System and Organisation Controls 2 (SOC 2) aims to protect the interests of the user entity while it receives services from the service organisation. This assurance is provided by the attestation of a Certified Public Accountant (CPA), who issues either a Type 1 or a Type 2 report. A Type 1 report attests to controls at a point in time, whereas a Type 2 report results from testing the controls over a period of time.
We have a well-defined 6-phase methodology to help an organisation achieve SOC 2 compliance.
SOC 2 is built on the following 5 principles; each is listed below with its objective.
- Common Criteria Security: The system is protected, both logically and physically, against unauthorised access.
- Availability: The system is available for operation and use as committed or agreed to.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information that is designated ‘confidential’ is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Public Accountants (CICA).
Each of these principles is broken down into more detailed risks and controls that need to be fulfilled.
We have a structured approach to determining the list of risks and controls that must be satisfied to achieve SOC 2 attestation. Our approach ensures that the service organisation has adequate ‘internal controls’ over the applicable security criteria, giving any Certified Public Accountant (CPA) the assurance needed to issue a SOC 2 report.
This phase involves determining the objectives of both the user entity and the service organisation.
This phase involves a gap analysis between the objectives listed above on one hand and the applicable SOC 2 risks and controls on the other. We provide solutions for all identified gaps.
This phase involves assigning responsibility for risks and controls to internal stakeholders. It also includes nominating key roles, such as a risk officer who will drive ongoing compliance.
This phase involves tracking the client's risks, documentation and self-compliance on a weekly basis until all internal controls are adequately implemented.
This phase involves showing the client the changes made in a given period by providing a change-specific compliance score between 0 and 100%. This gives the organisation evidence of a measurable framework for demonstrating internal controls.
An internal audit followed by a formal review of the program gives the organisation an independent perspective and prepares it for the final attestation.
At this stage the client has implemented the governance system in full. Generally, after operating it for one month the organisation can achieve SOC 2 Type 1 attestation, and after 6 months the client can achieve Type 2 attestation. This assumes that all risks are under control, which gives adequate assurance to the user entity.