SOC Reporting Services

SOC 1, 2, 3 Reports

Disclaimer
This publication contains general information only and Accedere is not, through this publication, rendering any professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Accedere shall not be responsible for any loss sustained by any person who relies on this publication. As used in this document, “Accedere” means Accedere Inc. Please visit https://accedere.io and email us at [email protected] for any specific services that you may be looking for.
Accedere Inc is a Colorado licensed CPA Firm listed with PCAOB and Cloud Security Alliance as Auditors. Restrictions on specific services may apply.

Table of Contents

1. Introduction
2. Need for SOC Report
3. Examples of organizations that may need SOC Report
4. Some specific terms used in SOC Report
5. SSAE 18 Attest Standard & its History
6. Types of SOC Reports
7. Typical Statement of Work (SOW)
8. SOC 2 Privacy Category
9. SOC 2 & COSO Risk Management
10. SOC Controls
11. Description Criteria
12. New SOC Reports
13. SOC 2 Plus Reports
14. Project Execution Methodology

01 Introduction

$3.86M: Average Total Cost of a Data Breach
280 Days: Average time to identify and contain a breach

Outsourcing is on the rise despite increasing cyber security & data breaches. In today’s challenging world of Blockchain, AI, IoT and Cloud, you need to be a step ahead of your competitors. Think of the SOC Report as your company’s “Security Best Practices”. You need to demonstrate a level of confidence that your organization can manage your client’s most confidential and valuable information and has the procedures and controls in place to provide the required assurance. A SOC Report can provide this assurance for your clients.

Rethink your company’s cyber security.

Providing an independent third-party assurance such as a SOC report helps address these concerns and helps Service Organizations stay above the competition.

02 Need for SOC Report

A. Regulatory Compliance
Data Security & Privacy are increasing concerns for many organizations. This is especially important in cases where data is regulated &/or sensitive, as in the case of compliance requirements for HIPAA, PCI, GDPR, CCPA etc. Cloud environments are adding to the complexity of the issue. Privacy laws are being enforced that may lead to heavy fines or penalties.

B. SOX-404 & PCAOB
Under the Sarbanes Oxley Act (SOX), public companies are required to ensure that proper controls exist at the service organizations for the outsourced services. Public companies have the responsibility to examine the control environment & may be subject to fines and penalties for deficiency of effective Internal Controls over Financial Reporting (ICFR).

C. Vendor Due Diligence
Having a SOC Report is essential for compliance with regulatory requirements. But there’s more: think beyond legalities. If you own an organization that sells outsourced services (such as payroll services, data management or cloud services) that can significantly affect the financial health of a user organization, getting a clean SOC Report sends a strong signal to your existing & prospective clients.

D. Data Governance
Data governance issues also relate to regulatory compliance, security, privacy & similar concerns impacting today’s organizations. Today’s data management & storage landscape, where data entropy & data sprawl are rampant, has wide-reaching consequences for data security.

Many companies are storing data in distributed hybrid cloud and even in unmanaged environments, thus increasing challenges for regulatory compliance. A data inventory & data flow is often recommended. With increasing IoT devices and data lakes in the cloud, visibility & control are invariably lost, resulting in data sovereignty challenges.

E. Adaptive use of Disruptive Technologies
Disruptive technologies like Blockchain (Distributed Ledger) have emerged as candidates for financial institutions to reform their businesses. The speed & cost of doing business using distributed ledger technology is expected to improve by simplifying back-office operations & lowering the need for human intervention. However, a number of security concerns around this new technology remain a challenge.

Change the way you think about the SOC Reports.

03 Examples of organizations that may need SOC Report

• SaaS & Application Service Providers
• Data Centres/Co-location Centres
• Healthcare Services
• Payroll Organizations
• Business Process Outsourcing (BPO) Entities
• Knowledge Management (KM)
• Managed Service Centres & Payment Systems Entities
• Mortgage Service Entities
• IT Managed Services Entities
• Cloud Service Providers
• Tax Processing Service Providers
• Other Financial or Intellectual Property Services

04 Specific terms in SOC Reports

User Organization: The client/s who requested the report from the Service Organization.
User Auditor: The client’s Auditor that may have demanded the SOC Report.
Service Organization: The entity for whose environment the report is being issued.
Service Auditor: The CPA Firm that signs the SOC Report.

