditor asks appropriate management and staff about the controls in place at the
service organization to determine some relevant information. This method is often used in conjunction with
other, more reliable methods. For example, an auditor may inquire of management if visitors to the data
center are escorted at all times if the auditor is not able to observe this activity while on site. No control
objective should ever be supported by controls only tested through inquiry procedures.
• Observation: Activities and operations are tested using observation. This method is useful when there
is no documentation of the operation of a control, such as observing that a security camera is in place or
observing that a fire suppression system is installed.
• Re-performance: This method is used when the other three methods combined fail to provide sufficient
assurance that a control is operating effectively. This method of testing is the strongest type of the four.
This requires the auditor to manually execute the control, such as re-performing a calculation that a system
automatically calculates.
Samples of populations are selected for testing based on the type of test being performed (i.e., a test of one
would be completed for an automated control using re-performance, but a sample of the population would
be selected for an inspection control), the population size, and the level of precision we want to achieve.
If, during testing, the auditor encounters an error in a test of controls, they will expand the sample size and
conduct further testing, or perform additional tests. If additional errors are found, the auditor will consider
whether there is a systematic controls problem that renders the controls ineffective, or if the errors appear
to be isolated instances that do not reflect upon the overall effectiveness of the control in question.
The results of these testing procedures are documented within the final SOC 1 section, “Independent Service
Auditor’s Description of Tests of Controls and Results” or the SOC 2 section, “Independent Service Auditor’s
Description of Tests of Controls, Control Criteria, and Results.” The type of test performed and the results of
testing are listed with the control. If there are findings listed in the report, a management response is
also included.
The prospect was considering backing out of the deal because our client was not SOC 2 “certified.” We
joined on the call and told our client’s prospect that our client did in fact have a SOC 2 report, but they were
not SOC 2 “certified.” The prospect then said, “oh, so you are SOC 2 certified” and the deal moved forward.
We laughed afterwards with our client because our client’s prospect could not grasp the terminology.
SOC 2 reports are considered attestation reports. For a SOC 2 attestation, management of a service
organization asserts that certain controls are in place to meet some or all of the AICPA’s SOC 2 Trust
Services Criteria (TSC). Management also selects which of the five TSCs best address the risk of the services
provided by the service organization.
When a service organization completes a SOC 2 report, the report contains an opinion from a CPA firm that
states whether the CPA firm agrees with management’s assertion. The opinion states that the appropriate
controls are in place to address the selected TSCs and the controls are designed (Type I report) or designed
and operating effectively (Type II report). In many cases, the opinion is positive and the CPA firm agrees
with management’s assertion. In other cases, the CPA firm does not agree with management’s assertion and
provides a qualified or adverse opinion. See our blog post on qualified opinions.
If a service organization can impact the ICFR of its user organizations, a SOC 1 report may be the best report
option. If a service organization cannot impact its user organizations’ ICFR, but they can impact the security,
availability, processing integrity, confidentiality, or privacy of their user organizations, then a SOC 2 may be
the best report for the service organization’s clients.
Using AWS as an example, many companies use AWS and request assurance from AWS that there are
controls in place to mitigate the risk of AWS’ systems and data being compromised. AWS could attempt to
provide different answers to every single client that asks security related questions, but that would take too
much time. Instead, AWS has selected an independent CPA firm to perform a SOC 2 examination (among
many other AWS compliance exams). Then, rather than respond to all the questions regarding AWS’ security
posture, AWS provides its SOC 2 report, which answers many of the common questions asked by its user
organizations related to security, availability, confidentiality, processing integrity, and privacy.
Learn more in our article, Leveraging the AWS SOC 2: How to Build a SOC 2 Compliant SaaS.
Recently, we had a prospective client say they wanted all of the TSCs included within their report because
they wanted it to be the strongest report possible. Unfortunately, not all TSCs may apply to a particular client’s
service. For example, if your company does not process transactions, processing integrity is probably not
applicable. I’ve heard of firms including TSCs when they are not applicable within a report and then explaining
why they are not applicable within the report. That’s not advised. Your best bet is to select criteria that is
applicable to your services and answer the questions you hear most from your clients and prospective clients.
First, identify a firm with expertise in performing SOC 2 audits, not just a traditional CPA firm that
moonlights when performing SOC 2 audits. Ensure the firm uses IT auditors with a background in
information security. Common IT auditor certifications are the Certified Information Systems Auditor (CISA)
and Certified Information Systems Security Professional (CISSP).
