SOC (aka SSAE 16/SAS 70/AT 101) Readiness

Prepares a service organization to obtain SOC 2/SOC 3 reports (aka SAS 70, SSAE 16, AT 101, WebTrust, SysTrust) by identifying gaps between existing controls, attestation standards and applicable trust principles, by designing and documenting controls, and by testing controls to ensure a successful audit.

Service Organization Control (SOC) reports are a closely related family of attestation reports that provide assurance to clients and client auditors that controls are in place to ensure security, integrity and confidentiality of client data. SOC reports are a critical tool for gaining and maintaining service customers by providing assurance that security and integrity of data are well protected while processed and handled by service organizations, in particular those with software-as-a-service (SAAS) products. Illumant helps its clients select the appropriate SOC report(s) and helps them obtain independent attestation, by designing and documenting controls, policies and procedures, by collecting evidence to demonstrate the operating effectiveness of those controls, and by communicating with auditors to ensure a smooth attest engagement.


Highlights

  • Selection of appropriate SOC report type
  • Gap analysis vs SOC requirements/trust principles
  • Design and documentation of controls
  • Documentation of policies and procedures
  • Description of client’s “system” or in-scope service(s)
  • Evidence collection and audit preparation
  • Draft management’s assertion about controls
  • Auditor communication
  • Recommendations for improvement

Targets

  • In-scope SAAS product or service
  • SOC trust principles:
    • security
    • availability
    • processing integrity
    • confidentiality
    • privacy
  • Control activities
  • Evidence of operating effectiveness
  • Policies and procedures
  • Final draft of SOC Report


Detailed Description
Service Organization Control (SOC) Reports are a closely related family of similar reports formerly and familiarly known by many names – SSAE 16, SAS 70, AT 101, WebTrust and SysTrust. Despite the naming confusion, the overall purpose remains the same: a SOC report provides independent validation and assurance to clients and client auditors that controls are in place and operating effectively to ensure that services, particularly software-as-a-service (SAAS) products, handle client information securely and accurately.

SOC reports are critical tools for gaining and maintaining customers for SAAS and e-commerce products, by providing independent validation and attestation that service and user data are properly controlled and protected. Increasingly, customers may require their SAAS vendors to provide SOC reports before doing business with them.

Illumant helps its clients prepare for a SOC report and attestation engagement by developing and addressing all the components necessary to meet these objectives. Illumant’s readiness activities are streamlined by building toward the end goal – a final draft of the SOC report.

There are various types of SOC and SOC-related reports. These are described below. Illumant focuses on SOC 2 and SOC 3.

SOC 1
  • AICPA Attest Standard: SSAE 16 (formerly SAS 70) / AT 801
  • Available Types: Type I, Type II
  • Use: Restricted Use
  • Purpose: Report on internal controls over financial reporting

SOC 2
  • AICPA Attest Standard: AT 101
  • Available Types: Type I, Type II
  • Use: Mostly Restricted Use
  • Purpose: Report on internal controls over security, availability, processing integrity, confidentiality and privacy

SOC 3
  • AICPA Attest Standard: AT 101
  • Available Types: not applicable
  • Use: General Use (Public)
  • Purpose: Report on internal controls over security, availability, processing integrity, confidentiality and privacy

Agreed Upon Procedures
  • AICPA Attest Standard: AT 201
  • Available Types: not applicable
  • Use: Restricted Use
  • Purpose: Report on procedures as defined by the client

Illumant helps clients choose between SOC 2 and SOC 3 (SysTrust, WebTrust):

Trust Principles Covered
  • Security, availability, processing integrity, confidentiality and privacy: covered by both SOC 2 and SOC 3

Report Users
  • Client and client auditors: SOC 2
  • Public: SOC 3
  • SysTrust: SOC 3

SOC Report Content
  • Auditor's opinion: SOC 2 and SOC 3
  • Management's assertion: SOC 2 and SOC 3
  • System description: SOC 2 and SOC 3
  • Detailed description of auditor's tests and results: SOC 2 only

Certification
  • SOC 3 certification (SysTrust/WebTrust): SOC 3 only

Note that SOC 2 and SOC 3 can both be obtained in parallel at incremental cost over a single report.

The components of a SOC report are as follows:
  1. Report Of Independent Service Auditors
  2. Client's Assertion
  3. Management’s Description Of The System
    1. Overview of Operations
    2. Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring of Controls
    3. Description of Controls
    4. Complementary User Entity Controls
  4. Principles, Criteria, And Related Controls
Illumant’s methodology has this report and these sections as the ultimate objective of the readiness engagement. By centering all aspects of the engagement around the final report, Illumant ensures a cost-effective path to obtaining a SOC report.

The following describes Illumant’s methodology for the SOC readiness engagement:
  • Illumant helps the organization select which SOC report is most relevant to the organization: SOC 2 or SOC 3 (aka SysTrust / WebTrust). Illumant also determines which of the Trust Principles will be covered by the SOC report:
    • security
    • availability
    • processing integrity
    • confidentiality
    • privacy
  • Illumant identifies gaps between the requirements for the selected report and trust principles above and the existing controls and documentation at the organization. Illumant documents existing controls and helps design new controls to fill gaps. Where necessary, Illumant documents policies and procedures that define the controls and security measures. Illumant develops a control matrix that lists all applicable controls, the principle elements and risks that each control addresses, and the testing methods used to demonstrate that the control is in place and operating effectively.
  • For the Management Description of the System, documentation is developed that provides an overview of operations. This is developed through interviews and walkthroughs of the in-scope service. During this process, Illumant develops a description of the control environment, including the culture of control, mechanisms to identify and manage risks, and governance structures to monitor controls and risk management activities. Illumant also develops a walkthrough narrative of the controls in place that are relevant to the SOC report, and specifies which controls are the responsibility of the user or client of the in-scope service.
  • Illumant also helps draft Management’s assertion, which is the target of the attestation engagement. In this assertion, management asserts that controls relevant to the applicable trust principles have been described fairly and are in place and operating effectively.
  • To ensure that the attestation audit will go smoothly without exceptions, Illumant tests the defined controls, per the control matrix, and gathers evidence so that it can be presented to the auditor, which streamlines the attestation engagement and makes it more cost-effective. Any gaps identified during pre-attestation testing become the target of remediation efforts.
  • Attestation must be provided by a CPA firm. Illumant can help select a CPA firm to provide the attestation services. Illumant has experience with the Big 4 and many smaller CPA firms. Throughout the readiness engagement, Illumant works and communicates with the selected CPA firm to ensure that the prepared documentation meets the CPA firm’s internal standards (which can vary from firm to firm). Illumant has experience communicating with CPA firms to make the attestation process move smoothly.
On an ongoing basis, Illumant can help the firm update documentation annually to reflect changes to the service or the service organization. Illumant also provides preliminary testing to ensure controls are in place and that the annual attestation engagement will proceed without problem or incident.