Amid the always evolving landscape of cybersecurity risks and technological threats, organizations are constantly faced with various pressing concerns. Is our clients’ data secure? Is the data maintaining its integrity throughout the transactional process? Will the data be readily available in situations of potential downtime? These questions, amongst many others, can be addressed by undergoing a System and Organizational Controls (SOC) 2® examination.
A SOC 2 report evaluates the design and operating effectiveness of internal controls of a service organization and is focused on the systems that capture, store, transmit or process customer data. The primary focus of the SOC 2 relates to data security, which is one of five trust services categories established by the American Institute of Certified Public Accountants (AICPA). Additional categories can be included within the SOC 2 report. These additional categories include availability, processing integrity, confidentiality and privacy.
Security – information and systems are protected against unauthorized access
Availability – information and systems are available for operations to meet the service organization’s objectives
Processing Integrity – system processing is complete, valid, accurate, timely and authorized to meet the service organization’s objectives
Confidentiality – information designated as confidential is protected to meet the service organization’s objectives
Privacy – personal information is collected, used, retained, disclosed and disposed of to meet the service organization’s objectives
The security, availability, and processing integrity categories are related to the system, and the confidentiality and privacy categories are related to the information processed by the system.
The SOC 2 report is utilized to inform external stakeholders, which often includes compliance officers, CIOs/CISOs, vendor risk management professionals, potential business partners, and other executives who oversee governance functions. Information that can be obtained via the SOC 2 report includes the systems, processes and internal controls at a service organization that are critical to meeting the organization’s service commitments and system requirements.
While SOC 2 has traditionally focused on technical aspects of data security, the 2018 Trust Service Criteria (TSC) updates now also allow organizations to demonstrate their commitment to integrity and ethical values, as well as governance and oversight, by aligning the TSCs with the 17 principles of the COSO framework. Organizations can now not only add insight into the technological procedures and controls within their organization, but they can also demonstrate the efforts being taken organization-wide to address data security risks.
For more information on this topic, contact our team or tell us about your SOC reporting needs.