In the last couple of posts, we talked about how an AT 101 SOC 2 report differs from a SOC 1 and SOC 3 report and also what the differences are between a SOC 2 Type I and Type II report. In this post, we are going to continue dissecting the different terminology and components of the AT 101 SOC 2 report so we can gain a little more understanding about this service and what these terms mean. Today, we will focus on what is referred to as the Section III.
In the world of IT security, we love to use acronyms and other "industry jargon" that can be confusing to people who are either new to the field or, in the case of a client, new to the service they need assistance with. When we talk about the SSAE 16 process, there is a great deal of similar and confusing verbiage (SOC reports, Type I and Type II reports, etc.). We often hear auditors refer to the Section III of a SOC report. What exactly is the Section III, and why is it so important? That is what we plan to answer in this post.
When you review an AT 101 SOC 2 report (either a Type I or a Type II), it is broken into many different sections. The Section III is titled "XXX Company's Description of its Systems and Controls." There are many subsections within it, but why is the Section III so important? As the name implies, this is a very detailed section, written by the company (possibly with the assistance of a third party), that describes in depth the system(s) in scope for the SOC 2 report, the processes the company uses, and the controls in place to secure the in-scope system(s). This is ultimately the section the auditor audits against, forms an opinion on, and reports on in writing (in Section I of the report). Since the Section III is so important, here are a couple of items to consider when you are preparing to go through the SOC 2 reporting process:
The AT 101 SOC 2 report is a very serious undertaking and needs to be treated that way. The process can be costly, it is a large-scale effort for your organization, and at the end of the day you want a favorable opinion written by the auditor. If you are getting ready for the SOC 2 report process and have questions, contact us to learn more about the services we provide to help organizations identify weaknesses, remediate them, and ensure the Section III is accurate and representative of the business environment. Click here to learn more about how Compass IT Compliance can guide your organization through the entire SOC reporting process. Next week we will dig into the 5 Trust Service Principles to learn what they are and what they mean. Till next week…