Category: Assurance

What is SOC 2 and what are the benefits?

The number of organizations managing customer data is increasing, leading to a growing demand for SOC 2 reports that assess the adequacy of information security measures in place. IT companies are now expected to be SOC 2 compliant, particularly when storing data in the cloud.

SOC 2 compliance means that an organization has implemented strict procedures for information security, privacy protection, and other areas, depending on the scope of the SOC 2 report. The scope is defined by the American Institute of Certified Public Accountants (AICPA) Trust Service Criteria (TSCs), which cover information security (1), system availability (2), process integrity (3), confidentiality (4), and privacy (5). Organizations can choose which principles to comply with, but information security must be included.

What is a SOC 2 report?

A SOC 2 report outlines the TSCs in terms of control measures and a description of the overall risk management system. An external auditor verifies that the description matches reality, and upon approval, provides an assurance statement for the SOC 2 report.

Why is SOC 2 in high demand?

Organizations must demonstrate to their clients that they adequately secure data. This involves implementing a risk management system and ensuring that their vendors also manage risks effectively. Clients demand evidence of this, which can be provided through SOC 2 compliance.

Benefits of a SOC 2 report

  • Organizations use SOC 2 reports as a marketing tool, assuring new and existing clients of their reliability.
  • Implementing SOC 2 positively impacts the quality of risk management.
  • Clients gain confidence that risks are effectively managed.
  • IT inquiries from partners and clients can be answered more efficiently.
  • Opportunities arise to attract and retain clients.

Advantage in procurement

During the sales process, clients often ask vendors to complete an IT questionnaire prepared by their engineering team. A SOC 2 report can effectively answer these questions, streamlining the process and instilling confidence in the client that processes are well-managed.

SOC 2 and the cloud

As demand for cloud-based solutions grows, SOC 2 certification becomes increasingly important. A SOC 2 report is seen as the industry standard that distinguishes an IT solutions provider from its competitors. If your organization aims to stand out, contact one of our consultants.

Get started with SOC 2

Are you prepared to demonstrate your commitment to robust information security and data privacy practices through SOC 2 compliance? Securance offers comprehensive SOC 2 auditing services to guide you through this rigorous certification process. Our experienced auditors will conduct a thorough assessment of your controls against the SOC 2 Trust Services Criteria, providing a detailed report and recommendations to achieve full compliance. Contact Securance today to embark on your SOC 2 journey and gain a competitive edge by instilling confidence in your clients.

SOC 2 or ISO 27001: Which is better suited for my organization?

If your organization provides business-to-business IT or financial services, it’s likely that your clients will request SOC 2 or ISO 27001 certification or attestation. This process can demand significant resources and time from your organization. This article explains the similarities and differences between these two certifications. A SOC 2 report and an ISO 27001 certificate can be compared to close relatives, and there are opportunities for efficiency, as achieving one certification can significantly reduce the time required to obtain the other.

1. Scope

Both SOC 2 and ISO 27001 are designed to give clients confidence that their data is protected. The two frameworks have much in common, as both address the core aspects of information security: confidentiality, integrity, and availability. Both are widely recognized certifications that demonstrate to clients your company's commitment to security.

A key difference is that the SOC 2 certification primarily focuses on demonstrating the effective implementation of security measures that protect client data. ISO 27001, on the other hand, solely requires an organization to have an Information Security Management System (ISMS), a prescribed set of security measures.

2. Market applicability

A significant similarity is that both certifications are well-known information security standards widely accepted as proof that an organization has appropriate security measures in place. Particularly in the United States, these certifications are accepted by organizations of all sizes, from small businesses to large corporations. Both are fully accepted across most industries and position an organization as a reliable vendor with robust information security practices.

3. External party

Both certifications are assessed by third parties, either ISO 27001 auditors or (registered) accountants. The key difference is that a firm recognized by the Netherlands Institute of Chartered Accountants (NBA) issues a SOC 2 report, while an accredited ISO 27001 auditor certifies ISO 27001 compliance. Risklane employs both recognized accountants and accredited ISO 27001 auditors who can advise on the audit process.

4. Costs

Both certifications have comparable operational costs, which include the internal costs for the team implementing the control measures and gathering the evidence required to demonstrate compliance with SOC 2 or ISO 27001.

The pricing for the two types of certifications can vary significantly. Generally, the costs of a SOC 2 certification are higher than those of an ISO 27001 certification. This is primarily due to the extensive documentation requirements for auditors conducting a SOC 2 audit.

5. Timeframe

The project approach for both certifications is similar and consists of roughly corresponding phases. Since SOC 2 and ISO 27001 share many of the same control measures, the implementation phases also have a comparable timeframe. However, a SOC 2 audit may require more internal and external (auditor) time due to the aforementioned documentation requirements.

After the audit period, both SOC 2 and ISO 27001 certifications must be periodically renewed to remain valid for user organizations. ISO 27001 typically involves a three-year cycle, with an audit in the first year and annual renewals thereafter.

About Securance

Our mission propels us to go above and beyond in fostering the growth and success of our customers. We are dedicated to expanding possibilities, enabling excellence, fostering growth, attracting new customers, and enhancing internal processes. Achieving this mission involves pioneering risk management innovations, optimizing efficiency through automation, cultivating a diverse global team, and making positive contributions to the communities we serve. Additionally, we are steadfast in our commitment to serving as a gateway for companies to become more sustainable and transparent, thus providing a distinct and valuable contribution to society. Our unwavering pursuit of the highest quality ensures that we have succeeded when all customer objectives are met, and our clients are 100% satisfied.

