Scoping a SOC 2 Audit

Published 05/16/2017
What is an IT Security Audit

In today’s cybersecurity-challenged world, the System and Organization Controls 2 (SOC 2) audit is a necessity for service providers, including cloud service providers, hosting companies, and software-as-a-service (SaaS) providers.

If your service organization can’t produce a SOC 2 report documenting your security controls, you’re almost certainly losing business. (Strictly speaking, SOC 2 is an attestation report issued by an independent CPA firm, not a certification, but customers treat the report as the credential.)

For smaller organizations, however, passing a SOC 2 audit can be a complex task. To simplify the process, setting the scope of your SOC 2 audit correctly is crucial. 

Define the scope too narrowly, and you might not provide the assurance your customers will want—prompting more SOC 2 audits in the future. Define it too broadly, and you waste money, time, and productivity as the audit disrupts daily operations.

So how do you strike that balance? And what role does the compliance or audit executive play in that task?

If you’re a service provider, SOC 2/3 audits offer assurance that your information security controls and control environment adequately protect customer data. (Check out our long primer on SOC audits: the kinds that exist, how to prepare for them, and how they unfold when the auditors arrive.)

A Type I SOC audit, conducted by an independent CPA firm following American Institute of Certified Public Accountants (AICPA) attestation standards, confirms that your service organization’s controls are suitably designed as of a certain point in time; a Type II audit also tests whether those controls operated effectively over a set period of time.

You can learn all about SOC 2 and SOC 3 in our “Ultimate Guide to SOC 2.” And when audit time rolls around, you’ll certainly want to check out our SOC 2/3 audit guide, which shows you how to prepare in three easy steps.

Scoping your SOC 2/3 audit begins with the Trust Services Categories, formerly known as Trust Services Principles.

The 5 Trust Services Categories

The AICPA established five core principles, officially known as “Trust Services Categories,” to consider in a SOC audit of a vendor’s security controls. (The term “trust services criteria” refers to the specific requirements the auditor tests within each category; people often use the two terms interchangeably.) They are:

  • “The security, availability, and processing integrity of the systems the service organization uses to process users’ data,” and
  • “The confidentiality and privacy of the information processed by these systems.”

In plain language, the categories mean the following:

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage that could compromise the availability, integrity, confidentiality, or privacy of information and affect the entity’s ability to meet its objectives.
  • Availability: Information and systems must be available for operation and use to meet the entity’s objectives.
  • Confidentiality: Information designated as confidential must be protected from unauthorized access and disclosure to meet the entity’s objectives.
  • Processing Integrity: System processing should be complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Privacy: Personally identifiable information must be collected, used, retained, disclosed, and disposed of in conformity with the entity’s privacy notice and its objectives.

Not every SOC 2 audit must consider all five categories. After all, you will share the results of these audits with only specific clients (or prospective clients) who presumably have specific needs they want your firm to address.

Deciding which “TSCs” your audit should cover is key to determining the scope of your SOC 2 audit. One category is not optional: Security (the “common criteria”) is included in every SOC 2 examination. Beyond that, include only those TSCs that are necessary and no more.

For example, if you provide user entities with data storage in a data center but clients do all data processing on their own systems, you need to include the “Security” and “Availability” categories in your SOC 2 audit, but not “Processing Integrity.”

If you store personal data about individuals, the Privacy category is in scope. If you only store product design plans, “Confidentiality” is in scope but “Privacy” may not be.

SOC Scoping Questions To Ask

Identifying the relevant TSCs matters because, once you’ve completed this step, you can start to determine which systems, security policies, privacy policies and controls, and procedures support those categories, and organize your internal controls to match these needs.

Your service organization’s controls in the relevant categories are what your SOC 2 audit will examine. SOC 2 audits covering multiple TSCs can sweep many of your firm’s systems and controls into scope.

If you’re not sure whether a category applies to your enterprise, ask: “If we can’t demonstrate that we meet this category, could we harm our relationship with the customer?” If the answer is “yes,” then the category is probably in scope.

It’s also important to work with senior executives to define the firm’s products, services, and strategy as clearly as possible. 

  • Who are the target customers? 
  • What do they need? 
  • What service does your firm provide? 
  • What else will you provide in the future? 

The answers to these questions will help define which TSCs should be addressed in the SOC report your firm provides to customers–and to delineate the scope of your SOC 2 audit.

Compliance and audit executives: your job is not to answer these questions yourself, but to get senior managers to answer them.

Scoping questions become more granular and company-specific from here. 

  • Which type of SOC 2/3 audit should you commission? Most organizations begin with Type I, the “single-point-in-time” audit, then proceed to Type II, which tests the controls’ operation over a review period, typically six to twelve months.
  • Are we ready for an audit? SOC 2 advisory firms (there are plenty of them) are more than happy to perform readiness assessments before a true audit gets underway. Or, you could use governance, risk management, and compliance (GRC) software to perform self-audits and gain confidence that you will pass the external audit.

ZenGRC’s user-friendly design lets you audit your systems and controls as often as you’d like, with just a few clicks. And its color-coded dashboards show you at a glance where you comply with SOC 2/3 and more than a dozen other frameworks, where you fall short, and what you need to do to fill the gaps.

Worry-free SOC 2/3 compliance is the Zen way. Contact us now for your free consultation.
