Service Organization Control (SOC) 2+ reports are a valuable tool for organizations evaluating the cybersecurity risk of their third-party vendors. Organizations frequently outsource key functions to service organizations (or vendors) that provide specialized business-process outsourcing services. As a result, organizations typically share sensitive data – such as financial transactions, customer lists, and patient records – with their vendors and expect them to treat the shared information securely and confidentially.
Organizations expect that their vendors have implemented appropriate controls related to cybersecurity. However, in a 2014 survey of midsize-business owners and C-level executives by The Hartford, 13 percent of the respondents indicated that they have had a supplier’s data breach affect their business information.
In order to properly evaluate cybersecurity risk, organizations must include an evaluation of their vendors in their risk assessment. The third-party risk management activities an organization chooses to perform for each vendor should be based on the risks associated with the vendor. Service organizations are frequently asked to provide evidence of having implemented proper controls to protect their customer data.
A common method of providing information about a service organization’s control environment is a SOC report issued by an independent CPA firm. A SOC 2+ report is one type of SOC report that service organizations can provide to a user organization. The SOC 2+ report evolved from the industry-accepted and trusted SOC 2 report.
A recent news release from the American Institute of Certified Public Accountants (AICPA) discusses the use of a SOC 2+ report to provide end users with information about the design and operating effectiveness of controls related to the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) requirements and the AICPA’s Trust Services Principles – security, availability, processing integrity, confidentiality, and privacy. A SOC 2+ report allows a service organization to report not only on the AICPA’s Trust Services Principles but also on another applicable control framework, a bonus for service organizations that want to demonstrate compliance with another control framework.
Service organizations often are required to demonstrate compliance with different control frameworks based on the industry in which they operate. A SOC 2+ report can be a valuable tool for service organizations to demonstrate their implemented controls for particular frameworks. For example, service organizations may need to demonstrate that they have implemented controls related to one of the following frameworks:
In general, these control frameworks can be mapped to the AICPA’s Trust Services Principles, allowing the design and operating effectiveness of framework-related controls to be represented in a SOC 2+ report.
In order to demonstrate how it has implemented cybersecurity controls, a service organization can provide a SOC 2+ report covering the NIST Cybersecurity Framework and the AICPA’s Trust Services Principles. The content of the report includes the service auditor’s opinion, a management assertion related to controls, a detailed description of controls implemented by the service organization, and a detailed description of the service auditor’s tests of controls and results related to the NIST Cybersecurity Framework and the selected Trust Services Principles. SOC reports are considered a reliable resource for user organizations to evaluate a vendor’s controls because:
When an organization outsources services to a vendor, the vendor’s control environment effectively becomes part of the organization’s control environment. Therefore, evaluating the controls of each service provider being used is an important component of managing cybersecurity risk. SOC 2+ reports provide a trusted and effective method to evaluate a vendor’s controls.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2018 Crowe Horwath LLP, an independent member of Crowe Horwath International.