Preparation and Reporting for SOC Audits Based on ISAE 3402 and SSAE 16 Audit Standards

---

What are the AICPA TSC?

The TSC are an industry-recognised, third-party assurance standard for auditing service organisations such as Cloud service providers, software providers and developers, web marketing companies and financial services organisations.

They are divided into 5 trust services categories and are aligned with the 17 principles in the 2013 COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework.

In addition to the 17 COSO principles, the TSC contain criteria that supplement COSO principle 12 (“The entity deploys control activities through policies that establish what is expected and procedures that put policies into action”).

These are divided into four categories:

1. Logical and physical access controls
2. System operations
3. Change management
4. Risk mitigation

Some of these apply across all five trust services categories.

---

What is in a SOC 2 audit report?

A SOC 2 audit report is designed to provide assurance to service organisations’ clients, management and user entities about the suitability and effectiveness of the service organisation’s controls that are relevant to security, availability, processing integrity, confidentiality and/or privacy. The report is generally restricted-use for existing or prospective clients.

There are two types of SOC audits and reports:

• Type 1 – an audit and report carried out on a specified date.
• Type 2 – an audit and report carried out over a specified period, usually a minimum of six months.

A SOC 2 audit report includes:

• An opinion letter;
• Management assertion;
• A detailed description of the system or service;
• Details of the selected trust services categories;
• Tests of controls and the results of testing; and
• Optional additional information.

It also specifies whether the service organisation complies with the AICPA TSC.

---

Who are SOC 2 audits designed for?

SOC 2 audits are targeted at organisations that provide services and systems to client organisations (for example, Cloud computing, Software as a Service, Platform as a Service).

The client company may ask the service organisation to provide an assurance audit report, particularly if confidential or private data is being entrusted to the service organisation.

If your organisation provides Cloud services, a SOC 2 audit report will go a long way to establishing trust with customers and stakeholders. A SOC 2 audit is often a prerequisite for service organisations to partner with or provide services to tier-one organisations in the supply chain.

---

Who can perform a SOC audit?

A SOC audit can only be performed by an independent CPA (Certified Public Accountant) or accountancy organisation.

SOC auditors are regulated by, and must adhere to specific professional standards established by, the AICPA. They are also required to follow specific guidance related to planning, executing and supervising audit procedures. AICPA members are also required to undergo a peer review to ensure their audits are conducted in accordance with accepted auditing standards.

CPA organisations may employ non-CPA professionals with relevant information technology and security skills to participate in preparing for a SOC audit, but the final report must be provided and issued by a CPA. A successful SOC audit carried out by a CPA permits the service organisation to use the AICPA logo on its website.

---

ISO 27001 and SOC audits

Service organisations that employ an ISO 27001 framework are able to demonstrate to their partners and customers that they are 100% committed to service availability, security and data protection.

By applying the management framework outlined by ISO 27001 and certifying against this standard, you will be able to prove to your clients that your organisation holds data security of paramount importance, giving you a head start on passing a SOC 2 (II) or SOC 3 (III) audit the first time around.