24. What is the AICPA Service Organization Control (SOC) reporting framework and why are information security policies and procedures so important?

The AICPA Service Organization Control (SOC) reporting platform consists of three reporting options for service organizations reporting on their controls – SOC 1, SOC 2, and SOC 3. After twenty years of faithful service, the SAS 70 auditing standard was finally superseded by a completely new and much needed reporting platform. While SOC 1 SSAE 18 reporting effectively replaced the aging SSAE 16 and SAS 70 auditing standards, AT 101 SOC 2 and SOC 3 reporting were also introduced, ultimately allowing service organizations to pick and choose their reporting for purposes of internal controls. As for the AICPA SOC platform, it’s worth noting the following:

  • SOC 1 reporting utilizes the SSAE 18 professional standard, under which service organizations can opt for either an SSAE 18 Type 1 or Type 2 report.
  • SOC 2 and SOC 3 reporting utilizes the AT 101 professional standard, while also incorporating the following SysTrust and WebTrust Trust Services Principles (TSP): (1) Security, (2) Availability, (3) Processing Integrity, (4) Confidentiality, and (5) Privacy.

One of the most fundamentally important concepts to note about SOC compliance is the need for documented operational and information security policies and procedures. From SSAE 18 Type 1 and Type 2 reporting to SOC 2 and SOC 3 SysTrust and WebTrust compliance, auditors look long and hard at an organization’s policies and procedures. After all, many of the general IT controls within the scope of an SSAE 18 report, along with the Trust Services Principles for SOC 2 and SOC 3 reporting, require policies and procedures to be in place. The FLANK21 set of documented operational, business-specific, and information security policies and procedures is available today from FLANK.