Attestations

Service Auditors Reports are designed to help organisations take confidence in the Information Systems Control Environment operated by a Service Organisation by assessing the design and operating effectiveness of internal controls over a defined period, usually aligned to the organisation's accounting year.

In order to achieve SOC 2 certification and meet the latest SOC 2 report framework standards, organisations must have implemented the latest 2017 Trust Services Criteria (TSC).

The Trust Services Criteria (previously Trust Services Principles) are a set of criteria and related controls that organisations must implement across the organisation and IT infrastructure. The five categories of control criteria are Security, Availability, Processing Integrity, Confidentiality and Privacy, each described below.

At a glance:

  • We will provide an experienced team led by a subject matter expert

  • We will work with management to ensure the smooth planning, delivery and reporting of outcomes

  • We will deliver an independent Service Auditors Report in accordance with AICPA COSO guidance.

Security

A business’s data and computing systems are fully protected against any unauthorised access, unauthorised and inappropriate disclosure of information, and any possible damage to systems that might compromise the processing integrity, availability, confidentiality or privacy of data or systems that may affect the entity’s ability to meet its objectives.

The security criteria refer to your organisation's protection of:

  • Information during its collection or creation, use, processing, transmission, and storage.

  • Systems that use electronic information to process, transmit or transfer, and store information to enable your organisation to meet its objectives. Controls over security prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorised removal of information or system resources, misuse of software, and improper access to or use of, alteration, destruction, or disclosure of information.

Availability

All information and computing systems are always ready and available for operation and use to meet the entity’s objectives.

Availability refers to the accessibility of information used by your organisation’s systems as well as the products or services provided to its customers.

  • The availability objective does not, in itself, set a minimum acceptable performance level

  • It does address whether systems include controls to support accessibility for operation, monitoring, and maintenance

  • It does not address system functionality (the specific functions a system performs) or usability (the ability of users to apply system functions to the performance of specific tasks or problems).

Processing Integrity

All system processing is complete, accurate, valid, timely and authorised to ensure that the entity meets its objectives.

Processing integrity refers to your organisation’s controls and procedures around:

  • Verifying the completeness, validity, accuracy, timeliness, and authorisation of system processing

  • Determining whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorised or inadvertent manipulation

  • Because of the number of systems used by an entity, processing integrity is usually only addressed at the system or functional level of an entity.

Confidentiality

Any information designated as confidential remains secure to meet the entity’s objectives.

Confidentiality refers to your organisation's controls and procedures, including:

  • Your organisation's ability to protect information designated as confidential from its collection/creation through its final disposition and removal

  • Confidentiality requirements may be contained in laws or regulations or in contracts or agreements that contain commitments made to customers or others

  • Confidentiality differs from the privacy criteria, in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information.

Privacy

All personal information collected, used, retained, stored, disclosed or disposed of must meet the entity’s objectives.

The privacy criteria examine your organisation's controls and procedures around:

  • Notification and communication of objectives: Notifications to data subjects/users about objectives related to privacy

  • Choice and consent: Communication choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects

  • Collection: Collection of personal information to meet its objectives related to privacy

  • Use, retention, and disposal: Limits around the use, retention, and disposal of personal information to meet its objectives related to privacy

  • Access: Data subject access provided to their personal information for review and correction (including updates) to meet its objectives related to privacy

  • Disclosure and notification: How your organisation discloses personal information, with the consent of the data subjects, to meet its objectives related to privacy. Notification of breaches and incidents is provided to affected data subjects, regulators, and others to meet its objectives related to privacy

  • Quality: How your organisation collects and maintains accurate, up-to-date, complete, and relevant personal information to meet its objectives related to privacy

  • Monitoring and enforcement: How your organisation monitors compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints, and disputes.

Our team can deliver an independent Service Auditors Report in accordance with AICPA COSO guidance tailored to the specific needs of the service organisation.