Next, determine whether your clients or prospective clients will need a type I or type II report.
Most user organizations (SOC 2 report stakeholders) who request a SOC 2 report will accept a Type I report
for the first year. If your user organization needs a Type II report immediately, engage a firm who can perform
a pre-assessment right away to identify any gaps against the desired SOC 2 criteria for the desired AICPA
Trust Services Principles (Security/Common Criteria, Availability, Confidentiality, Processing Integrity, Privacy).
Once any gaps identified within the pre-assessment are remediated, a six month examination period can begin.
Once the six months has passed and all of the controls tested as part of the audit are found to be operating
effectively for the six month period, a six month Type II report with a clean audit opinion can be issued. For
following years, the examination period is almost always adjusted to twelve months.
1. Receive a letter from your firm that you can share with your user organization(s) letting them know the s
cope of the SOC 2 audit to be performed and when they can expect to receive the final report.
2. Receive an initial request list, illustrative risk and control matrix to help facilitate completion of the pre-
assessment and performance of walkthroughs to identify key controls within each in scope process.
3. Schedule a week or more of on-site fieldwork. Length of fieldwork is dependent upon the size of the
company and scope of the SOC 2 audit.
4. Schedule a meeting (in person or remotely) with your audit firm to go through the initial request list and
illustrative control matrix. The documents are used to generate conversation around the actual controls that
are in place vs. the hypothetical controls in the illustrative risk and control matrix.
5. Identify any gaps based on the discussions with your audit firm against the desired AICPA Trust Services
Principles and Criteria.
6. Remediate any identified gaps and provide evidence to your auditor that the gaps were remediated.
7. Perform on-site audit fieldwork to ensure that controls are designed appropriately as of a point in time
such as July 31, 2019.
8. Discuss any potential issues identified in the report and gain agreement with your audit firm on any issues
that are included in the report.
10. Obtain the final Type I SOC 2 report after any feedback is incorporated.
The previous trust services principles (2016 TSPs) and criteria were effective starting December 15, 2016. The
updated trust services criteria were required to be used on any report issued on or after December 15, 2018.
Currently, any reports being issued should be referencing and mapping to the 2017 trust services criteria.
• Security
• Availability
• Confidentiality
• Privacy
• Processing Integrity
The only criteria that is required to be in a SOC 2 examination is the security criteria, which is also known
as the common criteria. The security criteria is referred to as common criteria because many of the criteria
used to evaluate a system are shared among all of the Trust Services Criteria.
For example, the criteria related to risk management applies to four of the criteria (security, processing
integrity, confidentiality, and availability). The common criteria establishes the criteria common to all the
trust services criteria and the comprehensive set of criteria for the security criteria.
When a service organization’s client wants to know their information/data is secure and protected, they are
likely interested in the security criteria. This criteria is comprehensive enough that including it in the scope of
the examination alone will likely be enough for service organization’s clients to get the assurance they need
with respects to the security of their information/data.
The other available criteria can be added to the examination at the discretion of management, or if it is
determined that the criteria is key to the services being provided.
Prior to deciding on the criteria to include in the SOC 2 examination, the service organization, with the help
of their auditor, should determine the system and its boundaries relevant to the services that are being
provided. This should include contemplation of the entire environment, including software, infrastructure,
procedures, data, and people. After the scope of the examination has been determined, it can then be
decided which of the criteria are pertinent to the service organization’s services and system.
Helping determine the criteria to include, as well as determining the boundaries of the system is something
at Linford & Company that we do all the time as part of our SOC 2 audits.
These five categories align with the first five criteria sections within the security/common criteria section.
• Logical and physical access. How an entity restricts access (physical and logical), adds and removes said
access, and avoids unauthorized access.
• System operations. How an entity manages the operation of system(s) and detects and mitigates
processing nonconformities, including access (physical and logical) security nonconformities.
• Change management: How an entity recognizes the necessity for changes, executes the changes using a
controlled process and stops unauthorized changes from occurring.
• Risk mitigation: How the entity recognizes, chooses, and advances risk mitigation activities that have
occurred from business disruptions, and the monitoring and evaluation of the use of business partners
and vendors.
The numbers listed in the previous paragraph should not cause any alarm, because a majority of the points
of focus are what SOC auditors should be reviewing already as part of the SOC 2 examination. The points
of focus have not been listed with the criteria until the 2017 update. Additionally, not all points of focus
are relevant to the service provider. An assessment of whether each point of focus is met by the service
organization is not required according to the guidance at TSP 100.04.
