
SOC REPORTS: WHAT YOU NEED TO KNOW AS A SERVICE PROVIDER OR A CONSUMER OF THESE REPORTS

How did we all get HERE?
SOC Reports Matter in Today's Service-Oriented World

SaaS – PaaS – IaaS

• IaaS – Infrastructure as a Service (AWS, Rackspace)
• PaaS – Platform as a Service (Engine Yard, Heroku)
• SaaS – Software as a Service (SalesForce.com, Zendesk)

(Diagram: shared responsibility. Moving from IaaS to PaaS to SaaS, responsibility shifts from the customer toward the cloud provider.)
What is SOC Reporting?

• Not SOX!
• SOC – Service Organization Control reporting
• Attestation standards issued by the AICPA for service providers
• Replaced the old SAS 70 standard in 2011
• Three report versions:
  • SOC 1 (SSAE 16)
  • SOC 2
  • SOC 3

What is the Catalyst for doing a SOC Report?
SOC Reporting Participants

• Service Organization
• Service User / User Entity
• Service Auditor
• User Auditor
• Potential Customer
What is a SOC 1 Report?

• Reports on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
• Previously known as SAS 70 Reports
• Also known as SSAE 16


What is a SOC 2 Report?

Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.

SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT section 101, Attest Engagements (AICPA, Professional Standards).
SOC 2 Principles
A SOC 2 report is based upon the five Trust Services Principles below. A report may include any or all principles. Each principle contains criteria which must be met as part of the SOC 2 audit.

• Security – The system is protected against unauthorized access, use, or modification. 28 common criteria (required).
• Availability – The system is available for operation and use as committed or agreed. 3 additional criteria.
• Confidentiality – Information designated as confidential is protected as committed or agreed. 8 additional criteria.
• Processing Integrity – System processing is complete, valid, accurate, timely, and authorized. 6 additional criteria.
• Privacy – This principle addresses the system's collection, use, retention, disclosure, and disposal of PII in accordance with commitments and system requirements. 20 additional criteria.

The 28 common criteria (Security) are required in every SOC 2 report; each additional principle adds its own criteria on top of them.

Common Criteria Framework


SOC 2+ Report

SOC 2 reports may be extended and customized to also include other subject matter:
• HITRUST
• CSA CCM
• COBIT 5
• NIST 800-53
What is a SOC 3 Report?

• A SOC 3 report is a general use report that provides only the service auditor's report on whether the system achieved the trust services criteria (no description of tests and results, and no opinion on the description of the system).
• SOC 3 reports can be issued on one or multiple Trust Services Principles (security, availability, processing integrity, confidentiality or privacy).
SOC Reports
Type I vs. Type II

Type I Report
Report on the design of the controls at a point in time. Typically used by first-time issuers, at the conclusion of the readiness phase, and as a precursor to the Type II report.

Type II Report
Report on the design and operating effectiveness of the controls over a specific period of time (minimum of six months, maximum of twelve months). A Type II report is what business partners, enterprise customers, and their auditors expect, because the auditor's procedures are generally accepted in place of the due diligence and security assessment they would otherwise have had to perform themselves.
How to Prepare for a SOC Report
SOC Report Key Considerations

• Understand why your customers are requesting a SOC report
• Which SOC report is most appropriate for the service being provided:
  • Does my organization process transactions?
  • Do I have customers that are publicly traded?
  • Does my organization need to comply with HIPAA?
  • Does my organization want to provide some level of assurance to potential customers?
Project Steps

Readiness Assistance

1. Initial Consultation / Define Expectations
  • Gain an understanding of the business
  • Define roles and responsibilities, project plan, and timeline
2. Control & Process Advisory
  • Gain understanding of key processes and systems
  • Draft control objectives and document individual controls
3. Review Framework
  • Assist with management's descriptions of controls
  • Evaluate the suitability of control design
  • Prepare audit evidence request list
  • Control Walkthroughs
    • Perform and document control walkthroughs
    • Provide guidance on areas of potential deficiency and remediation
4. Remediation

Attestation Audit

5. On-site Testing Fieldwork
  • Perform one-time final control design evaluation as of a point in time (Type I)
  • Perform annual control testing of the sample over the period of review (Type II)
6. Reporting
  • Provide final opinion on control design (Type I) or operating effectiveness (Type II)
  • Issue final report
Project Timeline

(Timeline diagram, reconstructed from the slide:)
• Readiness / Gap Analysis: June 1 – July 1, 2016
• Remediation: July 1 – Aug. 31, 2016
• Type I Audit: as of Sept. 30, 2016
• Type II Audit Period: Oct. 1, 2016 – Sept. 30, 2017
• Type II Audit: Nov. 15, 2017

Scoping activities:
• Define scope of the service / system: key service organization activities
• Identify controls and control owners
• Identify sub-service providers
• Document the system description
How to Assess a SOC Report
Contents of a SOC Report
SOC 1 and SOC 2 reports include the following sections:

• Section I – Service Auditor's Report
• Section II – Management's Assertion
• Section III – System Description
• Section IV – Control Objectives / Criteria, Controls and Testing
• Section V – Other Information
Section I: Service Auditor’s Report

• Kind of report: SOC 1 / SOC 2 / SOC 3 (Trust Services Principles covered)
• Report type: Type I / Type II
• Auditor opinion: Unqualified / Qualified / Scope Limitation
• Subservice providers: Carve-out / Inclusive method
• Auditor credentials: Reputable CPA firm
Section II: Management’s Assertion

• The assertion should echo the opinion
• Note: Management's assertions do not vary much from service provider to service provider.
Section III: System Description

• Gain an understanding of the environment
• Ensure the description matches the service you receive
• Ensure the system boundaries are properly set (SOC 2)
• Assess the complementary user entity controls (CUECs), i.e. the controls the report assumes you, the user entity, have in place

Section IV: Controls

Section IV includes the control objectives (SOC 1) or the applicable trust services principle criteria (SOC 2), the controls, the tests of controls, and the results.

• Control Objectives (SOC 1 specific): Do they cover the areas for the service you receive, including the underlying IT general controls?
• TSP Criteria (SOC 2 specific): The criteria for these principles are static. Are the principles included appropriate for the service?
• Controls: Are there specific controls that should be included (e.g. restrictions on developers with access to production)?
• Testing / Results: What are the failures? How significant are they considering the service you receive?
Section V: Other Information

• Management responses to control exceptions
• Additional items (not audited):
  • Disaster recovery planning
  • Compliance efforts (HIPAA, PCI, GLBA, etc.)
Contact Us

www.theCadenceGroup.com
http://www.linkedin.com/company/the-cadence-group
801.349.1360
jeberhardt@thecadencegroup.com
kevin@thecadencegroup.com
gordy@thecadencegroup.com