SOC 2: Build Trust and Confidence

©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
SOC 2:
Build Trust & Confidence
Overview & Considerations

01. Background / Overview of SOC 2
02. The AICPA Framework
03. Purpose and Scope
04. The Anatomy
05. Considerations
06. Mapping – Other Standards
06. Q/A
Contents

Background
& Overview
01

Growth &
Popularity

Service
Auditors

©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Service
Providers

©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
User Entities

Why Do You Need a SOC Report?
Regulatory requirements

User entity mandates

Vendor management programs

Due diligence

Due diligence
Independent 3rd party opinion

Due diligence
Independent 3rd party opinion
Competition and market

Overview
• What is a SOC 2 report?
• How does a SOC 2 differ from a SOC 1 report
• SOC 2 versus SOC 3

Overview of the
AICPA Framework
02

AICPA SOC Framework
Applicable SOC-1 SOC-2 SOC-3
Standard/Guidance
SSAE 16:
AICPA Guide (2013)
AT 101:
AICPA Guide (2013)
AT 101:
Technical Practice Aid
(2014)
Scope ICFR Security/Systems, Privacy Security/Systems, Privacy
Criteria Control Objectives
Trust Services
Principles/GAPP
Trust Services
Principles/GAPP
Usage of report
User auditor, user entity,
management of SO
Knowledgeable parties Anyone

Purpose
& Scope
03

Purpose
• What SOC 2 does cover?
• What SOC 2 does cover?

• System
• Boundaries
• Commitments
• System Requirements
Scope

Principles
• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

Common Criteria (Security):
1: Organization & Mgmt
2: Communications
3: Risk Mgmt & Controls
4: Monitoring of Controls
5: Logical and Physical Access
6: System Operations
7: Change Management
Principles

Principles
Availability Common Criteria: +3
Processing Integrity Common Criteria: +6
Confidentiality Common Criteria: +6
Privacy Common Criteria: +74

• Type 1
• Type 2
Report Type

The
Anatomy
04

Service Auditor’s Report – “The Opinion”
Management’s Assertion
Description of the System
Tests of Controls and Corresponding Results
Additional Information – Provided by Service Organization
Report Structure

Unqualified vs. Qualified
Service Auditor’s Report

• Commitment - suitability and accuracy
• Subservice organizations
Management’s Assertion

• Management’s objective description of the
services provided to user entities
• Components of a System Description
System Description

• Test procedures
• Results
• Deviations / Exceptions
Test of Controls / Results

Intended Use
• Management of service organization
• User entities of the services
• Other knowledgeable parties

Considerations
05

Relevance To The User
• RFP requirements
• Customer mandates
• Regulatory needs
• Vendor management process

Understanding Reporting
• SOC 1 vs. SOC 2
• AT 101
• AT 601
• Agreed Upon Procedures
• Readiness Assessment
• PCI

Education & Preparedness
• Contracts, RFP, SLA
• AICPA website
• Training and awareness
• Executive communication
• Discussion with service auditor

Control Environment
• Start-up
• Developing systems
• No customers yet
• Lack of documentation /evidence
• No monitoring of controls

Carve-out Vs Inclusive
• Subservice organization
• Carve-out method emphasis
• Inclusive method requirements

Perform a risk assessment
Risk Assessment & Scope

• Internally
• Service auditors
Readiness Assessment

• Policies / Procedures
• Segregation of duties
• Monitoring
Remediation

• Licensed CPA firm
• Independent
• Single vendor approach
• Audit team
Audit Firm Selection

Mapping to Other
Standards
06

• SOC 1
• ISO 27001
• HIPAA
• HITRUST
• PCI
Other Standards

View the WebinarView the Webinar

SOC 2: Build Trust and Confidence

More Related Content

What's hot

Similar to SOC 2: Build Trust and Confidence

More from Schellman & Company

Recently uploaded

SOC 2: Build Trust and Confidence