Which Businesses Can Benefit From SOC 2 Type 2 Audits?

A SOC 2 Type 2 report gives a service organization independent evidence, which it can share with the customers and partners that connect to its systems, that its controls over data are suitably designed and operating effectively. SOC 2 is an attestation report, not a certification.

Summary

  • A clean SOC 2 Type 2 report supports a business's ability to win and keep customers who entrust it with personal and nonpublic data.
  • A SOC 2 Type 2 report assures stakeholders that well-designed controls are in place and operating, which helps limit their exposure.

Effective June 15, 2011, service organizations whose information technology systems handle confidential, private and nonpublic data can demonstrate the adequacy of their controls to the user entities that connect to those systems by undergoing a Service Organization Controls (SOC) examination under the standards established by the American Institute of CPAs (AICPA). User entities and service organizations need to work together to identify and agree on the critical controls that fall within the scope of the examination. Companies that have not established information technology controls meeting the SOC guidelines risk a qualified or adverse opinion, or a report listing control exceptions, in a SOC 2 examination. This can result in lost business, because the companies with which they connect IT systems will want assurance that the systems design and controls are sufficient to support an unqualified SOC 2 Type 2 opinion.

User entities that establish proper systems design and controls for a SOC 2 Type 2 examination will also need their third-party service organizations to have obtained their own reports, so that the controls on which the user entity relies are covered end to end. User entities can then state that their system has the controls needed to provide adequate protection.

To provide a professional solution for these new standards, the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible. IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and help determining whether you need a SOC 1 or a SOC 2 audit to assure clients of your compliance with the new standards.




What are SOC 2 Type 2 Reports?

SOC 2 audits examine whether a service organization's information technology system controls are suitably designed and operating effectively.

Summary

  • SOC 2 Type 2 audits assess management's assertion that the description of the system is fairly presented and that the controls are suitably designed and operating effectively.
  • SOC 2 Type 2 tests are performed throughout a review period rather than as of a single date.
  • The evidence gathered supports the auditor's opinion (unqualified where no material exceptions are found) on the design and operating effectiveness of the controls.

SOC is an acronym for Service Organization Controls, the name the American Institute of Certified Public Accountants (AICPA) gave to a set of standards and guidelines for auditing information technology (IT) systems that collect and process private and nonpublic data. Two of the engagements, SOC 2 and SOC 3, are conducted in accordance with AT Section 101 and rely on the recently released AICPA guide titled ‘’Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality or Privacy’’. These audits include tests of the information systems and controls, along with other procedures necessary to enable the auditor to express an unqualified opinion that the information technology systems and controls described in the management assertion conform, in all material respects, with the criteria established under the following principles:

  1. Security: The system is protected against unauthorized access (both physical and logical).
  2. Availability: The system is available for operation and use as committed or agreed.
  3. Processing integrity: System processing is complete, accurate, timely, and authorized.
  4. Confidentiality: Information designated as confidential is protected as committed or agreed.
  5. Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP).

In a SOC 2 Type 1 report the auditor issues an opinion on the fairness of management's description of the system and on the suitability of the design of the identified controls as of a specific date; operating effectiveness is not tested in a Type 1 report.

A SOC 2 Type 2 report covers everything in a Type 1 report and adds tests of the operating effectiveness of the controls throughout a specified period (for example, June 15, 2011 to December 31, 2011). When the privacy principle is in scope, it also addresses the entity's privacy notice. SOC 2 reports are restricted-use reports, issued to identified users who are knowledgeable about the systems and controls examined; they are not for general public use.

The SOC 3 report does not include the detailed system description, control listing and test results found in a SOC 2 report. It is a general-use summary, covering the same principles, that is intended for public distribution.

Who Needs SOC 2 Type 2 reports?

Service organizations whose IT systems hold or process private and nonpublic data on behalf of other businesses are asked by those businesses to demonstrate, through an independent audit, that they have adequate controls to protect that data.

Summary

  • A SOC 2 Type 2 audit report is issued by a CPA (often one holding the CITP credential) and covers the suitability of the design and the operating effectiveness of controls over data at a service organization.
  • A SOC 2 Type 2 audit report examines controls over the security, availability, processing integrity, confidentiality and privacy of data.

SOC 2 is one of three sets of guidelines and standards introduced by the American Institute of Certified Public Accountants (AICPA). AICPA has named the guidelines Service Organization Controls (SOC), with subcategories SOC 1, SOC 2, and SOC 3. The SOC 2 engagement is performed in accordance with AT Section 101 and follows the AICPA guide ‘’Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality or Privacy’’.

A SOC 2 Type 2 report is an attestation report issued by a CPA (or CPA.CITP) stating an opinion on the assertion made by the management of a service organization, or of a related entity processing personal and nonpublic data, regarding the suitability of the design and the operating effectiveness of its controls. The report is written after the auditor tests the service organization's information technology system, controls and operating procedures against the criteria for security, availability, processing integrity, confidentiality and privacy that are within the scope of the engagement.

Integrated Accounting Services (IAS) provides SOC2 Type 2.com as a public service to those seeking an explanation of the SOC standards that must be met by service organizations and their users.