• Security (also known as common criteria). This is the only required TSC and is included to demonstrate
that systems at a service organization are protected against unauthorized access and other risks that could
impact the service organization’s ability to provide the services promised to clients.
• Availability. Included where service organizations need to demonstrate that their systems are available at
all times.
• Processing integrity. Demonstrates that system processing is occurring accurately and timely.
• Confidentiality. This TSC is included to demonstrate that data classified as confidential is protected.
• Privacy. When a service organization is in possession of personal information, this TSC is included to show
that this personal information is protected and handled appropriately.
The Security TSC is the only TSC that is required in a SOC 2. The other four criteria can be added at the
discretion of management, and should be included if the criteria are key to the services being provided by
the service organization.
Protection of Information
The security TSC tests that information is secure during the collection or creation of the data, and during the
use, processing, transmission and storage of the data.
The security TSC is also referred to as common criteria, and is broken down into common criteria sections.
• CC1 – Control Environment
• CC2 – Communication and Information
• CC3 – Risk Assessment
• CC4 – Monitoring Activities
• CC5 – Control Activities
• CC6 – Logical and Physical Access Controls
• CC7 – System Operations
• CC8 – Change Management
• CC9 – Risk Mitigation
The AICPA guidance provides the criteria sections and then also points of focus within each of the criteria
sections. Points of focus (i.e. controls) represent important characteristics of the criteria. These are provided
by the AICPA to assist in designing controls supporting the criteria. Not all of the points of focus will be
suitable or relevant to the service organization, so they can be customized, or different points of focus/
controls can be developed to be included in the examination.
Use of all the points of focus in not required. For example, under CC4 – Monitoring Activities, one of the
points of focus is “Considers Different Types of Ongoing and Separate Evaluations—Management uses a
variety of different types of ongoing and separate evaluations, including penetration testing, independent
certification made against established specifications (for example, ISO certifications), and internal audit
assessments.“
Control Environment
The control environment common criteria (CC1) covers COSO Principles 1-5. This criteria section covers the
service organization’s commitment to integrity and ethical values, independence by the board, management
and board oversight, and the hiring, maintaining and ongoing monitoring of quality employees at the service
organization.
Risk Assessment
The risk assessment common criteria (CC3) covers COSO Principles 6-9. This criteria section is included to
demonstrate that the service organization is assessing risks possibly impacting their operations and putting
plans in place to mitigate these risks.
Monitoring Activities
The monitoring activities common criteria (CC4) covers COSO Principles 16-17. This criteria covers the
ongoing evaluation of the system at the service organization and the notification to relevant personnel in the
event that there is a breakdown in the system.
Control Activities
The control activities common criteria (CC5) covers COSO Principles 10-12. This criteria section tests that
the service organization has controls in place for the mitigation of risk and also that the controls in place are
monitored on an ongoing basis.
On the AICPA website you can download the SOC 2 criteria that includes the mapping to COSO. See
Mapping of the 2017 Trust Services Criteria to Extant 2016 Trust Services Principles and Criteria. They also
offer mapping to other frameworks, including ISO 27001, NIST CSF, and COBIT5.
Summary
A SOC 2 examination includes many areas, even specific areas within the required security/common criteria.
If your organization is considering a SOC examination, or you have questions about what TSCs should be
included, please contact us to request a consultation.
• Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with
the commitments in the entity’s privacy notice and with the criteria set forth in generally accepted privacy
principles (GAPP).
• Name
• Home or email address
• Identification number (Social Security Number, Social Insurance Number, etc.)
• Physical characteristics
• Consumer purchase history
• Information on medical or health conditions
• Financial information
• Information related to offenses or criminal convictions
The term “confidential information” and its meaning can vary between organizations or geographical
location and potentially cover a wide range of information security practices. If the service organization
has outlined contractual commitments with its clients related to the protection of information as the data
custodian, then the confidentiality principle can be considered.
Unlike personal information, confidential information is not so easily defined. Any personal or non-
personal information or data can be designated as confidential, and once it is, it needs to be protected.
Interpretations of this type of information often vary significantly from one company to another. Some
examples of confidential information include, but are not limited to:
• Transaction details
• Engineering drawings
• Business plans
• Banking information
• Legal documents
The framework developed by the Privacy Task Force is called the Generally Accepted Privacy Principles
(GAPP). The GAPP consists of ten privacy principles, which are reviewed as part of the SOC 2 Privacy
Criteria. The privacy principles are listed and summarized below:
1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy
policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes
for which personal information is collected, used, retained, and disclosed.
