How to interpret the System and Organization Controls (SOC 2) report

Have you ever been in a situation that requires reading and interpreting a SOC 2 report? A SOC 2 report reveals quite a lot of information about security controls including people, processes and technology implemented in the service organization.

Some basic terminology to start with:

  • What is a security control? Let’s start with the anti-malware installed on your device. Anti-malware is a technical security control. Similarly, background screening is a people control. Change management policy is a process control, which requires approval before any change is implemented.
  • What are the 5 trust principles? Security, availability, processing integrity, confidentiality and privacy. A service organization has to choose those that apply. Among the five, security, the common criterion, is mandatory. The other four are driven by risk or applicability based on the scope of services.
  • How many controls are there in SOC 2? SOC 2 has controls and points of focus, totalling up to 299. The points of focus are guidance references for designing an organization’s controls.
  • What is a service organization? The service organization is the organization that gets attested and has to demonstrate implementation of the controls as per the applicable Trust Services Criteria (TSC).
  • What is a user organization? The user entity is the customer of the service organization, who uses the report to make a ‘go/no-go’ decision on the service organization.
  • What is a sub-service organization? An organization that the service provider engages to perform a set of controls on its behalf, such as a screening provider.
  • What are complementary user entity controls? A set of controls that the customer needs to apply. In the cloud, security is a shared responsibility, and this section plays a significant role.
  • Who issues a SOC 2 report? SOC 2 reports are issued by CPA firms that are members of AICPA.

SOC 2 reports reveal important information about a service organization’s control environment that is relevant for users of the organization’s services. Specifically, the report outlines the scope of trust principles included in the independent audit and the auditor’s opinion on the achievement of the related criteria, based on the design and operating effectiveness of the required controls. The SOC 2 report is divided mainly into four key sections:

1. Management's Description of the System: This section gives an overview of the system and its environment. It includes information about the provided services, system components, boundaries, and control environment. If you are a customer of the service, review this section to determine whether the services that the service provider delivers to your organization are covered here.

2. Management's Assertion: In this section, the management of the service organization makes assertions about the system’s adherence to the Trust Services Criteria (TSC). Management asserts that the controls are suitably designed and operating effectively to meet the relevant criteria. Check this section to ensure the applicable TSCs are adequately covered. For example, if your service level agreement (SLA) with the service provider is strict (such as 99.99), ensure the ‘availability’ TSC is covered in this section.
Also, look carefully for sub-service organizations of the service provider and whether the SOC 2 report excluded the sub-service provider(s) (carve-out) or included the sub-service provider(s).

3. Service Auditor's Report: This section includes the opinion of the independent auditor who conducted the SOC 2 examination. Coverage includes the following sub-sections:

  • Service auditor opinion: The auditor provides an opinion on whether the system's controls were suitably designed and operating effectively based on the TSC during the review period. It’s important to examine the opinion to check whether it is a clean audit opinion (no material deficiencies in the design or operating effectiveness of controls) or a qualified opinion (meaning either control design or operating effectiveness is impaired).
  • Complementary user entity controls (CUEC), which list the user organization (i.e. customer) side of applicable controls.
  • Complementary sub-service organization controls. As a reader, you need to verify that a critical control requirement is not outsourced to another entity. If it is, check whether the report covers testing of those controls.

4. Detailed Description of Controls and Tests: This section provides detailed information about the specific controls in place, the tests performed by the auditor to evaluate those controls, and the results of those tests. It includes any identified control deficiencies. Look for the tests that conclude with either exceptions or deviations. As a user organization, you must consider them, as they may pose risks to your entity.

5. Other section provided by the Service Organization: This section is filled in when there is a deviation or exception in the report. It provides the service organization's remediation plan for the exceptions recorded in section 4. As a reader, you can evaluate whether the remediation plan is adequate to gain confidence about the service provider’s role.

These sections together provide a comprehensive view of the service organization's control environment and the effectiveness of those controls in meeting the TSC for the in-scope principles among security, availability, processing integrity, privacy and confidentiality.

Hope the article was of help in navigating through a SOC 2 report and interpreting the content and findings.