Services
System and Organisation Control (SOC) 2 Audits and Reporting
CONTINUE READING
Services
What is a System and Organisation
Control (SOC) 2 audit?
A System and Organisation Control (SOC) 2 audit report provides detailed information and assurance about a service organisation’s security, availability, processing integrity, confidentiality and/or privacy controls, based on their compliance with the AICPA’s (American Institute of Certified Public Accountants) Trust Services Criteria (TSC). SOC 2 audits are essential in regulatory oversight, vendor management programmes, internal governance and risk management.
SOC2 REPORTING
What is the AICPA TSC?

The Trust Services Criteria (TSC) is an industry-recognised, third-party assurance standard for auditing service organisations such as cloud service providers (CSPs), software providers and developers, web marketing companies and financial services organisations.

The Trust Services Criteria are divided into five trust services categories. They are aligned with the 17 principles in the 2013 COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework.

In addition to the 17 COSO principles, the TSC contain criteria that supplement COSO principle 12 (“The entity deploys control activities through policies that establish what is expected and procedures that put policies into action”).

These are divided into four categories:
  • 1. Logical and physical access controls
  • 2. System operations
  • 3. Change management
  • 4. Risk mitigation
Trust Services Categories

01.

SECURITY

03.

INNOVATION

05.

SUCCESS

02.

AVAILABILITY

04.

MANAGEMENT

01.

SECURITY

02.

AVAILABILITY

03.

INNOVATION

04.

MANAGEMENT

05.

SUCCESS

SOC2 REPORTING

What does a SOC 2 audit report contain?

A System and Organisation Control (SOC) 2 report is designed to assure service organisations’ clients, management and user entities about the suitability and effectiveness of the service organisation’s controls relevant to security, availability, processing integrity, confidentiality and privacy. The report is generally restricted use for existing or prospective clients.

There are two types of SOC audits and reports:

  • Type 1 – is an audit and report carried out on a specified date.
  • Type 2 – is an audit and report carried out over a specified period, usually a minimum of six months.

There are two types of SOC audits and reports:

  • An opinion letter.
  • Management assertion.
  • A detailed description of the system or service.
  • Details of the selected trust services categories.
  • Tests of controls and the results of testing.
  • Optional additional information.

The audit report will also specify whether the service organisation complies with the AICPA TSC.

SOC2 REPORTING
Who can complete a SOC audit?

A SOC audit can only be performed by an independent Certified Public Accountant (CPA) or accountancy organisation. CPA organisations may employ non-CPA professionals with relevant information security and technology skills to participate in preparing for a SOC audit. However, the final audit report must be provided and issued by a CPA. A successful SOC audit carried out by a CPA permits the service organisation to use the AICPA logo on its website.

SOC auditors are regulated by, and must adhere to the specific professional standards established by, the AICPA. They are also required to follow specific guidance related to planning, executing and supervising audit procedures. AICPA members are also required to undergo a peer review to ensure their audits are conducted in accordance with accepted auditing standards.

Who are SOC 2 audits designed for?

SOC 2 audits are targeted at organisations that provide services and systems to client organisations (for example, Cloud computing, Software as a Service, Platform as a Service).

A SOC 2 audit is often a prerequisite for service organisations to partner with or provide services to tier-one organisations in the supply chain. The client company may ask the service organisation to provide an assurance audit report, particularly if confidential or private data is being entrusted to the service organisation.

If your organisation provides technology infrastructure services, such as cloud computing services, then a SOC 2 audit report will be beneficial in establishing trust with clients and stakeholders.

Other benefits

The Trust Services Criteria (TSC) is also closely aligned with the following standards and frameworks:
  • ISO 27001 and (Information Security Management )
  • GDPR (The General Data Protection Regulation)
  • The PCI DSS (Payment Card Industry Data Security Standard)
  • COBIT 5 (Common Objectives for Information and Related Technologies)
  • HIPAA (the US Health Insurance Portability and Accountability Act) security standards
  • NIST SP 800-53 (Security and Privacy Controls) and SP 800-66 (Implementing the HIPAA Security Rule)
SOC2 REPORTING

Our SOC 2 Audit Readiness Assessment and Remediation Service

1. Readiness assessment

We assess your state of SOC 2 preparedness by evaluating the type of service your organisation offers, the trust services categories applicable to the service(s) you provide and the security controls relevant to the delivery of those services. We will examine and analyse your processes and procedures, system setting configuration files, screenshots, signed memos, and organisational structure.

2. Remediation

Once any deficiencies have been identified, XpertDPO can help you remediate them. We can help with audit scoping, compiling the system or service description, risk assessment, control selection, defining control effectiveness measurements and metrics , or integrating your SOC 2 requirements into your ISO 27001 compliant ISMS (information security management system).

3. Testing and reporting

XpertDPO has partnered with a leading AICPA and PCAOB (Public Company Accounting Oversight Board) registered CPA audit organisation based in the US , which will perform the required testing and reporting. XpertDPO can assist with the full SOC audit process, from conducting a readiness assessment and advising on the necessary remediation measures through to testing and reporting. We facilitate the audit process and put the client in contact with our partners, which can deliver the audit at a fraction of the costs demanded by the Big Four accounting firms. The SOC audit process involves:

  • Reviewing the audit scope;
  • Developing a project plan;
  • Testing controls for design and/or operating effectiveness;
  • Documenting the results;
  • Delivering and communicating the client report.
Ready to start your
Data Protection journey with us?
Contact US
what we can do
Our Experience

XpertDPO is a data security, governance, risk and compliance, GDPR and ISO consultancy that offers practical, tailor-made solutions.

