Highlights of the August 2024 edition of the HBK Risk Advisory Services webinar series, hosted by Bill Heaven, CPA/CITP, CISA, Senior Director, HBK Risk Advisory Services, with featured guests Owen Bleibtrey, CISA, CCSFP and Joel Van Horn, CPA/CITP, CISA, Principal.
Watch on demand here.
Third-party risk management remains a critical aspect of cybersecurity protection as both the number of relationships with vendors and other third-party business partners and the related cyber incidents continue to increase. System and Organization Control (SOC) reporting is a valuable risk management tool. Whether you are a service organization being asked to undergo SOC attestation or an organization looking for a way to better assess your vendors and business partners, SOC can help.
• What is SOC Reporting? Systems and organization controls, a service that only CPAs can offer in connection with the controls of a company, a service organization, or the entity-level controls of other organizations.
• How does SOC reporting work? In simple terms, an organization defines its business objectives, then designs internal controls to meet those business objectives, and then an auditor tests and reports on the design and/or effectiveness of those internal controls.
• Any company with a model based on providing a service to another company can benefit from a SOC exam. The exam is a third-party validation of the service company’s commitment to the design and effective operation of its operating controls.
General benefits:
- Reduce compliance costs and time spent on audits
- Meet contractual obligations and market concerns
- Proactively address risks across the organization
- Increase trust and transparency
- Enhance reputation, credibility, and marketability
SOC Types:
- SOC 1 covers financial reporting
- SOC 2 relates to security
- Both reports are restricted-use reports.
- SOC 3 is a general-use, public report
- Must have a SOC 1 or 2 to have a 3.
Two types of reports:
- Type I refers to the existence of documented controls
- Type II refers to the operating effectiveness of the documented controls during a specific time period
A SOC report is an independent assessment of a company’s controls by an independent third party.
More specifics on SOC 2:
- Five trust services criteria:
- security, confidentiality, availability, privacy, and processing integrity
- security is required in all SOC 2 reports.
- an organization can start with security and then include other criteria down the road.
- Nine common criteria for security:
- CC1: Organization and Management Controls: Focuses on individual responsibilities for security.
- CC2: Communication and Information: communicating internally and externally with the appropriate people in each case.
- CC3: Risk Assessment: Identify risks, then determine how those risks should be managed and mitigated. Could include IT risk, but also regulations, laws, and geographical location risks. Notably, SOC specifies areas that must be covered but not how to cover them.
- CC4: Monitoring: Need a system that monitors controls, making sure that they are functioning, and if not, that there is a corrective action in place.
- CC5: Control Activities: All risks identified should have controls in place to mitigate those risks. A catch-all for risk assessments and general IT controls.
- CC6: Logical and Physical Access Controls: Scope is important: anything related to logical access to information, software, and onboarding; controls must be in place to govern logical and physical access.
- CC7: System Monitoring: infrastructure, computer networks; assure any incidents are identified and addressed, with a strong incident response plan in place.
- CC8: Change Management: Ensure any changes in infrastructure are properly made. Crucial if you develop your own software.
- CC9: Risk Mitigation: Ensure policies and business continuity plans are in place. Review on a periodic basis and test. Assess vendors relative to their access to data.
- SOC 2 reports all follow the same format:
- Section 1: Independent Auditor’s Report: The auditor’s opinion on the system design, description, and operating effectiveness.
- Section 2: Management’s Assertion: all the facts and assertions management will present to the reader.
- Section 3: Management’s Description of the System: infrastructure, controls, and sub-service organizations if applicable. Important to note that not all vendors are sub-service organizations. Make sure to get the SOC 2 report of a sub-service organization if you require additional information. Sub-service organizations can be carved out or included.
- Section 4: Identified Controls and Tests of Controls: No prescribed format, but each control is assigned a control number, and the control should refer back to another section of the report. This is the auditor’s report. It includes any exceptions, or states that there were none.