Article
SOC2 – Reporting on Service Organization Control
An effectively managed IT security control environment is key for any organisation. Inadequately protected IT systems leave companies exposed to threats such as unauthorised access to business-critical data, malware-induced disruptions, and other IT incidents that affect business continuity. The exposure is even greater when the organisation processes or stores confidential customer data as part of an IT service.
To help service organisations provide assurance on the adequacy of the controls that mitigate risks to their customers, the American Institute of Certified Public Accountants (AICPA) has developed an attestation framework based on its Trust Services Criteria (formerly the "Trust Services Principles"). An audit under this framework assesses a service organisation's internal controls against five categories: security, availability, processing integrity, confidentiality and privacy.
At the end of the engagement, an independent auditor issues a SOC2 (Service Organization Control) report. The report can be shown to customers as evidence that the service organisation operates an effective information security control environment. SOC2 reporting is most relevant to companies that store or process customer data, provide trust services, or want to give their customers assurance on the operating effectiveness of their information security controls. For security-conscious businesses, requiring a SOC2 report has become a baseline when evaluating an IT service provider, and the requirement is often written into contracts.
Deloitte has more than 15 years of experience in conducting SOC1 and SOC2 audits. Our team of specialists coordinates and conducts these audits efficiently while meeting our clients' needs. We issue both SOC2 Type I reports (covering the design and implementation of IT controls at a point in time) and SOC2 Type II reports (additionally covering the operating effectiveness of those controls over a review period).
With a SOC2 assurance report, our clients can gain a significant market advantage and enhance their brand and reputation. Unlike a generic audit certificate, a SOC2 report gives a far more detailed and realistic picture of an organisation's IT security posture, because it describes the specific controls in scope and the auditor's testing of them.
We recommend SOC2 reporting to:
- trust service providers who want to provide a high level of assurance to their clients
- organisations that carry out data processing activities on behalf of customers
- companies seeking to reduce compliance costs by answering many customer security questionnaires with a single independent report
- organisations that want to increase the confidence of both internal and external stakeholders
- those who want to improve their organisation's IT security control environment
- start-ups, cloud service providers and outsourcing companies