3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or
explicit consent with respect to the collection, use, and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in
the notice and for which the individual has provided implicit or explicit consent. The entity retains personal
information for only as long as necessary to fulfill the stated purposes or as required by law or regulations
and thereafter appropriately disposes of such information.
6. Access. The entity provides individuals with access to their personal information for review and update.
7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes
identified in the notice and with the implicit or explicit consent of the individual.
8. Security for privacy. The entity protects personal information against unauthorized access (both physical
and logical).
9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes
identified in the notice.
For additional information on the 10 generally accepted privacy principles, see The 10 Generally Accepted
Privacy Principles.
• Identification of confidential information: Procedures are in place to identify and designate confidential
information when it is received or created and to determine the period over which the confidential
information is to be retained.
• Protection of confidential information from destruction: Procedures are in place to protect confidential
information from erasure or destruction during the specified retention period of the information.
• Destruction of confidential information: Procedures are in place to identify confidential information
requiring destruction when the end of the retention period is reached.
Summary
In summary, there are differences between the privacy and confidentiality TSCs in a SOC 2, and it depends
on the type of data a service organization has in their possession and what they are doing with it that will
determine which (or both) TSC should be included in the examination.
• Security. Information and systems are protected against unauthorized access, unauthorized disclosure of
information, and damage to systems that could compromise the availability, integrity, confidentiality, and
privacy of information or systems and affect the entity’s ability to meet its objectives.
• Availability. Information and systems are available for operation and use to meet the entity’s objectives.
• Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the
entity’s objectives.
• Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
• Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the
entity’s objectives.
The only TSC that is required to be in every SOC 2 examination is the security TSC. The other four TSCs are
options to be included in the examination at the discretion of the service organization.
In this post we will look specifically at the availability criteria. For additional information on the current
SOC 2 guidance, refer to our article on the New Trust Services Criteria.
A lot of service organizations are providing an outsourced service to their clients, and most of these will have
contractual requirements or service level agreements (SLAs) in place around the services being provided.
Because of these requirements and SLAs, the availability TSC is great to include to evidence this. Data centers
and service organizations that provide software as a service (SAAS) commonly include the availability TSC.
When we are talking to prospective (and existing) clients about which criteria to include, we generally find out
two different things. Specific to availability, we ask:
To identify what testing will be included with the addition of the availability trust services criteria, the
service auditor will walk through the services provided to your clients and identify control points in
the process. This could include controls such as (these are just a few examples taken from the AICPA’s
illustrative mapping (Mapping of 2017 TSC to 2016 TSC)):
• Measures Current Usage—Measurement of use of system components is performed to establish a baseline for
capacity management and to refer to when evaluating the risk of lack of availability due to capacity constraints.
• Forecasts Capacity—A forecast and comparison of expected average and high use of system components to
system capacity and tolerances is performed. Considerations include capacity in the event there is a system
failure.
• Identifies Environmental Threats—Management identifies environmental threats as part of the risk assessment
that could impair the availability of the system. These could include threats resulting from weather, failure of
environmental control systems, electrical discharge, fire, and flood/water.
• Designs Detection Measures—Measures are implemented for detecting anomalies that could result from
environmental threat events.
• Implements and Maintains Environmental Protection Mechanisms— Environment protection mechanisms are
implemented by Management to prevent and mitigate against environmental events.
Summary
While the availability TSC is not required in a SOC 2 examination, it is an important TSC for many service
organizations to demonstrate availability.
Technological innovation and the power of data analytics create remarkable value, but also present new
challenges. Threats to the security and privacy of personal information continue to grow as the value of
information has increased. The protection of personal information is appropriately of utmost importance to
many individuals and organizations around the world. Governing bodies at nearly every level have attempted
to legislate and regulate activities to protect their citizenry. The Health Insurance Portability and Accountability
Act (HIPAA) and the European Union’s General Data Protection Regulation are a couple of examples. Business
expend a great deal of resources complying with these regulations and protecting their data.
Experiencing such an event can be devastating to a business. Damage to the organization’s reputation and brand
are significant, as are potential legal reparations. Evidenced by Blue Cross and Blue Shield / Anthem’s announced
settlement of $115 million earlier this year for a 2015 data breach impacting 80 million of its customers.