05 SOC Reports History

System & Organizations Controls (SOC)
SOC was formerly known as “Service Organization Controls”. The Service Auditor reports on controls implemented &/or operating effectively at the Service Organization.
The standard requires organizations to demonstrate controls in operations & their design to achieve the objectives set forth. A SOC report is attested by an Independent Service Auditor. The auditors are subject to independence training and continuous professional education by the AICPA. Further, the engagements are subject to periodic peer reviews.

SOC uses the SSAE 18 attest standard to evaluate the internal control environment of a service organization.

History of CPA involvement in auditing IT controls

1974, SAS 3: The effect of EDP on the auditor’s study & evaluation of internal control
1982, SAS 44: Special-purpose reports on internal accounting control at service organizations
1992, SAS 70: Service Organizations
1997, WebTrust: Principles & criteria for electronic commerce
1999, SysTrust: Principles & criteria for system reliability
2003, Trust Services Criteria (TSC): For security, availability, processing integrity, confidentiality or privacy; merger of WebTrust & SysTrust
2010, SSAE 16: Reporting on controls at a service organization
2011, SOC 1: Reporting on Controls at a Service Organization Relevant to User Entity's Internal Control Over Financial Reporting Guide; SOC 2: Reporting on Controls at a Service Organization Relevant to the TSC Guide; SOC 3: Trust Services Report for Service Organizations
2017, SOC for Cybersecurity: Reporting on an entity’s cybersecurity risk management program & controls
2020, SOC for Supply Chain Examination: Reporting on an Examination of Controls Relevant to the TSC in a Production, Manufacturing, or Distribution System

06 Types of SOC Reports
The SOC Engagements can be split into 2 main requirements:

SOC 1 or ISAE 3402
Addresses controls related to user entities’ Internal Control Over Financial Reporting (ICFR). It is used by service organizations affecting the financial reporting of user organizations. Reports are for the User Auditor & Management of the User & Service Organization.

SOC 2 or ISAE 3000
A SOC Report conveys trust & assurance to users of the system that the service organization has deployed effective control systems to effectively mitigate operational & compliance risks that the system may represent to its users. It addresses System & Organization Controls using Trust Services Criteria (TSC) for service organizations to apply and report on controls that may affect users of their service. A SOC 2 Report demonstrates an Independent Auditor’s review of a service organization’s application of criteria related to one or more of the TSC, which are:
• Security: The system is protected against unauthorized access.
• Availability: The system is available for operations and use as committed or agreed.
• Processing Integrity: System processing is complete, accurate, timely and authorized.
• Confidentiality: Information designated as confidential is protected as committed or agreed.
• Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the TSC Criteria.

SOC 3 Report
A SOC 3 engagement is similar to a SOC 2 engagement. The practitioner (Service Auditor) reports on whether an entity (any entity, not necessarily a service organization) has maintained effective controls over its system with respect to the TSC. A SOC 3 Report may not have details of the controls in the report. It is commonly used in B2C environments. A SOC 3 report can be shared without an NDA and also displayed on the website.

Type 1 & Type 2 Reports

Type I
• Report is as of a point in time
• Looks at design of controls, not operating effectiveness
• Limited use & considered for information purposes only
• Not considered useful for the purpose of reliance by the user auditor
• Not used as a basis for reducing the assessment of control risk below the maximum
• Generally performed in the first year that a service organization has a SOC reporting requirement

Type II
• Report covers a period of time, generally not less than 6 months & not more than 12 months
• Differentiating factor: includes tests of operating effectiveness
• May provide the user auditor with a basis for reducing assessment of control risk below maximum
• Requires more internal & external effort
• Identifies instances of non-compliance with the stated control activity
• More emphasis on evidential matter

A Type 2 Report currently provides the most reasonable assurance for the following:
• A SOC Type II Report can cover the entire year & the effectiveness of the controls in place can be reported.
• It is a Third Party Period-of-Time Assessment & so has Accountability.
• Since it is a period-of-time assessment, it is more like continuous compliance with low risk & high reliability.
• Most other assurance programs or audits are usually at a point in time.
• Comprehensive framework for Privacy.
• Provides a high reliability SOC Seal by AICPA.

