The Persisting Challenges of SOC 2 Reporting

March 19, 2014

via The Data Center Journal

Increasing concerns regarding information security have heightened scrutiny of service organizations’ control infrastructure and driven demand for attestation reports. As a result, the SOC 2 examination's popularity has increased dramatically since its inception in January 2010. The SOC 2’s operational and security centric scope and the Webtrust based control framework, allows for an attestation process that addresses critical security concerns that customers have regarding third party services. Despite the growing acceptance of SOC 2 examinations, many organizations still undergo challenges regarding the different facets of the examination and reporting processes. As a leader in the SOC 2 space and trusted advisor to businesses from cloud service providers to claims processors, BrightLine has had conversations with hundreds of system owners and security personnel regarding compliance issues and challenges.

 The top 3 challenges voiced by our customers and accompanying recommendations are listed below.


SOC Report Selection

The market place is filled with confusion because of the uncertainty of the potential customer backlash of issuing one report over the other. Even though the Trust Service Principles were recently revised and enhanced, users and service organizations are concerned whether the customer will understand the inherent value found in the criteria.

For reporting options including non-SOC reporting, service organizations are strongly encouraged to consult with an experienced and reputable SOC 2 firm. This firm should provide the organization with various choices and paths without requiring any commitment. As a result, service organizations will be more prepared to convey the importance of the provided service, more effective at communicating the positive impact, and the type of control in place with customers and stakeholders. If the SOC 2 is the chosen solution, the benefits and significance of the Trust Service Principles should be emphasized by the service organization.


Selection of Trust Service Principles for SOC 2 Engagements

Many of the service organizations electing to have SOC 2 exams are unclear on the exact Trust Service Principle(s) that should be included in the report. In addition, the best method of using the service principles in describing the control environment also represents a gray area. The most common concerns are, "Are the controls in place?", "Will the controls satisfy the required criteria?", and "Should the organization provide a Type 1 or Type 2 report?".

The best way to reach a common solution is by starting with the end. In the beginning, communicating and determining the information the user organization will want should guide towards electing the best Trust Services Principles. Frequent RFPs and customer questionnaires can be very instrumental in determining the type of coverage needed to address commonly asked questions. As a leading provider of SOC 2 reporting, BrightLine ensures the most beneficial reporting solutions are chosen.


SOC 1 and SOC 2 Are NOT Created Equal

Don't assume SOC 1 and 2 activities are identical. SOC 2 Principles create a preset baseline standard. From there, service providers commonly identify, adjust or implement new baseline standards for achieving the SOC criteria. In contrast, more flexibility may exist under the control objective framework of the SOC 1.On the path to being successful, SOC 2 service organizations should plan and be prepared. To achieve this, readiness assessments are found to be very helpful. In conjunction, everyone's expectations must be set at the most appropriate level, both internally and externally. It's also equally important to determine the organization's existing controls and commitments to its customers.


BrightLine expects higher demand in 2014 for SOC 2 related services than all prior years combined. The aforementioned challenges and solutions were designed to help service organizations better meet the needs and expectations of their clients, while achieving their compliance objectives. BrightLine remains optimistic that this increased demand will help the overall adoption and acceptance of the SOC 2 report and discover new solutions to common challenges faced by both service organizations and the users of these reports.


Previous Article
Documentation: How Important Is It?
Documentation: How Important Is It?

When auditors begin to test procedures for compliance examinations (i.e., SOC 1, SOC 2), there are cases wh...

Next Article
SOC 1 - Preparing & Reviewing the System Description: How To Streamline The Audit Process?
SOC 1 - Preparing & Reviewing the System Description: How To Streamline The Audit Process?

When issuing a SOC 1 report, the system description is the basis for the controls that the auditors test.