AT 101 SOC 2 Report: What is a Section III?

July 13, 2016 at 10:10 AM

In the last couple of posts, we talked about how an AT 101 SOC 2 report differs from a SOC 1 and SOC 3 report and also what the differences are between a SOC 2 Type I and Type II report. In this post, we are going to continue dissecting the different terminology and components of the AT 101 SOC 2 report so we can gain a little more understanding about this service and what these terms mean. Today, we will focus on what is referred to as the Section III.

In the world of IT Security, we love to use acronyms and other “industry jargon” that might be confusing to folks who are either new to the field or, in the case of a client, new to the service that they need assistance with. When we talk about the SSAE 16 process, there is a ton of verbiage that is similar and confusing (SOC Reports, Type I and Type II reports, etc.). Oftentimes we hear Auditors refer to the Section III of a SOC report. What exactly is the Section III and why is this so important? That’s what we plan to answer in this post.

When you review an AT 101 SOC 2 report (either a Type I or a Type II), it is broken into many different sections. The Section III is titled “XXX Company’s Description of its Systems and Controls.” There are many subsections included in this section, but why is the Section III so important? As the name implies, this is a very detailed section, written by the company (and possibly with the assistance of a third party), that describes in great detail the system(s) that are in scope for the SOC 2 report, the processes the company uses, and the controls that are in place to secure the system(s) in scope. This is ultimately the section that the Auditor is going to audit against, form his/her opinion on, and then put that opinion in writing (in Section I of the report). Since the Section III is so important, here are a couple of items to consider when you are preparing to go through with the SOC 2 reporting process:

  • Details, Details, Details – In today’s world, most of the time we are told to keep our writing concise and to the point. In the Section III, the opposite is true. Details are everything and this is not the area to skip out on. Be as thorough as possible in this section because remember, this is the section that is going to form the foundation for the opinion that the Auditor is going to write.
  • People, Process, and Technology – When you are writing your Section III, as mentioned in the first point, you need to be as detailed as possible. This means that you need to discuss the systems in scope, the personnel that are using and accessing the systems, and what controls, both physical and logical, you have in place to protect those systems. In addition, make sure you document your risk assessment process, incident response process, and the IT Security policies and procedures you have in place around the system in scope.
  • Say What You Do, Do What You Say – There is an old saying out there that goes like this: “if you didn’t write it down, it didn’t happen.” This is a very true point and illustrates the need to document everything. The reverse also holds true. If you write it down but you aren’t doing it, you are going to have a problem on your hands when it comes down to the SOC 2 reporting process. Think about it this way: If you say that you have specific controls in place but you don’t, what conclusion will the Auditor come to when it comes time to formulate their opinion? The last thing that you want is to rush the process, spend a bunch of money, and end up with a SOC 2 report that does not have a favorable opinion from the Auditor.

The AT 101 SOC 2 Report is a very serious undertaking and needs to be treated that way. The process can be costly, but it is a large-scale effort in your organization and ultimately, at the end of the day, you want to have a favorable opinion written by the Auditor. If you are getting ready for the SOC 2 report process and have questions, contact us to learn more about the services that we provide to help organizations identify weaknesses, remediate those weaknesses, and help ensure your Section III is accurate and representative of your business environment. Click here to learn more on how Compass IT Compliance can guide your organization through the entire SOC reporting process. Next week we will dig into the 5 Trust Service Principles to learn more about what they are and what they mean. Till next week…
