It's Tuesday, and it's time for our first TPRM Tuesday posting! As all of us know, SOC reports are a primary source of content when performing due diligence analysis. This will be the first in a series on SOC audits: requirements, concepts, and terminology. I know most of you are already aware of SOC audit requirements at a high level; we will dive a bit deeper to provide more information and context.
What makes a SOC 2 unique compared to the other security frameworks (ISO27k, HITRUST, FedRAMP, PCI, HIPAA, CMMC, etc.)?
👩💼 It is an attestation engagement that must be performed by a CPA firm.
✔ It will not result in a “certification”. CPAs render an opinion on whether the SOC 2 criteria are met.
👩⚖️ Controls are not prescribed in the standards. Organizations can use their judgment and implement controls that make sense for them.
🗓 Type 2 reports cover a specific period of time, whereas a Type 1 report is point-in-time.
🧪 Type 2 reports document the tests performed by the auditor and the test results for every control.
✅ For certain controls, auditors will request a population and select samples. The auditor will want validation that the population is complete and accurate prior to selecting samples.
📄 Organizations are required to complete a system description that is included in the final report. The description documents the infrastructure, software, people, processes, data, and controls scoped in the SOC audit.
🏭 It is not specific to any industry, vertical or type of data.
📆 Since it's not a "certification" and covers a specific period, reports do not "expire". Customers do, however, expect an updated report on an annual basis.
📑 Reports can cover the design (type 1) and/or operating effectiveness (type 2) of controls.
We are glad to bring you these postings. Please let us know if you have questions and how we can help you continue to have an effective and efficient third party risk management program.