Everything You Wanted to Know About SOC (and SOX) But Were Afraid to Ask
Things can get a bit hazy when learning all there is to know about the various compliance standards. Luckily, we’re here with a ton of great information about SOX compliance and the three different types of SOC audits and reports.
Things can get a bit hazy when learning all there is to know about the various compliance standards. Luckily, we’re here with a ton of great information about SOX compliance and the three different types of SOC audits and reports. Keep reading to protect your company’s security and compliance and maybe learn a few dinner party ice breakers along the way...IT security is always a crowd pleaser.
What is SOC? …and How Does it Differ from SOX?
Let’s start by talking about SOX compliance. A company that is SOX Compliant has implemented an effective system of controls over their financial reporting and sensitive information in accordance with the Sarbanes-Oxley Act of 2002. On the financial side of SOX compliance, companies must file a financial report at the end of each year, and this report must follow a number of requirements.
SOX financial report requirements include that an external audit was completed and that proof of internal controls exist. There are also a variety of requirements on the IT side of the Sarbanes-Oxley Act. Here are some of the SOX compliance IT requirements that all publicly-traded companies need to adhere to in order to be in compliance with SOX:
• IT teams must strictly log and monitor all account and user activity and information access.
• Access to and interactions with sensitive data must be able to be clearly audited.
• Audits must be done by external auditors to review all security-related controls, procedures, policies, and staff.
Publicly-traded companies who are found to be out of compliance with SOX could be fined millions of dollars and their leaders could be charged with up to 20 years in prison.
A company that is SOX Compliant has implemented an effective system of controls over their financial reporting and sensitive information in accordance with the Sarbanes-Oxley Act of 2002.
IT SOX Compliance, SOC 2 Type 2 Compliance = Compliance Party
SOC audits and reports, on the other hand, exist partly because of how important it is for companies to remain SOX compliant. Governed by the American Institute of Certified Public Accountants, SOC reports are voluntary, verifiable audit reports that help companies show that they are handling sensitive information and data in a consistent, reliable way. What does SOC stand for? This three-letter IT acronym stands for System and Organization Controls.
Typically, SOC reports are given by vendors to companies using their services in order to prove that they are handling financial and other sensitive data correctly. Ultimately, SOC reports help companies be sure that they are working with vendors who will not put their SOX compliance at risk due to inconsistent or ineffective financial and IT practices. With millions of dollars and decades of jail time on the line, you can see why SOC reports are so important.
SOC reports are voluntary, verifiable audit reports that help companies show that they are handling sensitive information and data in a consistent, reliable way.
The Different Types of SOC Audits
There are three different types of SOC compliance standards; SOC 1, SOC 2, and SOC 3. These different compliance standards are all regulated by the American Institute of Certified Public Accountants, but they have different goals.
SOC 1 Type 1 and SOC 1 Type 2:
A SOC type 1 audit and compliance report addresses the company’s financial reporting and the internal controls and checks and limits they have in place to ensure the reporting is correct. There are two different types of SOC 1 reports. SOC 1 Type 1 pertains to how the financial reporting is done at a specific point in time while SOC 1 Type 2 pertains to how the financial reporting is done over a longer duration of time.
The goal of a SOC 1 report is to help the user entity understand how a service organization’s controls are impacting or could impact their financial statements.
If you are with an organization who provides services that could impact your clients’ financial statements, such as a payroll provider or payment processing company, you will likely need to supply a SOC 1 report when working as a vendor with other companies.
SOC 2 Type 1 and SOC 2 Type 2:
So, what is a SOC 2 audit? SOC 2 stands for System and Organization Controls 2 and is the most popular and sought after SOC report. A SOC 2 report looks at specific parameters around IT services and how a company protects non-financial sensitive information. Similar to SOC 1, SOC 2 also has two different types. SOC 2 Type 1 audit confirms that IT and security control do exist within a company and SOC 2 Type 2 audit confirms that these in-place controls actually work to protect the data they are meant to protect.
The goal of a SOC 2 report is to help a service organization report on how they are using internal controls to protect sensitive data.
If you are with an organization that stores or transmits any type of customer data, such as a SaaS company or cloud storage service, you will likely need to supply a SOC 2 report when working as a vendor with other companies.
If you are going to receive a SOC type 2 audit, it could be useful to use a SOC 2 readiness assessment to help you prepare. A SOC 2 readiness assessment is basically a practice run for your formal SOC 2 audit. A SOC 2 readiness assessment can be completed by your internal team, a CPA firm or a consulting company, and it should include these three steps:
1. Review existing controls relevant to the SOC 2 audit and documentation of those controls.
2. Identify existing gaps in these controls and how future gaps could be avoided.
3. Create remediation plans for all existing gaps.
Since SOC 2 audits are the most sought-after type of SOC, we are going to dive deeper into them later in this article.