What is ISAE 3402 | SOC 1?

ISAE 3402 is the standard for outsourcing. To become certified, an organization must have a Service Organization Control (SOC) Report. A SOC report is a report that includes a description of the risk management system. This report is then annually reviewed by a service auditor. An organization that provides services is referred to as a service organization. Through an ISAE 3402 report, a service organization provides accountability to another organization (a user organization) regarding the processes performed in the Service Level Agreement (SLA) and the control over these processes. The standard succeeded the SAS 70 standard and was introduced in 2011.

ISAE 3402 and Outsourcing

Organizations are increasingly outsourcing, particularly in the IT domain. Organizations that outsource want insight into information security, fraud prevention, and risk management in general. This is especially important as more crucial business processes are being outsourced, making it essential to understand who has access to information and whether there are sufficient segregations of duties to prevent fraud. An ISAE 3402 report provides this insight.

Report content

In addition to the general overview, the report must include processes that could potentially affect the financial statements (financial processes). This also includes IT processes, known as General IT Controls. Furthermore, an ISAE 3402 report can provide assurance that outsourced processes are being performed according to the agreed-upon SLA. The SOC report consists of a general section based on the COSO 2013 standard and a control matrix. Read more about the report content and the two types of reports: ISAE 3402 Type I and Type II.

Outsourcing example

A pension fund outsources asset management to an asset manager. Pension funds must comply with the Pension Act (PW). The Pension Act requires the pension fund to demonstrate that the outsourced processes are controlled. In this case, the pension fund is the user organization, and the asset manager is the service organization. The agreements between the pension fund and the asset manager are documented in the asset management agreement and possibly an SLA. Therefore, the pension fund requests an ISAE 3402 report from the service organization. With this report, the pension fund demonstrates that the outsourced processes are “in control” and that it complies with the Pension Act for this outsourcing arrangement. In such a situation, the pension fund (the ‘user organization’) wants insight into:

  • Whether investments are processed accurately and completely for the financial statements
  • Whether asset management is conducted in accordance with laws and regulations
  • Whether there are sufficient safeguards against fraud
  • Whether security is adequately implemented at the asset manager
  • Whether specific compliance requirements included in the Pension Act are met

The pension fund will require the asset manager to include the above topics within the scope of the ISAE 3402 report. The pension fund’s auditor will consult the asset manager’s ISAE 3402 report as part of the pension fund’s annual financial statement audit. The auditor does not need to separately test procedures at the asset manager, as this has already been reported on by the service auditor.

Added value

The primary added value for a user organization is that, based on the Service Organization Control report, it can determine whether information security or fraud prevention measures are adequate. This is also important information for the user organization’s auditor. The user organization’s auditor can assess whether the measures at the service organization are sufficiently designed within the framework of the user organization’s financial statement audit. Additionally, a (recognized) other auditor has determined whether these measures exist (Type I) and have been operating effectively (Type II). The auditor then does not need to perform separate controls at the service organization.

ISAE 3402: Type I or Type II?

There are two types of ISAE 3402 reports: Type I and Type II. Both report types are similar in content. The difference lies in the nature of the audit performed. In a Type I audit, the auditor determines whether the risk management framework and control measures cover the normative framework (design) and exist at a specific point in time. To establish this, the auditor ‘walks through’ the processes, known as line controls. In a Type II audit, the auditor assesses whether the control measures have been operating effectively over a minimum period of six months.

Increased Assurance

With a Type II report, a user organization gains greater assurance that the service delivery is controlled as agreed upon. The period covered by an ISAE Type II audit is a minimum of six months, unless there is a special situation, such as the acquisition of a new organizational unit or the introduction of a new IT system.

Mandatory Components

An ISAE 3402 report is relatively ‘free-form’. The standard requires, among other things, that risk management is implemented, that the IT infrastructure is controlled, and that the risk management system is effectively monitored. However, an ISAE 3402 report must include the following mandatory components: (1) a description of the internal control framework, (2) a confirmation from the service organization, and (3) a service auditor’s assurance report. While these components are mandatory, the standard does not prescribe how they should be presented in the report. Additionally, ISAE 3402 does not subdivide into sections, unlike the SAS 70 standard (ref. standard 3402.9 sub j). Despite the lack of prescribed components, a best practice has emerged in the Netherlands.

Best Practices

The best practice includes several components: a general description, a description of the control framework, and a control matrix. The general section provides a description of the organization. The description of the control framework typically outlines the complete risk framework according to COSO. The COSO framework was updated to COSO 2013 in 2013 and to COSO 2017 ERM in 2017. A key difference from the original COSO framework is that the latest versions include principles.

Control Matrix

In the control matrix, objectives are linked to risks, and the measures that mitigate these risks (controls) are included. All controls relevant to the user organization are incorporated.

Assurance Report

An auditor assesses whether all expected controls are included during the audit. After this review, the auditor provides an assurance statement in the report according to standard 3402*. Such an assurance statement is sometimes referred to as an ISAE 3402 certification, although it is not a certificate but rather an assurance report according to standard 3402.

* Standard 3402 is the Dutch translation of the international ISAE 3402 standard.

Get started with ISAE 3402

ISAE 3402 reports are read not only by your clients but also by their auditors. A report that does not adhere to best practices or is described less professionally is likely to be perceived as less professional by your client or their auditor. With Securance’s experience in ISAE 3402 since 2004, we are well-equipped to produce professional reports. We can also advise you on how to improve your measures to better control risks.