Overview of IT Audit and SOC 2

Uploaded by Ali GHORBEL

Introduction:
Having covered change management and cloud computing, we now shift our
focus to auditing, and specifically to SOC audits.

This chapter begins with an overview of IT auditing, then introduces the
SOC reporting framework, and culminates in an in-depth examination of SOC 2
and its process.

By the end of this chapter, we will have built a thorough understanding of
SOC 2 and its pivotal role in building trust and providing assurance. This
sets the stage for the next chapter, where we will see how SOC 2 audits are
applied in practice through a theoretical case study.

Information System Audit

With the increasing use of cloud computing, the audit of information
systems is becoming more and more crucial. Cloud computing has brought
new challenges and complexities regarding data security and access
management. This has highlighted the importance of robust audit practices
to confirm the efficiency, security, and reliability of the organization's
IT infrastructure and to identify the vulnerabilities and risks introduced
by the cloud.

In this section, we will discuss the meaning, types, objectives, and the
process of Information System Audit.

Definition
An information system audit is an evaluation of an organization's IT
infrastructure, controls, and operations, carried out by an independent
party (an internal audit function or an external auditor). It shows the
organization its strong and weak spots and gives recommendations for
improvement. Through an IT audit, a firm can review whether its existing
controls are protecting its assets and maintaining the accuracy of its
data.

As an unbiased observer, the IT auditor verifies that an organization's
controls are implemented appropriately to lower the risk of data breaches
and other security incidents.

SOC 2 reports form an important part of IT audits: a SOC 2 report provides
a thorough evaluation of an organization's controls in the areas of
security, availability, processing integrity, confidentiality, and privacy.
The two have a synergistic relationship. On one hand, SOC 2 reports
enrich IT audits by providing in-depth analysis and insight into an
organization's controls. On the other hand, IT audits can expand the scope
of the SOC 2 report: the broader scope of an IT audit can identify areas or
controls that should be covered in the next SOC 2 assessment.

Types
There are three types of IT audit, each with a distinct purpose and a
focus on a particular facet of information technology. In this part we
delve into each type to better understand its role and objectives:

 Contractual Audit:
A contractual audit is not mandated by law; it is based on an agreement
between the auditor, the organization, and its stakeholders. Its primary
objective is to fulfill contractual obligations previously agreed upon by
all the involved parties. In this type of IT audit, the client specifies
the areas that need to be reviewed; this includes the production of a SOC
report.
 Security Audit:
A security audit assesses the systems infrastructure and the security
practices of an organization. It identifies weaknesses and potential
security risks and suggests corrective measures and improvements. A
security audit differs from on-site inspections: it is not limited in
scope to specific guidelines and standards; instead, it thoroughly
evaluates the entire system to detect vulnerabilities and suggests
corrective actions.
 Legal Audit:
A legal (statutory) audit is a mandatory inspection carried out in
accordance with legal requirements and performed by one or more auditors.
Its objective is to establish that the financial statements are fair,
accurate, and in line with the applicable legal standards. Whether it
applies to a given business depends on its size, its operations, and the
laws that apply to its industry.

Objectives of the Information System Audit

Setting clear objectives for the IT audit helps the auditor stay aligned
with the organization's goals and keeps the audit process efficient and
focused. With clear objectives, auditors concentrate on the important
areas and provide insights that support the company's strategic
direction. The main objectives of an IT audit are:

 Evaluating all the systems and processes that secure the
organization's data. This includes reviewing the technologies,
procedures, and controls that are supposed to protect sensitive data
from breaches, loss, or unauthorized access. To meet this objective,
auditors evaluate all the security measures, such as encryption
protocols, network security configuration, backup procedures, and
access controls.
 Making sure that the implemented information management procedures
adhere to the applicable information systems standards, rules, and
policies. Auditors examine the relevant documentation, controls, and
processes and check whether they are in line with the specific
regulations or standards. Adhering to these regulations and standards
helps the company avoid legal penalties and protect the sensitive data of
its clients.
 Assessing the risks associated with the organization's information
assets and proposing measures to reduce them. Auditors conduct a
rigorous risk assessment to determine potential vulnerabilities,
weaknesses, and the impact of security incidents on business operations.
 Analyzing computer systems and their management processes in order
to identify inefficiencies and potential risks. This helps to identify
areas for improvement and to avoid future risks and vulnerabilities.

Steps in an IT Audit Mission

The IT audit process is composed of systematic steps during which
auditors assess controls, detect risks, and offer suggestions for
continuous improvement. Each step has a crucial role in preserving
operational integrity and securing organizational assets.

In this part we explore the IT audit process and define the aim of each
step involved:

Figure 1: Steps in an IT audit mission

Planning:
During the planning phase, auditors first define the audit mission, its
objectives, and its scope. The role and responsibilities of each team
member are clearly defined, and resources are assigned. Auditors and the
auditee collaborate in this step to make sure the following steps run
effectively and smoothly. Together, they set a detailed plan of the audit
activities, agree on the timeline, and discuss the procedures and the
areas to be evaluated during the audit.

 Outcomes of this step: engagement letter, planning memo, list of
the documents to be collected, list of the systems and applications to
be evaluated, list of contacts to meet, schedule of the interviews, work
plan...

Evaluate:
During the evaluation step, auditors analyze the auditee's IT
environment to understand its infrastructure and to identify patterns and
complexities. They then determine the controls and IT risks that need to
be addressed to make sure they are properly managed. In this step, the
audit plan is revised before validation: auditors check that it aligns
with the objectives of the audit and make the necessary modifications if
required.

 Outcomes of this step: meeting minutes, IT risk worksheet, IT risk
assessment sheet, description sheet of the IT environment, memo of the
cybersecurity issues.

Investigate:
During the investigation step, auditors use the documentation and
evidence they have gathered to test the operating effectiveness of the
control activities. They then review and refine their initial results
with the audited entity to ensure the accuracy and validity of their
assessment. If needed, auditors carry out additional investigations to
go deeper into areas of concern and provide a more complete and accurate
evaluation of the company's IT controls. In short, this step is crucial
because it detects potential problems and verifies that the current
controls are operating as intended.

 Outcomes of this step: IT testing sheets, IT risk worksheet

Conclude:
During this step, the auditors deliver their findings and results to the
audited entity's management, explaining how IT risks are being handled
and evaluating their scope. In some cases, the audit report is shared
with the financial audit team to make sure that the risks and controls
related to financial reporting are being correctly addressed. Lastly, the
performance of each member of the IT audit team is evaluated and the
audit work is archived.

 Outcomes of this step: audit report, summary memo, summary of
deficiencies

 Communication plays a crucial role throughout the audit process. It
ensures a common understanding of the internal control system between
the auditors and the audited parties. In the same way, auditors should
maintain constant communication with the financial audit team to keep
them informed of the progress of the engagement and of any findings or
conclusions.

Introduction to SOC
Businesses face more and more cybersecurity risks as they increasingly
rely on cloud services and undergo frequent changes to their IT systems.
SOC reports (originally "Service Organization Control", renamed by the
AICPA to "System and Organization Controls" in 2017) are a key tool for
assessing and giving assurance over the security, availability,
processing integrity, confidentiality, and privacy of the services of an
organization. These reports demonstrate adherence to rigorous control
criteria, which promotes transparency and fosters trust among
stakeholders. In this section, we explore SOC reports, delve into their
history and types, and take a closer look at the SOC 2 report.

Definition
SOC reports are attestation reports issued under standards of the
American Institute of Certified Public Accountants (AICPA) to evaluate
and report on controls related to security, availability, processing
integrity, confidentiality, and privacy. They are produced by independent
third-party auditors (licensed CPA firms) to strengthen the
trustworthiness of an organization. Note that a SOC report is an
auditor's opinion, not a certification: it states whether the
organization's controls are suitably designed (and, in a Type 2 report,
operating effectively) to secure its clients' data. SOC reports are
generally renewed once a year and are considered crucial for
organizations operating in sectors where privacy and data protection are
critical. One of the main objectives of SOC is to evaluate the security
of an information system; those who seek SOC reporting typically manage
large amounts of data on behalf of other companies. A service provider
can also independently opt for a SOC report before any client asks for
it; this demonstrates trustworthiness and can help attract new clients.

History of SOC:
Since the 1990s, organizations have been outsourcing all or part of their
data and operations to service providers to run their activities more
effectively. Consequently, the risks related to outsourcing grew, and
concerns about data security became pressing.

To address this need, the AICPA issued the Statement on Auditing
Standards No. 70 (SAS 70) in 1992. This statement was developed with a
particular focus on financial reporting, to evaluate the financial
controls of service providers. But this wasn't enough.

With rapid technological evolution and rising concerns about hacking and
data theft, financial controls covered only a small fraction of the
risks. Clients became more conscious of the importance of protecting
their data and started looking for a more complete and thorough
assessment of data security and privacy.

To satisfy these requests, the AICPA introduced a turning point in the
history of data security assurance: the Statement on Standards for
Attestation Engagements No. 16 (SSAE 16), issued in 2010, which replaced
SAS 70 and led to the creation of the SOC reports, one of the most widely
adopted assurance mechanisms among service providers. SSAE 16 was itself
superseded by SSAE 18 in 2017, which is the standard under which SOC 1
and SOC 2 reports are issued today.

After looking at the history of SOC, we now discuss the different types
of SOC reports, their contents, and the standards that apply to them.

Different SOC Reports:

There are several types and versions of SOC reports, depending on the
nature of the business and the information required; each report is
intended to evaluate and report on a particular aspect of an
organization's controls. In this part, we give an overview of the
different SOC reports, focusing mostly on SOC 2.

SOC 1, SOC 2, and SOC 3

a) SOC 1:
The SOC 1 report is designed for service providers whose services have a
direct or indirect impact on their clients' financial statements (for
example providers of payment services). It must be issued by a CPA
(Certified Public Accountant) firm specialized in business process
controls and IT audit.
A SOC 1 report demonstrates to the user entities and their financial
statement auditors that the service provider's internal controls over
financial reporting are effective. It involves a thorough assessment of
any control that affects financial transactions or accounting
procedures.
b) SOC 2:
The SOC 2 report is concerned with data security and technology rather
than financial reporting. It gives user entities and their auditors
assurance about the effectiveness of the controls over security,
availability, processing integrity, confidentiality, and privacy. The
report relies on an assessment of every control that affects access
management, risk management, and data availability and integrity
processes, and it indicates whether the service organization's controls
meet the Trust Services Criteria (TSC).
c) SOC 3:
Unlike the SOC 2 report, which is a restricted-use report not meant for
the general public, the SOC 3 report is a concise, general-use version of
the SOC 2 report that can be made public. Because it is meant for the
general public, the SOC 3 report does not contain the detailed system
description, test procedures, or test results, and is therefore much less
detailed than the SOC 2 report. It has the same aim as the SOC 2 report:
it shows that the service provider protects its clients' data by
implementing the necessary controls.

The definition of each SOC report is summarized in the illustration
below:

Figure 2: The definition of SOC 1, SOC 2, and SOC 3

The differences between the SOC reports, and the objectives and scope of
each of them, are summarized in the table below:

SOC 1
- Objectives and characteristics:
  - Assesses the internal controls relevant to the user entities'
    financial reporting.
  - Focuses on financial controls.
  - Restricted use: available only to the service organization, its
    user entities, and their auditors.
  - Standards: ISAE 3402; SSAE 18 (AT-C section 320).
- Who needs it? Businesses offering financial services, for example
  providers of payment services.

SOC 2
- Objectives and characteristics:
  - Evaluates the effectiveness of the service organization's security,
    availability, processing integrity, confidentiality, and privacy
    controls over the user entities' data.
  - Focuses on operational controls.
  - Restricted use: available only to the service organization, its
    user entities, and their auditors.
  - Standards: SSAE 18 (AT-C sections 105 and 205); ISAE 3000; TSP
    section 100 (Trust Services Criteria).
- Who needs it? IT service providers that transfer, process, or store
  data on behalf of their clients.

SOC 3
- Objectives and characteristics:
  - Scope and content similar to the SOC 2 report, but it does not
    include the testing procedures, the detailed controls, or the
    results.
  - Also based on the five Trust Services Criteria.
  - General use: published for the public, for marketing purposes.
- Who needs it? Businesses that, for commercial reasons, want to
  communicate publicly that they have a SOC 2 report.

Table 1: Objectives and characteristics of each SOC report

Types of SOC Report:

There are two main types of SOC report, for both SOC 1 and SOC 2:
 Type 1:
A Type 1 report evaluates the design of the controls and determines
whether they meet the applicable criteria as of a specified date. It
provides a snapshot of the design and implementation of the controls at
one point in time, without evaluating the operating effectiveness of
these controls over an extended period.
 Type 2:
A Type 2 report covers a review period (typically between three and
twelve months) during which the operating effectiveness of the controls
is tested. It gives stakeholders insight into how consistently and
reliably the organization's internal controls function over that period.
We now explore the types of SOC 2 report in more detail, with particular
attention to how SOC 2 Type 1 and SOC 2 Type 2 differ from one another:

SOC 2 Type 1
- The report is issued as of a particular point in time.
- It evaluates whether the design and implementation of the controls put
  in place by a service organization meet the Trust Services Criteria
  (TSC).
- It requires less information, documentation, and evidence to
  demonstrate compliance.
- It suits clients who want to assess their level of security at a
  specific point in time.
- It is faster to obtain and complete.

SOC 2 Type 2
- The report covers an extended review period (three to twelve months).
- To obtain a Type 2 report, the business goes through a rigorous audit
  over that period; the auditor reviews both the design of the internal
  controls and their operating effectiveness.
- It requires a significant investment in time and resources.
- It suits clients who want to assess the long-term sustainability of
  their controls.
- It is a more expensive and time-consuming audit process.

Table 2: Types of SOC 2 reports

Understanding SOC 2:
SOC 2 reporting is gaining recognition worldwide. It is designed for
companies that provide systems and services such as cloud hosting,
Software as a Service (SaaS), or Platform as a Service (PaaS) to their
clients. The report gives clients assurance that the service provider
adheres to high standards in terms of security, availability, processing
integrity, confidentiality, and privacy. It is often loosely called a
"SOC 2 certification", but strictly it is an attestation report carrying
an auditor's opinion, not a certificate.

In this part, we explore the content of the SOC 2 report, go over the
Trust Services Criteria (TSC), and discover the advantages of producing
a SOC 2 report.

Content of SOC 2 Report

The final version of the SOC 2 audit report includes four key sections:

Management Assertion:
In this part, the company's management confirms that the description of
the system stated in the report is accurate and that the controls listed
in the report are suitably designed and operating properly. This part
includes:
- A statement attesting to the validity and accuracy of the system
description
- A statement that the controls are suitably designed to meet the Trust
Services Criteria
- Confirmation that the controls operated effectively during the
designated period (Type 2 reports)

The Auditor's Report:
This part contains the professional opinion of the independent auditor
regarding the effectiveness of the company's controls. It includes:
- A description of the auditor's testing procedures
- The results of the tests performed and the deficiencies or exceptions
identified
- The auditor's overall assessment of the controls' conformance with the
Trust Services Criteria
- An evaluation of the controls' design and operating effectiveness

System Overview:
This part provides a thorough and comprehensive description of the system
being audited. It covers:
- An overview of the services the company offers
- Details on the flow of data in the system and how the system processes
data
- The boundaries and components of the system (infrastructure, people,
data, software, and procedures)
- Details of the controls implemented for security, availability,
processing integrity, confidentiality, and privacy

Applicability of Trust Services Criteria:
This part shows whether the system's controls meet the Trust Services
Criteria. It involves:
- Describing each control used to meet the criteria for security,
availability, processing integrity, confidentiality, and privacy
- An evaluation of the controls' weaknesses and of any areas for
improvement
- A description of how each control is designed to reduce risk and meet
the criteria
Table 3: Content of SOC 2 report

=> The structure of the SOC 2 report differs from one audit firm to
another, but it usually contains these same components.

Trust Services Criteria (TSC):

The Trust Services Criteria are criteria developed by the American
Institute of Certified Public Accountants (AICPA) for assessing the
effectiveness of the security, availability, processing integrity,
confidentiality, and privacy controls implemented by service providers.
They exist to ensure that service providers follow rigorous requirements
for protecting clients' data and systems. During a SOC 2 audit, auditors
check whether the implemented controls meet the TSC. In short, the TSC
serve as the benchmark against which auditors assess the internal
controls of service providers.
The Trust Services Criteria are grouped into five categories:
 Security:
The system and its data are protected against unauthorized access
(physical and logical), unauthorized disclosure, and damage. Security is
the only mandatory category; the other four are included in the scope at
the service organization's discretion.
 Availability:
The system is available for operation and use as committed or agreed,
so that clients' data and the relevant functions remain accessible to
authorized users.
 Processing integrity:
The system functions correctly: its processing is complete, valid,
accurate, timely, and authorized.
 Confidentiality:
Information designated as confidential (clients' data as well as the
service provider's internal data) is protected as committed or agreed.
 Privacy:
Personal information is collected, used, retained, disclosed, and
disposed of in a way that respects the privacy of the individuals
concerned.

Figure 3: Trust Services Criteria

Advantages of Producing a SOC 2 Report:

For service organizations and their clients, producing a SOC 2 report is
highly beneficial. The report helps demonstrate conformity to industry
norms and standards and strengthens stakeholders' confidence. In this
part, we explore the main advantages of producing a SOC 2 report:
 Advantages for the service provider:
- Competitive advantage: Obtaining a SOC 2 report helps the service
provider compete in a very competitive industry. Because it is issued by
an independent auditor, it showcases the maturity of the service
provider's control environment and gives it an edge over competitors
that cannot demonstrate the same.
- Reduced risk: The SOC 2 report helps retain clients' trust and
safeguard the reputation of the service provider. The audit itself
drives improvements that reduce the risk of compromising the privacy and
security of personal and sensitive data.
- Reduced audit effort: A SOC 2 report reduces the need to answer
repeated client security questionnaires and undergo multiple individual
client audits, saving time and resources. Because it is an independent,
unbiased report that no single party can influence, it boosts the
credibility and transparency of the firm.

 Advantages for the entity that uses the SOC 2 report:
- Cost reduction: An entity relying on a SOC 2 report spends less on
verifying the security and safety of the services it consumes.
- Maintaining trust and assurance in its service provider.
- Confirming that the third party's internal control system is
effective.

SOC 2 Audit Process Overview

SOC 2 Audit Process:
While every business is unique and has its own challenges and
characteristics, the SOC 2 audit process follows a clear, well-defined
series of steps. These steps provide a structured framework for
assessing organizational practices and internal controls. In this part,
we delve into the SOC 2 audit process and discuss each of its phases.

Figure 4: Overview of the SOC 2 Audit Process

Step 1: Determining the type of the report:

Choosing between a Type 1 and a Type 2 SOC 2 report depends on several
criteria, including:

- Business needs: Based on business requirements, competitive position,
and risk management, the firm determines whether it needs a Type 1 or a
Type 2 report.
- Budget: Budget constraints can influence the choice of report type. As
explained in the previous section, a Type 2 report requires more
extensive testing and is therefore usually more costly than a Type 1
report.
- Urgency: If there is an urgent need to demonstrate SOC 2 compliance,
it makes sense to opt for a Type 1 report first and plan a Type 2 report
to follow.
- Competitive advantage: This depends on the company's vision and
objectives; if the aim is to gain a competitive edge, a Type 2 report is
the stronger choice.
- Regulatory compliance: Some industries are subject to regulatory
requirements that influence the type of report needed. Companies
operating in highly regulated industries may need a Type 2 report to
meet specific requirements.

Step 2: Defining the audit scope:

The second step is to define the relevant scope, including the services,
systems, and criteria over which the end users need assurance. This
includes determining the audit period (AICPA guidance generally expects
a review period of at least six months for a Type 2 audit) and the
relevant Trust Services Criteria (Security is always in scope; a firm
adds the other criteria that are most critical to it, which matters
especially if it has limited resources).

Once the reporting period and the TSC are fixed, we identify which
controls and security systems are relevant to the chosen TSC. We then
gather the required documentation for those controls and systems. The
documentation includes:

- Change management information
- Asset inventories
- System backup logs
- Business continuity plans
- Incident response plans
- Codes of conduct and ethics policies

After collecting the necessary documentation, the auditor reviews it and
assesses the operating effectiveness of the controls and systems in
question.
Step 3: Conducting a gap analysis:
The gap analysis identifies the areas where the system does not
adequately protect clients' data. Its findings highlight the areas that
require improvement and feed a remediation plan to close these gaps so
that the system complies before undergoing the official SOC 2 audit.
Step 4: Conducting a readiness assessment:
During this phase, the IT auditor performs a readiness assessment in
which the company's gaps are identified and recommendations are
provided. Throughout this evaluation, the audit firm assesses the degree
to which the systems and controls conform to the selected Trust Services
Criteria. The organization should educate itself about these criteria
and be prepared to answer specific questions such as:
- About Security: "How is the system protected against cyber-attacks?"
- About Availability: "How do you meet your availability commitments,
for example through capacity monitoring, backups, and recovery testing?"
- About Processing Integrity: "Does the system perform its intended
functions accurately and completely?"
- About Confidentiality: "How do you determine when sensitive data may
be shared, and how do you make sure the system maintains the
confidentiality of that information?"
- About Privacy: "What measures do you take to protect personal
information when it is collected, used, and shared?"

Once the readiness assessment is complete, the audit firm delivers a
report that outlines which controls will be included in the final SOC 2
audit report and how they relate to the selected TSC. It also points out
any gaps that could prevent adherence to these criteria. This evaluation
confirms that the company is ready to meet the SOC 2 criteria before
proceeding with the official audit.

Step 5: Choosing the auditor:

Now that everything is ready, the audit can start. To conduct a SOC 2
audit and issue an official report, the auditor must be a licensed
Certified Public Accountant (CPA) firm, because SOC reports are
attestation engagements performed under AICPA standards. There are a few
key factors to consider when selecting the audit firm:

- Level of experience: Seek a team that has already performed SOC audits
for businesses of a similar size operating in related industries.
- Compatibility: The organization and the audit firm need to work well
together. Effective communication and collaboration are crucial to a
successful audit.
- Engagement duration: Verify the expectations regarding the audit
timeline and on-site visits. A SOC 2 engagement often takes several
months, including the review period and the final reporting. Go over
these timelines with the auditor to make sure they fit the firm's needs
and schedule.
- Audit process: Seek a clear understanding of how the audit firm will
conduct the audit and prepare the final report: how it gathers evidence,
assesses controls, and communicates results.
Step 6: Beginning the formal audit process:
With all preparations done, the formal SOC 2 audit begins. First, the
auditor spends several weeks working with the company's team to
schedule a convenient start date and walk through the audit process.
Here is what happens:
1- Security questionnaire: Many audit firms start by asking questions
about the firm's policies, processes, controls, and IT infrastructure.
This also helps the firm's team build good security habits.
2- Collecting control evidence: The firm provides the auditors with
evidence and documentation of its security controls. Auditors typically
review several dozen distinct controls; the firm must demonstrate that
every security policy and internal control exists and is working
correctly. The auditors use these demonstrations to understand how the
controls are intended to operate.
3- Evaluation: Auditors collaborate with the process owners to review
operational practices and security measures.
4- Follow-up: During the SOC 2 audit, auditors meticulously verify
everything, so they may request additional evidence or clarification on
some controls or processes despite all the preparation work. If the
auditor observes a compliance gap that can be quickly corrected, they
may ask for it to be fixed before proceeding further.
5- Final SOC 2 report: At the end of the audit, the firm receives a
written report that outlines all the findings. A clean report adds value
to the company; if issues are identified, the report serves as guidance
for addressing them and improving compliance.
Step 7: Receiving the audit report.
A comprehensive report covering the controls across all the selected
Trust Services Criteria is provided to the client, giving assurance of
compliance with the SOC 2 requirements.

SOC 2 controls related to change management:


Control mapping in SOC 2 is a crucial step which entails putting all the
required controls into a framework that is structured and compliant with
the Trust Service Criteria. With a comprehensive coverage of security,
availability, processing integrity, confidentiality, and privacy, this
framework ensures that every control is methodically addressed and
evaluated. In this part, we will briefly present the overall controls
encompassed within the Common Criteria (CC) framework with a particular
focus on controls related to change management.

The SOC 2 Common Criteria list, also known as the CC series, is organized
into nine categories; and change management is specifically addressed
within one of these categories.

Overview of SOC 2 Common Criteria Categories


CC1 - Control Environment: Does the organization prioritize integrity
and security? This evaluates whether the company’s culture values security
and ethical behavior; it analyzes ethical standards, governance
frameworks, and management philosophy.

CC2 – Communication and information: Is the company implementing
policies and procedures to ensure security? Are these procedures
effectively communicated to internal and external stakeholders? Is
everyone involved, and does everyone understand the security policies?

CC3 – Risk Assessment: Is the company analyzing risks and monitoring
the impact of changes on these risks? It is about identifying risks,
assessing their impact, and putting in place measures to mitigate them.

CC4 – Monitoring Activities: Is the effectiveness of the controls being
assessed, monitored, and communicated by the organization? This
ensures that the company’s controls are performing as intended.

CC5 – Control Activities: Are the right processes, controls, and
technologies implemented correctly to reduce risks? This is about
checking that the risk responses are effectively carried out.

CC6 – Logical and Physical Access Controls: Is physical access to
servers restricted? Does the company encrypt data and manage access
controls in an effective way?

CC7 – System operations: Are systems performing their functions correctly?
Has the company put in place plans for disaster recovery and
incident response? This means reviewing system operations and ensuring
that they are stable, reliable, and ready to face issues.

CC8 – Change management: Have the significant changes made to the
system been tested and approved before their implementation? This
involves evaluating how the company implements changes and controls
them to avoid negative impacts on operations or security.

CC9 – Mitigation: Does the company have suitable operational processes
that aim to manage its risks effectively? This is about ensuring that
operational processes are robust enough to overcome potential risks.

In-depth Analysis of change management controls in SOC 2:

CC8.1 – The entity authorizes, designs, develops, acquires,
configures, documents, tests, approves, and then implements
changes to the infrastructure, data, software, and procedures.
Throughout the system’s lifecycle and its main components (its
infrastructure, software, data, and procedures), we should employ a
change management process to preserve processing integrity and
system availability.
This process aims to:
- Authorize system modifications before their development.
- Design and then develop changes to support the system’s
maintenance and assist users in carrying out their responsibilities.
- Review system modifications before their implementation.
- Select and implement the configuration settings used to review the
functionality of the software.
- Evaluate the changes throughout the system development
lifecycle.
- Identify the infrastructure, software, data, and procedural changes
that are required to handle incidents and potential issues.
- Establish and manage the baseline IT system configurations.
- Implement a process to authorize, design, test, confirm, and
implement the required changes during emergency situations.
- Make sure that confidential information is well protected during
the system design, development, testing, and implementation
processes to meet the privacy goals.
Table 4: CC8.1 - Change management control in SOC 2
Control evaluation process:
Design suitability:
Checking whether a control is properly configured to manage a particular risk is a crucial step in
evaluating the control’s design; it checks whether the control responds to the relevant TSCs for this process.
Here is what this involves:

- Identify the missing controls: We check whether any important control is
missing.
- Assess the existing controls: We evaluate the controls currently implemented and
check whether they are properly designed and achieve their intended objectives. In some
cases, a control can be operating properly and as it should, yet it may not be effective
and may not manage the risks it is meant to manage.

During this step, the firm’s auditor usually needs to implement these
procedures:

- Conducting an interview with the person responsible for the control to better
understand how the control is carried out.
- Observing how the control operates through a demonstration
done by the person in charge.
- Reviewing the documentation and practices of the service provider
regarding this control.
N.B: The audit team is required to perform at least two of the three
techniques mentioned above.
After that, the audit team needs to validate the design based on the criteria
described below:
- How is the control’s objective correlated with its identified risks?
- Checking the experience, authority, and qualifications of the person
performing the control.
- Checking how often the control is performed (the frequency of
execution)
Through this step, we can identify any design flaws and take
corrective decisions by making the necessary adjustments
to strengthen the control environment.
Operational effectiveness:
Operational effectiveness is evaluated over a period of 12 months to make sure that
the control is functioning effectively and achieves its desired objectives.

To validate this step, it is crucial to obtain the necessary documentation that describes how
the control operates. We should then make sure that these documents are accurate and
complete by assessing these criteria:

a) IPE and IUC validation:

The Information Provided by the Entity (IPE) refers to the documents and data supplied
to the audit team to test the control’s effectiveness.

The Information Used by the Control (IUC) refers to the data used by the service
provider’s team to perform the internal controls. The audit team should determine
whether the information is accurate, comprehensive, and complete to support their
testing phase.

There are 3 main criteria used to validate IPE and IUC:

- Data source: We should access the data sources to verify their completeness and
accuracy, by determining where the information is created, transmitted,
and stored.
- Parameters: This involves the paths
- Logical reports: Checking the algorithms, formulas, and scripts used to extract and
provide the required information.

Once IPE and IUC have been verified, we can start the operational effectiveness testing.

b) Techniques to assess the controls’ operational effectiveness:

To test how well the controls are working, we first need to understand how they operate. This
can be done using three techniques:

- Observing how the control operates.
- Inspecting documents and procedures.
- Reperforming the control operation.
c) Determining the scope and effectiveness of control testing:

The auditor team should rely on their experience and professional judgment to decide
whether to test the full population or just a sample of it when determining the scope of
control testing.

These are the main important factors to consider:

- The population size: The total number of transactions or items that should be tested.
- The control frequency: How often is the control applied?
- Inherent risk (RAIT): The possibility that a significant anomaly or incident would
happen throughout the process regardless of the internal controls in place. The RAIT
can be LOWER or HIGHER.
- Control risk (RAWC): The risk that a major anomaly would arise in the
process and go unnoticed by the internal control, leading to unresolved
problems. The RAWC can be HIGHER or NOT HIGHER.

Once the control’s design and operational effectiveness are both regarded as effective, the
control is deemed valid. If, however, there are issues with the effectiveness tests, the
control is not deemed valid.
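The IPE validation in (a) and the scoping factors in (c) are the two steps an auditor performs before any item is tested, so here they are together as an added example (not code from this chapter): the script reconciles a constructed change-ticket extract against the source-system count and the audit period, then derives a sample size from the four factors named above (population size, control frequency, RAIT, RAWC) and draws the sample reproducibly. The baseline sample-size table, the 50% uplift applied per elevated risk factor, and the seeded selection are assumptions for illustration; the chapter names the factors but gives no figures, and real engagement methodologies differ.

```python
"""IPE completeness check, then sample sizing and selection.

Added example. The sample-size table and risk uplift are assumed
conventions for illustration, not figures from the chapter.
"""
import math
import random
from datetime import date
from typing import Dict, List, Tuple

# Assumed baseline sample sizes by control frequency (illustrative only).
BASE_SAMPLE: Dict[str, int] = {
    "annual": 1,
    "quarterly": 2,
    "monthly": 3,
    "weekly": 5,
    "daily": 25,
}
RISK_UPLIFT = 1.5  # assumed: each elevated risk factor raises the sample by 50%
REQUIRED_FIELDS = ("id", "date", "owner")  # assumed minimum fields per record


def validate_ipe(extract: List[dict], source_count: int,
                 period: Tuple[date, date]) -> List[str]:
    """Completeness and accuracy checks on the population the entity provided (IPE).

    Reconciles the extract to the source-system record count, and flags
    duplicate ids, records outside the audit period and rows missing fields.
    """
    findings: List[str] = []
    ids = [r.get("id") for r in extract]
    if len(ids) != source_count:
        findings.append(f"extract has {len(ids)} records, source system reports {source_count}")
    if len(set(ids)) != len(ids):
        findings.append("duplicate record ids in extract")
    start, end = period
    outside = [r["id"] for r in extract if not (start <= r["date"] <= end)]
    if outside:
        findings.append(f"records outside audit period: {outside}")
    incomplete = [r.get("id") for r in extract
                  if any(r.get(f) in (None, "") for f in REQUIRED_FIELDS)]
    if incomplete:
        findings.append(f"records missing required fields: {incomplete}")
    return findings


def sample_size(population: int, frequency: str, rait: str, rawc: str) -> int:
    """Derive the number of items to test from the four scoping factors.

    rait is "LOWER" or "HIGHER"; rawc is "NOT HIGHER" or "HIGHER". When the
    population is no larger than the computed sample, the full population is tested.
    """
    n = BASE_SAMPLE[frequency]
    if rait == "HIGHER":
        n = math.ceil(n * RISK_UPLIFT)
    if rawc == "HIGHER":
        n = math.ceil(n * RISK_UPLIFT)
    return min(n, population)


def draw_sample(ids: List[str], n: int, seed: int) -> List[str]:
    """Select n items with a recorded seed so the selection can be re-performed later."""
    return sorted(random.Random(seed).sample(ids, n))


# Constructed ticket extract (IPE) for the example; values are made up.
AUDIT_PERIOD = (date(2023, 1, 1), date(2023, 12, 31))
EXTRACT = [
    {"id": "CHG-101", "date": date(2023, 2, 3), "owner": "ops"},
    {"id": "CHG-102", "date": date(2023, 4, 18), "owner": "ops"},
    {"id": "CHG-102", "date": date(2023, 4, 18), "owner": "ops"},  # duplicate row
    {"id": "CHG-103", "date": date(2024, 1, 9), "owner": "dev"},   # outside period
    {"id": "CHG-104", "date": date(2023, 9, 30), "owner": ""},     # missing owner
    {"id": "CHG-105", "date": date(2023, 11, 2), "owner": "dev"},
]
SOURCE_COUNT = 7  # count reported by the ticketing system: extract is one short


def run_example() -> Dict[str, object]:
    """Validate the IPE first; only a clean population is sampled."""
    findings = validate_ipe(EXTRACT, SOURCE_COUNT, AUDIT_PERIOD)
    if findings:
        return {"ipe_findings": findings, "sample": None}
    ids = [r["id"] for r in EXTRACT]
    n = sample_size(len(ids), "daily", "HIGHER", "NOT HIGHER")
    return {"ipe_findings": [], "sample": draw_sample(ids, n, seed=2023)}


if __name__ == "__main__":
    print(run_example())
```

The order matters: a sample drawn from an incomplete or padded extract tells the auditor nothing about the real population, which is why the chapter places IPE and IUC validation before effectiveness testing.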

Conclusion:
SOC 2 reports are becoming highly common and crucial for companies
that offer services to user entities: they guarantee the existence of strong
internal controls and play a necessary role in preserving trust between
service providers and their clients. In this chapter, we have explored the SOC 2 audit,
going over its background, its different types, and the detailed process of the
audit mission. We also covered the content of a SOC 2 report and the
importance of having such a report. In the upcoming chapter, we will
present a theoretical case study of a SOC 2 mission and
demonstrate its practical application, especially for change management.