SOC 3 Type 2:
A SOC 3 audit and compliance report is similar to a SOC 2 Type 2 report, however, since it reports on how current IT and security controls are working, but it includes much less detail and technical language than a SOC 2 Type 2.
The goal of a SOC 3 report is often to use compliance as a tool for marketing to the general public, so it takes the information often found in a SOC 2 audit and tailors it for a general audience.
Like the goal of this report implies, if you are a company looking to share your SOC 2 report with the general public, such as consumer facing SaaS companies and cloud storage services, you will likely need a SOC 3 report to make it so they can actually understand what you are trying to share.
SOC 2 In Detail
SOC 2 reports use five SOC 2 controls called Trust Service Principles to define how customer data should be managed. These Trust Service Principles are as follows:
• Security: This SOC 2 Trust Service Principle refers to how the system’s resources are protected against unauthorized access. Examples of how security is managed in relation to SOC 2 could include intrusion detection and network firewalls. Both of these SOC 2 security tools are useful in preventing unauthorized access to sensitive systems and data.
• Availability: This SOC 2 Trust Service Principle refers to whether or not information and systems are available for use to meet the company’s goals. Examples of how availability is managed in relation to SOC 2 could include performance monitoring and disaster recovery plans.
• Processing Integrity: This SOC 2 Trust Service Principle refers to whether or not a system does what it is supposed to do. Examples of how processing integrity is managed in relation to SOC 2 could include quality assurance and processing monitoring. Both of these techniques help the organization be sure that they are delivering the right data at the right time to the right place for the right price.
• Confidentiality: This SOC 2 Trust Service Principle refers to the protection of all confidential data. In this case, confidential data is data that should only be accessible to a specific group or groups and is not public. Examples of how confidentiality is managed in relation to SOC 2 could include access controls and data encryption. Both of these management techniques help companies be sure that sensitive data remains confidential and is only available to the correct people or groups.
• Privacy: This SOC 2 Trust Service Principle refers to how companies and organizations collect, use, retain, disclose, and dispose of personal information. Examples of how privacy is managed in relation to SOC 2 reports could include data encryption and two-factor authentication. These management techniques help companies keep sensitive data such as social security numbers and address information private.
During a SOC 2 audit, these SOC 2 principles are applied to five system components. These include:
• Infrastructure: Including everything from physical items like desktop computers and other hardware to telecommunication networks.
• Software: Including all types of software programs such as operating systems and other applications.
• People: Including anyone involved in the use of a system such as developers, managers, and vendors.
• Procedures: Including both manual and automated procedures.
• Data: Including everything from databases to transaction streams.
Requesting a SOC 2 Report
If you are concerned with how a vendor handles their security, availability, processing integrity, confidentiality, or privacy, you need to request an independently audited SOC 2 report from them. SOC 2 reports are unique to the needs of the organization they are being prepared for, meaning the organization is able to choose which Trust Service Principles are important to them when requesting this report from their vendors. Organizations should be sure to request a SOC 2 report from all critical vendors handling sensitive information or data. It’s best practice to request this report during initial vendor selection and contracting to be sure IT and security controls are in place and functioning as intended before getting too far into a contract.
The Link Between SOC 2, Security, and Compliance
While SOC 2 reports are not required, it controls for SOX compliance, making them extremely important for many organizations. SOC 2 reports help organizations maintain oversight of their IT systems and processes and vendors. SOC 2 compliance can also help prevent major IT risks. When it comes to SOC 2 cybersecurity, it’s obvious that complying with SOC 2 guidelines helps organizations defend against cyber attacks by ensuring that there are data safeguards in place that actually work.
One way to get a jump start on this is to conduct regular access reviews. Verifying that only authorized users have access to certain programs can go a long way in ensuring your company is secure and compliant. Access reviews relate directly to an organization’s identity audit as user accounts are analyzed.
An independently audited SOC 2 report goes a long way towards proving compliance with SOX regulations thanks to its strict review of how an organization handles sensitive information and other data. If your company is required to maintain SOX compliance, it’s important that you ensure that each of your vendors provide a SOC 2 report.
Another benefit of SOC 2 compliance is that it gives the complying organization a competitive edge. In today’s digital world, everyone prefers to work with companies who protect data and sensitive information, and having a SOC 2 audit or report done helps prove that the company’s data and sensitive information is being managed in a safe way.
SOC 2 and Your Company
We’re here to help you understand the best ways to protect your company’s sensitive information. Typically, preparing for a compliance audit takes hours and involves long, tedious spreadsheets. At Lumos, we help your company prepare for compliance audits by making it easy to manage vendor security risks, grant and log account access requests, and make least privilege part of your everyday workflow.