SOC 1
Purpose: Audit of Financial Statements
Intended User: Financial Statements Auditors, Customers, Related Third Parties
Focus On: Internal controls relevant to Financial Reporting
Type 1: Design of Internal Control
Type 2: Design of Internal Control and Operating effectiveness of Internal Control during review period

SOC 2
Purpose: GRC Programs, Oversight, Due diligence
Intended User: Management, Regulators, Related Third Parties
Focus On: Operational controls regarding security, availability, processing integrity, confidentiality or privacy
Type 1: Design of Internal Control
Type 2: Design of Internal Control and Operating effectiveness of Internal Control during review period

SOC 3
Purpose: Marketing or General purpose
Intended User: Anyone with need for confidence in service organization’s controls
Focus On: Easy to read report on controls
Report Types: General
Evaluates: Design of controls related to SOC 2 objectives

07 Typical Statement of Work (SOW)

A SOC report identifies the standards used by a service auditor to assess the internal controls of a service organization. The control objectives & criteria vary based on the scope of the SOC report & client operations.
The relationship between the service organization and the user organization must be reviewed to help determine the controls that should be included in the engagement. In addition, the impact on the user organization’s financial statements will also be the determining factor as to whether controls at the service organization are in the scope of the SOC.

Trust Services Criteria (TSC) 2017 for SOC 2
The TSC 2017 is effective for all SOC 2 reports signed after December 15, 2018. The 2017 edition revises the TSC to align with COSO’s 2013 Internal Control-Integrated Framework, to better address cybersecurity risks & increase flexibility in application across an entire entity, including at a subsidiary, division, or operating unit level within a function relevant to an entity’s operational, reporting, or compliance objectives.

The following are some categories of control activities that are generally included in the Description of Controls for many SOC reviews:

Financial Reporting Controls for SOC 1
• In many instances, the financial controls of the service organization affect the financial reporting (ICFR) of the user organization.
• Processing Integrity can form an important control objective for SOC 1 engagements.
• The financial controls within the organization that rely on disruptive technologies such as distributed ledger or blockchain need to be evaluated.

Trust Services Criteria (TSC) 2017 for SOC 2

Security
Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.

Availability
Information and systems are available for operation and use to meet the entity’s objectives. Availability refers to the accessibility of information used by the entity’s systems as well as the products or services provided to its customers.

Processing integrity
System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing.

Confidentiality
Confidentiality addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives.

Privacy
Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. Although confidentiality applies to various types of sensitive information, privacy applies only to personal information.

The Security category covers about 300 points of focus under the following 9 aspects:
• Control Environment
• Communication & Information
• Risk Assessment
• Monitoring Activities
• Control Activities
• Logical & Physical Access Control
• System Operations
• Change Management
• Risk Mitigation

TSC Availability Category
Availability refers to the accessibility of information used by the entity’s systems as well as the products or services provided to its customers.
• The availability objective does not, in itself, set a minimum acceptable performance level; it does not address system functionality or usability.
• It addresses whether systems include controls to support accessibility for operation, monitoring, and maintenance.

TSC Processing Integrity Category
Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing.
• Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation.
• Processing integrity is usually only addressed at the system or functional level of an entity.

TSC Confidentiality Category
Confidentiality addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives.
• Information is confidential if the custodian of the information is required to limit its access, use, and retention and restrict its disclosure to defined parties.
• Confidentiality requirements may be contained in laws or regulations or in contracts or agreements that contain commitments made to customers or others.
• The need for information to be confidential may arise under the contract between parties for many different reasons.

The following points of focus apply only to an engagement using the Trust Services Criteria for confidentiality:
• Identifies Confidential Information
• Protects Confidential Information From Destruction
• Identifies Confidential Information for Destruction
• Destroys Confidential Information

Confidentiality v Privacy
Confidentiality is distinguished from privacy in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information. In addition, the privacy objective addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property.

08 TSC Privacy Category
Privacy has become an even more important issue in the current environment, with several large organizations facing heavy fines.

