SOC 2

Gavias Slider Slider Expertise SOC 2

Internal Control over Non-Financial Reporting

Organizations increasingly outsource processes or data to service providers. Processes that have no relation to financial processes are relevant for SOC 2 reporting. A SOC 2 report is an internal control report that focuses on controls at a service provider relevant to Security, Availability, Processing Integrity, and privacy. A SOC 2 report ensures that a service organization keeps data private and secure while processing and that data is accessible at any time.

Outsourcing the processing or hosting of data requires third-party assurance on security, availability, confidentiality, processing integrity, and privacy of data. SOC 2 audits are external confirmations that these criteria are met.

Public Companies in the US or financial institutions in Europe are required to outsource to providers with a valid SOC 2, ISAE 3402 or SOC 1 report in place to provide investors assurance over controls that are performed by the outsourcing provider.

Our approach for implementing procedures is based on industry best practices for security, risk management, and internal control. This combined with our in-depth knowledge in different industries with improving your internal control and procedures to the best in your industry.

Audits performed by our group company Certicus will help you to continuously improve procedures and reduce the interruption of business operations by multiple user organization audits.

Cloud Services

An important competitive advantage is created by speed and cost control. Cloud hosting providers offer services at a fraction of the costs of self-installation on local servers. Flexible payments plans avoid large investments and provide new opportunities for new and existing business lines. Flexibility and cost control also brings risks; are security, privacy and availability established as solid as you would expect or your supervisors and customers require? A SOC 2 report provides all answers to these questions and risks.

Trust Services Criteria

SOC 2 reports are based on Trust Services Criteria. For Security, Availability, Processing Integrity, and privacy specific principles and criteria are defined. SOC 2 reports are modular, implying that reports can cover one or more of the principles, depending on the needs and requirements of a services organization. The only criteria that is mandatory for SOC 2 is the Security criteria. These criteria are also referred to as the Common Criteria (CC1 – CC9). In addition to security requirements, the Common Criteria also contain requirements for an internal control framework, including risk management (COSO).

The Trust Services Criteria explained

Common Criteria

SOC 2 focuses on a business’s non-financial reporting controls as they relate to Security, Availability, Processing Integrity, Confidentiality, and Privacy. These principles are outlined in the Trust Services Criteria (TSC). Each of the criteria has defined requirements (Points of Focus) that must be met and implemented within the organization to demonstrate adherence to the criteria.

The only criteria that are mandatory for SOC 2 are the Security criteria. These criteria are also referred to as the Common Criteria. In addition to security requirements (Logical and Physical Access Controls, System Operations, and Change Management), the Common Criteria also contain requirements for an internal control framework, including risk management (COSO). The key elements of the COSO framework are Control Environment, Communication and Information, Risk Assessment and Risk mitigation, Monitoring Activities, and Control Activities.

Additional criteria can be included within the scope of a SOC 2 reporting. More often, the applicability of the Availability, Confidentiality, Processing Integrity, and Privacy criteria are considered based on the services provided and in conjunction with key clients and SOC 2 experts. When an organization chooses to include criteria, all associated requirements and points of focus must be considered and implemented when applicable.

Reporting types explained

SOC 2 reports

The key is to successful outsourcing is selecting a service provider that is properly certified. A SOC 2-certification provides assurance on the Security, Availability, Processing Integrity, and privacy of information. If you are dealing with sensitive customer data, these elements are key success factors. In a SOC 2 report, the risk control framework is described, including the related controls and procedures for monitoring the risk control framework. The report is prepared in accordance with the Trust Services Criteria to provide a set of criteria for Security, Availability, Processing Integrity, and privacy to keep pace with the rapid growth of cloud computing and business outsourcing challenges provided by the global economy.

Type I report

A SOC 2 Type I report includes an opinion of an external auditor on the controls placed in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are accomplished and whether the controls are in place.

Type II report

In a SOC 2 Type II report, the external auditor reports on the suitability of the design and existence of controls and on the operating effectiveness of these controls in a predefined period of six months minimum. This implies that the external auditor performs a detailed examination of the internal control of the service organization and also examines whether all controls are operating effectively in accordance with the predefined processes and controls.