Third-party reporting proficiency with SOC 2+

Nailing down the basic SOC 2 report is an important first step. Generally, service organizations have a certain degree of leeway when it comes to designing their SOC 2 reports. In fact, most contracts are somewhat vague (i.e., they don’t specify which Trust Service Criteria, or which systems, should be tested).

With this in mind, the leading practice is to limit the initial reporting scope to a subset of systems or criteria, emphasizing those that are most important to customers. Once the organization is confident about the controls surrounding this subset, it can then branch out, mapping and testing the controls relevant to a broader range of customer needs.

In considering how to proceed, assurance with regard to the security TSC, which forms the basis of all SOC 2 reports, is a natural place to start, particularly since cybersecurity is vitally important to many customers. The most complex of the five is the privacy TSC.

However, customers are becoming more concerned with service organizations’ interactions with end users and related privacy practices. While saving privacy for last may make sense, it can’t be overlooked. Ultimately, it may need to be addressed for compliance purposes if a service organization interacts directly with end users and gathers or stores their personal information. Given the complexity of the privacy criterion, it can be wise to get help. SOC 2 privacy reports do require more effort, and service organizations often need readiness assistance to complete them.

Every customer has different requirements. While contracts may be somewhat vague concerning the specifics of SOC 2 reporting, service organizations shouldn’t assume they know what a customer is looking for without first confirming it. For example, issuing a SOC 2 report on Application A and its associated processes, when the customer really wanted Application B to be examined, will result in wasted resources and a lot of rework. These costly misunderstandings happen far too often, especially when they can be avoided through better communication and greater insight into customer needs.

For many service organizations, understanding what their customers are looking for often comes down to educating the salesforce and other customer touchpoints about SOC 2 reporting. When customer-facing personnel grasps the value of an integrated approach, they can both communicate the benefits and ask customers the right questions to help scope and define their requirements. Making the effort up front to probe customer requirements—not only the “what” but also the “why”—will both save time in the long run and build customer confidence and trust.

Many customers may be unaware that it’s possible to combine SOC 2 with other compliance initiatives when requirements overlap. This gives service organizations a great opportunity to add value by showing customers how SOC 2+ can be used to streamline reporting processes. This can be accomplished through the following steps:

• To begin, compile a list of requirements for each TSC. Then move on to a list of requirements for each of the other frameworks with which your customers must comply.
• At the beginning of the project, identify areas where similar operational controls will meet both SOC 2 and other requirements.
• Subsequently, create a master list of the integrated requirements by mapping them to one another. This allows for testing each control once and then “checking the box” for all the requirements to which it applies.

If an organization hasn’t previously considered issuing a SOC 2+ report, then most likely external or independent auditors haven’t tested its integrated compliance controls before. Also, it isn’t uncommon for service organizations, particularly those subject to Sarbanes-Oxley (SOX) Section 404, to focus their control efforts primarily on ICFR. If so, they may not have applied that same level of rigor to the controls for their operational systems.

For these reasons, a readiness assessment, performed by an independent third party, is often well worth the effort. This includes inspecting the controls that are already designed and implemented, as well as identifying any gaps that will need to be addressed prior to live testing.

A readiness assessment can ultimately save time and effort by:

• Identifying problems before they need to be reported;
• Leveraging subject matter experts to document controls; and
• Defining the correct scope and boundaries of the system up front.

In our experience, service organizations that don’t complete a readiness assessment tend to have more issues during the actual examination.

Once the necessary controls and procedures are in place for SOC 2, an organization can start integrating other frameworks. Individual controls will invariably fulfill multiple requirements. For example, a control that meets one of the requirements of a SOC 2 Security Trust Service Criteria, may also meet certain NIST and ISO 27001 security requirements. Mapping these redundancies greatly facilitates testing efficiencies when seeking to comply with multiple industry-specific or regulatory requirements.