With about 50 points of focus, the TSC 2017 organizes the privacy category as under:
• Notice and communication of objectives
• Choice & consent
• Collection
• Use, retention & disposal
• Access
• Disclosure & notification
• Quality
• Monitoring & enforcement

Many of these controls map to legislation like GDPR, CCPA etc. In the wake of such new privacy mandates, organizations are encouraged to include the privacy category in their scope for the SOC 2 Report.

09 SOC 2 & COSO Risk Management

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private-sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

In addition to the Trust Services Criteria, the COSO framework states that the points of focus represent important characteristics of the criteria. Consistent with the COSO framework, the points of focus assist management when designing, implementing, and operating controls over security, availability, processing integrity, confidentiality, and privacy.

Risk Metrics Measurement & Governance
• As per the updated Common Criteria, it is important to report on all aspects of risk, covering monitoring as well as effective mitigation. To do effective monitoring and mitigation, we need to define metrics of measurement wherein you define what legal requirements, threats or indicators of compromise you are monitoring and their related controls. Any variance must be monitored daily, weekly or monthly as the case may be, and all exceptions or issues must be reported to the Security Governance committee.

Illustrative:
• Create your own security metrics of measurement
• Monitor your security metrics on a daily, weekly, monthly basis as the case may be
• Report the variance to the risk owner/legal compliance
• Report the highlights to your Security Governance Committee

10 SOC Controls
SOC controls would include the entire set of People, Process & Technology & how they are used in conjunction to achieve the relevant objectives. The controls would also cover:

Policies
The entity has defined & documented its policies relevant to the particular principle. (The term “policies” as used here refers to written statements that communicate management’s intent, objectives, requirements, responsibilities & standards for a particular subject.)

Communication
The entity has communicated its defined policies to responsible parties & authorized users of the system.

Procedures
The entity has placed procedures in operation to achieve its principles in accordance with its defined policies.

Monitoring
The entity monitors the system & takes action to maintain compliance with its defined policies.

11 Description Criteria
As part of a SOC report, a Description of Controls of the system is required from the organization. The new 2017 Description Criteria cover the following areas:

01 The types of Services Provided
02 The Principal Service Commitments & System Requirements
03 The Components of the System used to provide the services, including the following:
• Infrastructure
• Software
• People
• Procedures
• Data
04 Details of identified System Incidents
05 The applicable Trust Services Criteria & related controls
06 The controls that would be implemented by user entities
07 Subservice organizations & the controls at the subservice organization
08 Any specific criterion of the applicable Trust Services Criteria that is not relevant
09 Relevant details of significant changes to the Service Organization’s system & controls

Final Report
• Technically SOC is an Attest report, not an Audit report.
• Reports can be either Type I or Type II for controls implemented &/or operating effectively at the service organization.
• It provides information & a service auditor’s independent opinion about controls at the service organization to its management, stakeholders, and other knowledgeable parties.
• Provides user entities (customers) with detailed information on the design &/or operating effectiveness of the service organization’s controls.
• Service organizations are required to provide a Management Assertion letter & a System Description, which provides the basis of reporting by the service auditor.
• Report can be either as on a specific date or covering a period, usually 6 or 12 months.

12 New SOC Reports

SOC 2 for Cybersecurity
In 2017, AICPA developed a cybersecurity reporting framework that organizations can use to demonstrate to key stakeholders the extent & effectiveness of an entity’s cybersecurity risk management program. A critical element of any cyber security risk management program is the formulation of objectives by management. These objectives address cybersecurity risks that could affect the achievement of the entity’s overall business objectives (including compliance, reporting & operational objectives). Our assessment evaluates the controls in relation to the entity’s mission & vision, the overall business objectives established by management, risk appetite & other factors.

An examination engagement to report on whether (a) management’s description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and (b) the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

The AICPA and SOC logos are owned by https://www.aicpa.org

SOC for Supply Chain Management
In 2020, recognizing the needs of commercial customers and business partners of manufacturers, producers, and distribution companies, AICPA developed a framework for reporting on the controls over a manufacturing, production, or distribution system. Organizations can use the reporting framework to communicate to stakeholders relevant information about their supply chain risk management efforts and the processes and controls they have in place to detect, prevent, and respond to supply chain risks. The reporting framework also enables a CPA to examine and report on management-prepared system information and on the effectiveness of controls within the system, thereby increasing the confidence that stakeholders may place in such information.

