Scoping a SOC2 audit
In decades gone by, for service companies, conducting a Service Organization Control (SOC) 2 audit was considered more of a rite of passage that separated the biggest players in the market from the “others” category.
“Wow, we have grown so prosperous that big and important clients now require that we do important things. We now need to perform a Type II SOC audit to prove our worth and mettle!”
However, things have changed tremendously. The modern cybersecurity environment has made SOC 2 auditing more a fact of life than an option for organizations:
“Whew, if our company can’t pass this SOC 2 audit to prove the formidability of our security controls to customers, I doubt anybody will want to consider us.”
This isn’t a walk in the park for SMEs. That is why getting the scope of your Type II SOC audit right is paramount. If you make the scope too narrow, clients may not be assured enough to hire you, forcing you to conduct more SOC 2 audits later to prove yourself further. Conversely, if the scope is too broad, you may unnecessarily waste precious funds in audit costs.
So, how do you balance things out? Further, what role do compliance and audit executives play in the entire process?
For service firms, SOC audits are a way to reassure clients that your security controls have what it takes. While a SOC 1 audit confirms the correct design of security controls, a SOC 2 audit verifies that they’re working.
But what role are they playing exactly?
Let’s look at Trust Services Principles (TSPs) that play the central role when defining the scope of your SOC 2 audit.
According to the AICPA, below are the five core principles a Type II SOC audit should take into account when seeking to establish assurance over a service firm’s security controls and financial reporting:
- Security: The system’s protection against illegal access.
- Availability: The system is available for use as committed/agreed.
- Processing integrity: System processing is authorized, timely, complete, & accurate.
- Confidentiality: Information defined as confidential is fully protected.
- Privacy: Collected personal information is utilized and disposed of as per GAPP.
However, some SOC 2 audits may omit one or two of the above principles according to the needs of a specific client. For instance, if you provide user entities a data storage plan in a data center with your client doing all the processing using their systems, then the Security and Availability principles must be part of your SOC 2 audit while Processing Integrity isn’t required. If you need to store the personal data of individuals, the Privacy principle comes in. But if you only have to keep product design plans, the Confidentiality principle becomes part of your scope while the Privacy one may necessarily not be.
Why the Five TSPs are Important
Once you’ve identified your relevant TSPs, the next step involves determining which systems, procedures, and policies support them and thus organize your internal controls accordingly. This means that Type II SOC audits that encompass many TSPs at once can incorporate into scope lots of your organization’s systems and controls.
As you define your scope, ask yourself: “If we can’t assure this principle to our client, could it adversely affect our relationship with them?” If yes, then such a principle will most likely fall into your SOC 2 audit scope.
You also need to work with top executives to fully understand your company’s products, services, target customers, and even future strategy. The answers you derive here will help define what TSPs your firm needs to offer to clients and thus the scope of your audit. As compliance and audit executives, you need to get this kind of information from your organization’s senior management to handle clients satisfactorily.
Further than this, scoping queries get more granular and client-specific. For example, you may find it better to begin by performing a SOC 1 audit before moving on to the more comprehensive and intrusive SOC 2 audit. Start with “easier” principles like Availability then go into more complex ones such as Processing Integrity.
Most Type II audit advisory firms today will be more than glad to conduct readiness assessments before an actual audit.
The most fundamental questions are: Are we clear on what we offer as a firm? And, what role do our systems need to play concerning security and integrity to uphold our end of client partnership?
In today’s highly competitive market, if you’re to secure any customers at all, then you’d better provide satisfactory answers to these questions.
Editor’s Note: Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.
- Audit requirements – Private US companies
- Risk management plan – What it is for?
- Internal audit effectiveness data analytics strategy
- Prioritizing risk in project management
- Using technology like machine learning to better manage compliance