Question - SOC 2/3

Hello Everyone,

Is anyone here dealing with SOC 2/3 reports? Personally we dont (we do SOX and others). Just wanted to confirm that there is not a “static” or “common” set of requirements for SOC2 reports and they are rather “custom” for each organisation.

Regards!

Hi,

SOC 1, 2 and 3 defines the scope of and how “verbose” the report is. It isn’t related to requirements. Here’s a quick summary of the differences:

http://resource.onlinetech.com/soc-1-soc-2-soc-3-report-comparison/

Thanks

“While the SOC 1 report is mainly concerned with examining controls over financial reporting, the SOC 2 and SOC 3 reports focus more on the pre-defined, standardized benchmarks for controls related to security, processing integrity, confidentiality, or privacy of the data center’s system and information”

Both reports focus on at least one of the five Trust Services Principles related to Security, Availability, Processing Integrity, Confidentiality and/or Privacy. Reports may cover one or more of the Trust Services Principles, as specified by management. Source: https://www.linkedin.com/pulse/overview-soc-2-reports-trust-services-principles-criteria-mark-hurst

My question - what the hell are “Trust Services Principles” … ?

The five Trust Services Principles are:

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

So if i get it well, we need to purchase:
https://www.aicpastore.com/AuditAttest/TopicSpecificGuidance/trust-services-principles-and-criteria/PRDOVR~PC-TSPC13/PC-TSPC13.jsp

Then look at it and see how we can build a list of controls (Compliance Package) for that.

Seems accurate. But with what you wrote (you already do SOX and others), I assume two things:

1 - you have money
2 - you already perform external audit (with one of the Big 4 or smaller player)

If it’s the case, I would strongly suggest you work with your audit firm to be 100% sure your controls are aligned with the principles. You don’t want to be caught with your pants down and end up with exceptions or to many observations on your official report.

Most organizations don’t do all five trust principles. Only do those that are relevant to your organization, but it is typical to do confidentiality, security and availability. I’ve built a compliance package for those three of the trust service principles, which imports fine. Unfortunately, I can’t upload it here as they don’t allow CSV files. If you email me directly wwilliams@lattice-engines.com I’ll email it to you.

William - can you send it over to support@eramba.org ?

I’ll make it public if that is all right with you. I spoke with our Deloitte auditors, nice folks, but i always have the feeling they are trying to sell me stuff (expensive stuff) so i dont want to do things unless i have to.

I thought this controls (from each principle) were “custom” for each organisation - obviously not then?

Its now public on our pre-compiled packages - thanks Walt !

A bit of a summary as i always forget this terminology:

User Organisation: who uses the service
Service Provider: who delivers the service (typically who wants a SOC report type 3 to show around)
Service Auditor: who audits the service provider and writes the report

https://s3-eu-west-1.amazonaws.com/tmperamba/Trust+Services+Criteria.pdf

Sorry to bump an older thread, but I can probably give a good bit of insight as my company both performs SOC 1/2/3 audits as well as assists companies in preparing to go through the audit process.

For the SOC 1, there’s not a standard set of controls as the control objectives are tailored based upon the business and how it impacts a company’s financial statements. Typically these controls are much aligned with SOX - you’ll have general IT controls and transaction processing related controls (typically IT Dependent Manual and Automated). The contents of this report have not changed much since its direct predecessor, the SAS 70. The report is also very similar to the ISAE 3402 (main difference being a few lines in the opinion).

For the SOC 2, as mentioned earlier in this thread, organizations can pick which Principles best apply to them (Security being more or less required). This will depend upon the organization’s commitments to its customers and what their customers what assurance over. Over the years, there have been a few revisions to the SOC 2 standard. The compliance package is based upon the 2016 Trust Services Principles (TSPs), but the PDF linked above is for the 2017 Trust Services Criteria (TSCs - renamed from principles due to its alignment with COSO). SOC 2 reports may be issued against the 2016 TSPs through December 15 of this year - beyond that, the 2017 TSCs must be used (and can be used right now).

With respect to how to operationalize a compliance package for this, it gets a bit tricky. When you look at the report, it will state each Criteria in one column and the specified controls that address that criteria next to it. In the auditor’s work papers, there’s an additional column in the middle for risks that the criteria may not be accomplished (which is what the control is supposed to address). In many cases, these risks and controls are fairly common from client to client, but there can and will be differences depending on the organization.

The other fun part that’s more apparent in the 2017 TSCs is that not all of the criteria will be applicable and may be removed. The ones permissible to remove are noted in regular font within the PDF (if I’m remembering right) while the ones you’d best not remove without a good reason are italicized. Thus, not all criteria will apply to all companies.

For the SOC 3, this is the same audit as a SOC 2, it’s just an abridged report (contains the auditor’s opinion, management’s assertion of controls and a couple page system description - versus a full listing of criteria and controls in the SOC 2).

Hi David,

Its so nice to get some enlightenment from someone that obviously knows the stuff upside down! nicely put thanks for the input!