Service Organization Control (SOC) audits and report types are much more important than they used to be. Not only will questions on them appear on the exam, but ISC2 has beefed up the Common Body of Knowledge with more information on this topic, so let’s dive in with some mnemonics and try to break this down as simply as possible.
For SOC 1, say the phrase “Finance First”. SOC 1 audits deal with internal controls over financial reporting.
For SOC 2, say the phrase “Trust is Two” because SOC 2 uses the trust services criteria. SOC 2 deals with security controls.
People often refer to SOC as either an audit or a report. Remember that the report “type” has not been identified yet, so a key phrase for these concepts is “report type”, which is different from the “SOC type”. SOC is more of a category for the type of audit, while the report type determines whether the report reflects a point in time or a period of time.
A SOC 3 report is basically a redacted SOC 2 report. It’s intended for a public audience and is usually available on an organization’s website. Since the SOC 2 report used the trust services criteria, the SOC 3 will have them as well.
SOC for cybersecurity is a report that shows how an organization meets its cybersecurity requirements. It also uses the trust services criteria.
You can use the mnemonic SACPiP, or SACpipe, and try to think of a bagpipe as a “sack”pipe. The criteria are Security, Availability, Confidentiality, Processing integrity, and Privacy.
The first letter of each criterion (plus the “i” from integrity) gives you SACPiP, the sacpipe.
Once again, the trust services criteria are used by SOC 2, SOC 3, and SOC for cybersecurity.
Now let’s get into the “report types” as mentioned above.
A type 1 report has a point: think of the number one and how it has a point at the top.
This point refers to the fact that the report reflects a point in time, not a period of time. The report focuses on the suitability of the design of controls and on whether the description of the system is fairly presented, and shows that the organization is conducting due diligence.
A type 2 report has more than one point, so it refers to a period of time rather than a point in time.
The report covers everything that a type 1 does, with the addition of operating effectiveness, because it examines a period of time rather than a point in time. This report shows that due care is being practiced.
We should point out that ISC2’s materials reverse the due care and due diligence attributions for the type 1 and type 2 reports. This may change, but ISC2 is known to have errors in its study materials.
Here is our video that illustrates this topic in detail:
Preparing for the SOC audit:
There are two phases in preparing for the SOC audit. If you need a mnemonic to memorize the sub-phases, use the following: phase 1: SSIRR, phase 2: DAAWM CTO IALR.
To give this mnemonic some context, pretend you are in charge of collecting evidence for a case alleging that the CTO had committed fraud. As you’re talking to your CIO, you say: “Sir, the damn CTO is a liar!” You’ll spell it SSIRR, DAAWM CTO IALR, so be sure to write this down on your memorization sheet.
Phase one is the preparations phase. During the preparations phase, you would expect to see activities like:
- Schedule preparation.
- Scope for the audit, which would include success criteria for the audit overall.
- Inventory of controls based on the scope.
- Readiness review (gap analysis).
- Resolve any discrepancies identified during the gap analysis.
As you can see, this is the “SSIRR” part of the mnemonic, except that we spell “SIR” with two S’s and two R’s.
Phase two: audit phase.
If you’ve been through an audit of any kind, this is fairly standard, so this mnemonic is really for those of you who might struggle with this type of thing.
The activities in the audit phase are as follows:
- Detailed project plan for the audit – this might seem like it belongs in the planning of phase one, but it refers to the specific activities that will be carried out during the audit itself.
- Artifacts – gather all required data artifacts in advance. This might also seem like part of the preparation phase, but it is typically done when the auditor requests the documents or provides a list of documents that may be examined while on site, so technically it is part of the audit phase.
- Access (physical) – providing access to facilities.
- Work space – providing work spaces so the auditors can work.
- Meeting areas – reserving areas for on-site discussions with subject matter experts.
- Conducting meetings between experts and auditors.
- Testing, and providing the resulting artifacts and evidence to the auditors.
- Offsite analysis of the artifacts collected or generated during the audit.
- Issue resolution – resolving any issues or impediments to audit completion in a timely, collaborative manner.
- Audit reports – providing them to management for review.
- Lessons learned – the post-audit internal review.
- Recommendations for management to consider for the next audit cycle.
Here is some additional information on this that you might need to know. The Common Body of Knowledge covers Statement on Standards for Attestation Engagements (SSAE) 16 and SSAE 18, and describes how the report sections are organized; the section layout is the same in both standards.
- Section one: Service auditor’s independent report, aka “opinion”.
- Section two: Written attestation or assertion about the controls by the service organization.
- Section three: Description of internal controls and control objectives by service organization.
- Section four: Service auditor’s information, which includes tests of operating effectiveness.
- Section five: Additional information included that the service organization needs to supply.