For those who are not familiar with SOC 2 reports, a natural question is what makes up a SOC 2 report. In general, there are five components behind every SOC 2 report: 1) Principles, 2) Criteria, 3) Points of Focus, 4) Controls, and 5) Evidence. This might be a little overwhelming at first, especially if you are new to SOC 2. In this article, we will break down what these five components are and hopefully make understanding a SOC 2 report a little easier.
Five Components of a SOC 2 Report
First, there are five Principles, based on the Trust Services Criteria issued by the AICPA, that can compose a SOC 2 report. These are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Every SOC 2 report is required to include the Security Principle, which relates to keeping information and systems protected from unauthorized users. SOC 2 reports can also include any or all of the other four Principles. Availability, Processing Integrity, Confidentiality, and Privacy can make a SOC 2 stronger and more reliable, but they are not always required. Depending upon the system and the scope of the report, certain Principles may not be applicable. The service organization should determine which Principles are most beneficial to its user entities when evaluating whether to add additional Principles to the SOC 2 report. Let’s dig into what these additional four Principles are about. The Availability Principle relates to whether information and systems are available for operations that meet the entity’s objectives (AICPA). Processing Integrity relates to system processing of information that meets the entity’s needs. Confidentiality refers to how confidential information is handled and protected by the entity. Finally, Privacy relates to personal information that is collected, used, retained, disclosed, and disposed of by the entity (AICPA).
The second of the five components of a SOC 2 report is Criteria. Each Principle has its own set of Criteria. For the Security Principle, there are nine Criteria that must be covered in all SOC 2 reports. They are Control Environment, Communication and Information, Risk Assessment, Monitoring Activities, Control Activities, Logical and Physical Access Controls, System Operations, Change Management, and Risk Mitigation. These nine Criteria are composed of 33 individual sub-criteria, 17 of which are the COSO principles. If an entity wants to add any additional Principles, there are at least two sub-criteria per Principle selected. For Availability, there are three sub-criteria, Confidentiality has two sub-criteria, Processing Integrity has five sub-criteria, and Privacy has 18 sub-criteria. So a SOC 2 report covering all Principles would include 61 sub-criteria.
Points of Focus and Controls
The third and fourth components are Points of Focus and Controls. Within each of the sub-criteria, there are points of focus. These points of focus are there to assist the service organization in identifying and documenting the controls in place to be tested in the SOC 2. Each sub-criterion may have several points of focus, but not every point of focus needs to be addressed by the service organization. For the Security Principle, there are 200 points of focus. If all Principles are included, there are a total of 290 points of focus. Controls, the fourth of the five components, are documented by the service organization within each sub-criterion using the provided points of focus as a guide. It is up to the service organization’s auditor to determine whether the controls within each sub-criterion allow the company to meet that sub-criterion. In general, a service organization’s controls can be used in multiple sub-criteria within a SOC 2 report. A service organization should consult with its service organization auditor for help in determining where existing controls can be added in other areas of the report. The average SOC 2 report that covers Security has between 80 and 110 controls.
Evidence, the final component of a SOC 2 report, can be described as the documentation or observation of a control to verify that it is in place or functioning, depending on whether the engagement is a Type I or Type II. If controls are used across various sub-criteria, certain evidence may be sufficient for multiple controls. For example, let’s look at Control Criteria 1, the Control Environment Criteria. One sub-criterion is, “the entity demonstrates a commitment to integrity and ethical values” (AICPA). Here an auditor might look at Evidence such as the entity’s employee handbook or particular policies in place. Then, jumping down to Control Criteria 2, the Communication and Information Criteria, there is a sub-criterion that states, “the entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal controls” (AICPA). Here, for Evidence, an auditor may again look at the employee handbook or particular policies and then verify that they were communicated internally. There are other Criteria and sub-criteria where evidence can be used in testing multiple controls. Evidence is vital for all sub-criteria, since auditors must see that controls are in place in both SOC 2 Type I and SOC 2 Type II engagements. Although some evidence can be used to cover multiple controls, some controls require several pieces of evidence to validate the activity being tested.
In conclusion, there are several components to a SOC 2 report: five Principles, at least nine Criteria and 33 sub-criteria, up to 290 points of focus, at least 80 controls, and then evidence to support all sub-criteria. Preparing for a first-time SOC 2 audit can be a very in-depth process, but the entity’s SOC 2 auditors can provide assistance along the way to ensure that all Principles, Criteria, sub-criteria, Points of Focus, Controls, and Evidence are included in the report. If your entity is interested in obtaining any additional information on SOC 2 reports, or if there are any other questions related to SOC 2, please contact us. For more information on these services and more, be sure to visit our SOC services pages.