An examination engagement to report on whether (a) the description of the entity’s system is presented in accordance with the description criteria and (b) the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective based on the applicable trust services criteria.

13 SOC 2 Plus Reports
A service organization may engage the service auditor to examine & report on subject matters in addition to the description of the service organization’s system in accordance with the description criteria & the suitability of design & operating effectiveness of controls based on the applicable Trust Services Criteria.

SOC 2 for Cloud CSA STAR Attestation
Cloud Security Alliance (CSA), in collaboration with the AICPA, developed a third-party assessment program of cloud providers officially known as CSA Security Trust & Assurance Registry (STAR) Attestation. STAR Attestation provides a framework for CPAs performing independent assessments of cloud providers using SOC 2 engagements with the CSA’s Cloud Control Matrix (CCM). Accedere is listed as Auditors with CSA for their STAR Attestation program.

SOC 2 for Privacy
The SOC 2 compliance report assures the internal and external stakeholders of the organization of the specific controls implemented and/or operating effectively for complying with privacy regulatory requirements. A single SOC 2 report can provide information about the organization’s controls over PII data based on the AICPA’s Privacy Trust Services Criteria and/or any specific privacy requirements. This SOC 2 can provide service organizations the ability to increase transparency and communicate through a single deliverable to customers, business partners, and stakeholders both in and outside the organization.

SOC 2 for C5 Cloud Controls
In February 2016, the Bundesamt für Sicherheit in der Informationstechnik (BSI), or the German Federal Office for Information Security, established the Cloud Computing Compliance Controls Catalog (C5) certification after they noted the rise in cloud computing in the country. With the C5, the BSI redefined the bar that CSPs should meet when dealing with German data. The establishment of the C5 elevated the demands on CSPs by combining the existing security standards (including international certifications like ISO 27001) and requiring increased transparency in data processing. C5 is intended primarily for professional cloud service providers, their auditors, and customers of the CSPs. The catalogue is divided into 17 thematic sections (e.g., organization of information security, physical security). C5 makes use of recognized security standards such as ISO 27001 and the Cloud Controls Matrix of the Cloud Security Alliance as well as BSI publications, and uses these requirements wherever appropriate.

The CSA and STAR logos are owned by Cloud Security Alliance.

14 Our Project Execution Methodology

Plan
• Understanding the client’s entity & environment
• Define scope, expectations & project roles
• Readiness Assessment if required
• Kick off meeting with Stakeholders
• Preliminary interviews/questionnaires conducted to gain understanding of requirements
• Client information request list prepared & distributed
• Analysis of client prepared information performed & client feedback provided
• Project timeline (including estimates of client hours)/plan created
• Update plan based on client discussions

Deliver
• Understanding & verifying documentation of existing internal controls
• Perform Walkthrough
• Assess Risks
• Identifying the control objectives & controls in place
• Conduct Interviews
• Request Samples
• Validation of the implementation of controls
• Test results communicated & exceptions are resolved, if possible

Assess
• Evaluate samples
• Analyse samples for effectiveness
• Request additional information

Report
• Evaluate additional information
• Request clarification
• System Description & Management Assertions are drafted by client management through inputs from the audit team
• Issue draft report
• Incorporate Management comments & issue final report
• Ongoing support
• Answer questions from Management & User Auditors

Our Value Delivery
Knowing how much extra value and assurance a SOC report can deliver, many clients find that it makes sense to take steps to ensure a more successful outcome, including hiring experts who are skilled in helping organizations be more thorough and thoughtful in how they approach their engagement. Preparing for a SOC engagement is a matter of clear thinking and smart planning. Working with a cyber security specialist such as Accedere helps you dig into areas such as cloud security, data security, privacy, incident response, and much more.

Some of the advantages of working with us are:

01 End to end process for SOC Reporting & Attest Services
02 Project management methodology consistently applied to each engagement
03 Efficient service delivery with minimal disruption to operations
04 Our engagements are executed by senior experienced professionals
05 CEO has 18 years of Information/Cyber Security experience
06 Reduced time to complete assignments
07 Colorado licensed CPA Firm listed with PCAOB and Cloud Security Alliance
08 Prompt services with engagements completed in record time
09 Ongoing support
10 We are with you when you need us

For more information visit:

https://accedere.io