The implementation and consistent application of the GAPP privacy framework or privacy principles will
enable an organization to effectively manage the collection, use, retention, disclosure, and disposal of data
requiring privacy protections.
1. Names
2. Geographic identifiers (more specific than state)
3. Dates specific to an individual (other than year only)
4. Phone numbers
5. Email addresses
6. Fax numbers
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers (e.g., license plate or vehicle numbers)
13. Device serial numbers
14. Web URLs
15. IP address numbers
16. Biometric identifiers (such as finger, retinal, and voice prints)
17. Full face images
18. Any other number, characteristic, or code unique to an individual
PHI that is created, received, stored, or transferred in an electronic form is often referred to as ePHI. The
same privacy protections needed for PHI are required for ePHI.
The implementation phase includes the design and documenting of a privacy program and action plan to
implement and manage it. The plan should clearly define privacy ownership, assign responsibility and tasks,
establish an implementation schedule including major milestones, and measures of success.
Summary
Every organization faces a significant challenge in maintaining the security and privacy of personal
information within its custody. The GAPP presents a framework of generally accepted principles and
practices that an entity can employ to mitigate risk of not maintain the privacy of its information assets.
Using the definition defined above we will dissect a few of the incidents identified above.
According to the new guidance, management is now required to include specific information about incidents
that (1) occurred as a result of a failure in the design or operating effectiveness of one or multiple controls
or (2) upon occurrence resulted in the company not being able to meet service commitments and system
requirements.
Something important to note is that the AICPA understand that not all incidents are major and require
reporting to their users. The new Description Criteria provides considerations that management can use
when determining whether an information security or cyber security incident response is warranted, and
therefore meet the reporting requirements noted in the section above. The considerations are as follows:
If the answer to any of these considerations is yes, then it is likely that the incident needs to be reported
within the upcoming SOC 2 report.
Get a SOC 1 Audit Get a SOC 2 Audit 102
I Have a Reportable Security Incident, What Now?
If by going through the considerations in the previous section and through conversations with the
appropriate personnel it is decided that an incident does need to be reported, it is important to understand
what that should look like.
When a company reports an incident, the information reported should be presented in a high-level for a
number of reasons. The first reason is that certain details could provide parties with bad intentions enough
information needed to further exploit the system. Secondly, the reporting of incidents is only intended to
provide readers with the description of the incident, timing, and any consequences the incident has caused.
Service organizations that determine they have a reportable incident should work with appropriate
personnel such as their auditor and legal team to ensure that the information provided will not result in
further damage to their system.
Educating staff about the purpose and benefits of policies and getting their commitment to comply are
essential for obtaining and maintaining compliance.
There are many ways to avoid this mistake, and below are just a few of them. Simply being aware of this gets
you much closer to defining a way to protect against it.
• Document which products have access controls and the roles/permissions that are defined in each. When a
user changes positions or leaves the company, having a detailed and accurate list will help ensure that their
permissions are updated/removed appropriately.
• Review roles and permissions on a regular basis. This will help one identify if a user was not removed or a
permission change was missed.
• Document changes to a user’s permissions in a service ticket or checklist and retain this information. This
provides historical evidence of the actions taken.
In 2015, the POODLE attack made SSLv3 obsolete and insecure. It is recommended organization’s disable
this protocol, but according to the 2016 TLS Telemetry Report provided by F5 Labs, as of October 2016, 23%
of the internet at large still is supporting it. Without an external vulnerability scan or well documented and
reviewed interface documents, organizations may still be using an insecure protocol and not even know it.
Performing external vulnerability scans and/or penetration tests is a great way to determine the security of
your external connections and network configuration. We also like to recommend that every organization
document their connections and review the connection details periodically.
Note: We recommend contacting your vendors for details on how to disable SSLv3. http://disablessl3.com/
is also a good resource to help your organization identify and disable the protocol.
No Separation of Duties
Separation of duty means that in order to complete a task, more than one person is required. When talking
about systems, this is especially important when it comes to Change Management. In Change Management,
you do not want to allow the same person to build, test and push updates to production. If only one person
can do everything, it creates an environment where a coding mistake could be pushed into production, or
more nefarious acts like installing a backdoor into the system, can be done without anyone knowing.
A user organization should be reviewing and monitoring their subservice organizations to ensure that they
are fulfilling their obligations as well as understanding what role the user organization should be fulfilling.