XpertDPO is a data security, governance, risk and compliance, GDPR and ISO consultancy that offers practical, tailor-made solutions.

We are one of the leading providers of Outsourced Data Protection Officer services in Ireland and the UK. We also specialise in offering Nominated European Representative Services to non EU based organisations.

  • Certified Data Protection Officer
  • Certified Information Security Manager (ISACA)
  • Certified Information Systems Auditor (ISACA)
  • Certified in Risk and Information Systems Control (ISACA)
  • Certified Cloud Security Professional (ISC2)
  • Certificate of Cloud Security Knowledge
  • Cyber Essentials
"XpertDPO has worked closely with FIT on matters relating to our responsibilities as Data Processors and, more broadly, on our practical processes for managing client data with due regard for the GDPR regulation. In this respect, XpertDPO’s team has been proactive in sharing knowledge and best practices, which have developed considerably FIT’s internal competence and the necessary ongoing development of staff.”
Andrew Finn, Director of Academic Affairs and Programme Development
Andrew Finn, Director of Academic Affairs and Programme DevelopmentFIT
"XpertDPO have been our European Representative following Brexit in 2020. The onboarding process was simple and the advice provided assists in meeting obligations under EU GDPR."
Emily Aldridge
Emily AldridgeLegal Counsel and Data Protection Officer, NEC Group
"By having XpertDPO act as our European Representative for Frontline Accounting, we are confident we are meeting the legal requirements of the GDPR. XpertDPO’s team are always on hand to answer any queries we may have and to help us respond to any Data Subject Access Requests from any client across the UK and the EU."
Mark D
Mark DFounder and CEO, Frontline Accounting
"XpertDPO are our first and only port of call when we need data protection expertise. We have worked closely with XpertDPO since 2018 and their support has been invaluable. They consistently provide us with the skills, knowledge and technical expertise to deliver excellence to our clients"
Jason Mclaughlin
Jason MclaughlinSales Manager | Ortus Cloud Solutions
"The advice, support, and relationship we have received from XpertDPO has been invaluable. They are exactly the resource we needed to help us scale our Security & Privacy program. Their expert knowledge on GDPR has enabled us to become more knowledgeable in a critically evolving space. With XpertDPO, you receive more than just a data protection service, but the opportunity to learn, feel supported, and bridge the gaps in your compliance journey. Confidently working with global clients has been almost effortless thanks to their expertise and the service they provide us. We could not be happier with our experience thus far and look forward to continuing working closely together.”
Alexis Ortiz, Information Security Analyst
Alexis Ortiz, Information Security AnalystMovespring
"I can highly recommend the services of Stuart and Aimee from the XpertDPO team. Stuart’s wealth of knowledge on all things data protection is second to none and both Stuart and Aimee have always been highly professional and efficient, as well as being friendly, helpful and supportive. All work has been carried out in a timely manner and both Stuart and Aimee have always taken the time to explain our GDPR obligations to us and to help us work through all of the paperwork and processes we need in place. We are delighted to have the services of XpertDPO as the Informed Minds App Data Protection Officer and we feel very safe and secure in the knowledge that we are meeting all of our GDPR obligations with the help of their team."
Paula Fletcher, Managing Director
Paula Fletcher, Managing DirectorInformed Minds App
“I first met Stuart and XpertDPO in 2018, and quickly realised that the level of expertise and depth of knowledge that he possessed was second to none, and I am delighted to say that XpertDPO and TalentPool has worked on many mutually profitable professional projects. The two companies developed Ireland’s first QQI certified Data protection course, which we have successfully delivered with the XpertDPO team into numerous organisations. Stuart and his team have also advised us on many issues around our Data Protection and the incisive advice and guidance he has given us is second to none.”
Cosmo Mellon, Managing Director
Cosmo Mellon, Managing DirectorTalentPool Ltd
“XpertDPO as per their name are truly the experts in GDPR regulations. Stuart is very knowledgeable & very thorough with his understanding of the subject. From my very initial association with them to my continued engagement, XpertDPO have always come across as very approachable. The support that Stuart gives our organisation is very valuable and practicable, especially in today’s post Brexit world. More importantly, I find that Stuart is always at the end of a call to help me out and address any urgent GDPR related queries. I highly recommend XpertDPO and Stuart to anyone who is seeking a very through but practical advice and solution if they are navigating the maze of GDPR regulations!” Stuart and his team have also advised us on many issues around our Data Protection and the incisive advice and guidance he has given us is second to none.”
Minesh Vaidya, Head of Regulatory Compliance
Minesh Vaidya, Head of Regulatory ComplianceNordic Pharma UK
Previous
Next
OUR EXPERIENCE

A Selection of Our Happy Clients

XpertDPO is a Data Protection and Compliance consultancy firm in Ireland UK, that offers practical, tailor-made solutions.

XpertDPO is a Data Protection and Compliance consultancy firm in Ireland UK, that offers practical, tailor-made solutions.