Your organization has decided to obtain a SOC 2 report. What’s next?
You have a scoping call with a licensed CPA firm that advises you the report needs to cover all of the Trust Services Categories (TSCs). Depending on the path outlined for earning the SOC 2 report, your organization is now faced with the cost of achieving it, which can be more than $75K.
Did your organization obtain the appropriate advice regarding which TSCs are truly applicable to your system? You are left with some lingering doubt and wonder: which Trust Services Categories should you choose?
At Audit Peak, we want your business to succeed as if it were our own. We want to demystify the TSCs and provide straightforward guidance, along with questions that a service organization and a service auditor can ask to determine which TSCs are applicable to a service organization’s system.
We provided an overview of SOC 2 reporting in our blog article, “What is a SOC 2 Report,” where we explained the differences between a Type 1 and a Type 2 report, provided guidance on which report type may be right for an organization, and addressed the question of why SOC 2 reports matter. We also indicated that SOC 2 is focused on five (5) Trust Services Categories: Security, Confidentiality, Availability, Processing Integrity, and Privacy.
Asking the right questions – Which TSCs may be right for your organization
Privacy is one of the TSCs that is often incorrectly included in SOC 2 reports. We have seen SOC 2 reports that included TSCs which were not applicable to the service organization, for various reasons:
- The service organization was not knowledgeable about the TSC and did not receive appropriate guidance
- Customers and/or stakeholders requested the service organization obtain a SOC 2 report covering specific TSCs that were not applicable to the service organization
- Upselling was involved and the service auditor convinced the service organization to have their system assessed against specific TSCs that were not applicable to the service organization
How can this be avoided? Let’s jump right into the questions that will help a service organization determine the right TSCs:
Security – The system is protected against unauthorized access.
- A SOC 2 report must, at a minimum, cover the Security category (also known as the Common Criteria)
Availability – The system is available for operation and use as committed or agreed upon.
- Is the availability of your system critical or key to your customers’ operations?
- How do customers access your services? Do they access your services via a web application or via a local installation on the customer’s system?
- Does your organization have service level agreements (SLAs) in place with your customers?
- Would a loss of system availability result in a loss of productivity, lost opportunities, brand damage, data loss, and SLA pay-outs?
Confidentiality – Information designated as confidential is protected as committed or agreed upon.
- Do your organization’s customer contracts include provisions around the safeguarding and protection of customer data?
- Does your organization have confidentiality agreements or non-disclosure agreements in place with your customers and employees?
- Are you required to notify your customers if their data is accessed by an unauthorized party or if there is a data breach?
Processing Integrity – System processing is complete, accurate, timely and authorized.
- Does your system process data on behalf of your customers?
- Does your system produce reports that are critical to your customers’ operations?
- Do you have agreements in place with your clients that mandate any processing integrity requirements?
Privacy – Personal information is collected, used, retained, disclosed and/or destroyed in accordance with established standards.
- Does your system host Personally Identifiable Information (PII)?
- Does your system interact directly with data subjects?
- While confidentiality focuses on the protection of information, privacy focuses on the interaction with data subjects.
Part of Audit Peak’s mission is to demystify the SOC 2 reporting process, provide transparency, and empower service organizations to understand what a SOC 2 report entails, understand why and where they are spending their money, and identify whether they are being encouraged to purchase additional services they do not need.