Understanding the service’s scope and boundaries starts with understanding the people, processes and
technology that support the service. From there, determine which risks are related to the service(s)
provided, generally through a risk matrix, and ensure that each risk is being addressed. If an organization
has not been directly told which type of report is required by their customer or auditor, then the
organization would also need to identify which report type is necessary. SOC 1 reports are for internal
controls over financial reporting, and a SOC 2 report includes security, confidentiality, processing integrity,
availability and privacy. For additional information on what report you may need, see: Need A SOC Report?
How To Know Which One Is Best For Your Service Organization.
Summary
Whether you are preparing for your first SOC audit or have been through an audit before, the above
common mistakes can sneak up on any organization and each one could qualify a report, create exceptions,
and/or create a less secure environment. Stay diligent, know your environment and monitor changes. With
proper processes and team buy-in, your SOC audit can be smooth and free of issues.
• Management’s Assertion
• Auditor’s Opinion
• Description of Services
• Results of Testing
If a firm completes a SOC audit that is not a certified CPA firm, then they cannot provide an opinion of the
contents detailed within the Description or Services and Results of Testing. Because of this, it is imperative
to confirm that the firm your organization chooses to perform the SOC audit, meets this fundamental
requirement.
With that said, the AICPA requires that team members that work on engagements have a certain level of
competence and capabilities. While a non-CPA organization may have the technical capability to perform a
review of the services or system being examined, they must also have experience with the following:
• Evaluating the design of controls and the operating effectiveness to confirm that they have functioned
over a period of time and meet the applicable trust service criteria included in the report.
• Understand professional standards that are required by the AICPA such as the AICPA Code of Conduct along
with other audit standards that allow auditors to apply professional skepticism and judgment as required.
This, however, does not mean an auditor cannot enlist the use of a specialist, if required, to complete an audit.
This question will be addressed in question number five.
What are the Ramifications to the Service Organization if One of the Above
has Happened?
Any user organization and/or user auditor that relied on the SOC 1 or SOC 2 examination report from the service
organization may have placed unwarranted reliance on that SOC report. In other words, the user organization’s
financial statement audit may have to be performed again for each period in which there was unwarranted
reliance. Moreover, it is illegal to depart from state laws in regard to performing attestation services.
Guidance also exists that states that the only type of organization that may perform a SOC 1 and SOC 2
audits is a licensed CPA firm. The following bullets are selected excerpts from authoritative sources listing
some, but not all, of the relevant guidance supporting the comments above:
• “[A]uditor should not assume responsibility for the predecessor auditor’s work or issue a report that
reflects divided responsibility” (AICPA, AU315.16).
• “The independent auditor also has a responsibility to his profession, the responsibility to comply with the
standards accepted by his fellow practitioners” (AICPA, AU110.10). This includes adherence to CPE, Ethics,
and licensing requirements.
• “No person, partnership, professional corporation, or limited liability company shall, without an active
certificate of certified public accountant or a valid registration: Attest or express an opinion, as an
independent auditor” (Colorado Revised Statute 12-2-120 Unlawful Acts (6)(II)(B)).
• “The practitioner must adequately plan the work and must properly supervise any assistants” (AICPA,
AT101.42).
• “Attest services may only be rendered through firms holding permits from the state” they are performing
attest services. (Uniform Accountancy Act, Section 7).
• Does the specialist have the required skills to understand the service or system and do they have the
required independence to complete the required work?
• Is enough evidence available to the auditor to determine whether the specialist has the necessary
proficiency to understand the nature of the specialist’s work along with the scope of their expertise, and
determine whether the objective of their work meets the needs of their expected role as a specialist?
• Will the auditor and the specialist be able to come to an agreement on the expected work (i.e. nature,
scope, and objectives) to be completed by the specialist, the roles and responsibilities that will be
required of the specialist, when and the extent of work expected by the specialist, and the duties and any
confidentiality requirements that are expected of the specialist.
Through consideration and documentation of the items listed above, an auditor can engage the use
of a specialist.
Summary
The overall goal of an attestation engagement is to provide users of the report or clients of subservice
organizations, in this case, with an opinion on the assertions made by management. As a result, report users
can place reliance on the information before deciding whether they want to put an agreement or contract in
place to use that system or service. Because reliance is placed on these reports to enter into or agreement
often times, it is important to understand who exactly can perform a SOC 1 and SOC 2 audit.
The main take-away from this post is this: if the report is not completed by a CPA firm, the report should
not be relied on.
https://linfordco.com