Detailed Description
Service Organization Control (SOC) Reports are a closely related family of similar reports familiarly and formerly known by many names: SSAE16, SAS70, AT101, WebTrust and SysTrust. Despite the naming confusion, the overall purpose remains the same: a SOC report provides independent validation and assurance to clients and client auditors that controls are in place and operating effectively to ensure that services, particularly software-as-a-service (SaaS) products, handle client information securely and accurately.
SOC reports are critical tools for gaining and maintaining customers for SaaS and e-commerce products, because they provide independent validation and attestation that service and user data are properly controlled and protected. Increasingly, customers require their SaaS vendors to provide SOC reports before doing business with them.
Illumant helps its clients prepare for a SOC report and attestation engagement by developing and addressing all the components necessary to meet these objectives. Illumant’s readiness activities are streamlined by building toward the end goal: a final draft of the SOC report.
There are various types of SOC and SOC-related reports. These are described below. Illumant focuses on SOC 2 and SOC 3.
Report | SOC 1 | SOC 2 | SOC 3 | Agreed Upon Procedures
AICPA Attest Standard | SSAE 16 (formerly SAS70) / AT 801 | AT 101 | AT 101 | AT 201
Available Types | Type I, Type II | Type I, Type II | - | -
Use | Restricted Use | Mostly Restricted Use | General Use (Public) | Restricted Use
Purpose | Report on internal controls over financial reporting | Report on internal controls over security, availability, processing integrity, confidentiality and privacy | Report on internal controls over security, availability, processing integrity, confidentiality and privacy | Report on procedures as defined by the client
Illumant helps clients choose between SOC 2 and SOC 3 (SysTrust, WebTrust):
Features | SOC 2 | SOC 3
Trust Principles Covered | |
Security | X | X
Availability | X | X
Processing Integrity | X | X
Confidentiality | X | X
Privacy | X | X
Report Users | |
Client and Client Auditors | X |
Public | | X
SysTrust | | X
SOC Report Content | |
Auditor's Opinion | X | X
Management's Assertion | X | X
System Description | X | X
Detailed Description of Auditor's tests and results | | X
Certification | |
SOC 3 Certification (SysTrust/WebTrust) | | X
Note that SOC 2 and SOC 3 can both be obtained in parallel, at incremental cost over a single report.
The components of a SOC report are as follows:
- Report of Independent Service Auditors
- Client's Assertion
- Management’s Description of the System
  - Overview of Operations
  - Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring of Controls
  - Description of Controls
  - Complementary User Entity Controls
- Principles, Criteria, and Related Controls
Illumant’s methodology has this report and these sections as the ultimate objective of the readiness engagement. By centering all aspects of the engagement around the final report, Illumant ensures a cost-effective path to obtaining a SOC report.
The following describes Illumant’s methodology for the SOC-C readiness engagement:
- Illumant helps the organization select which SOC report is most relevant to the organization: SOC 2 or SOC 3 (aka SysTrust / WebTrust). Illumant also determines which of the Trust Principles will be covered by the SOC report:
- security
- availability
- processing integrity
- confidentiality
- privacy
- Illumant identifies gaps between the requirements for the selected report and trust principles above and the existing controls and documentation at the organization. Illumant documents existing controls and helps design new controls to fill the gaps. Where necessary, Illumant documents the policies and procedures that define the controls and security measures. Illumant develops a control matrix that lists all applicable controls, the principle elements and risks that each control addresses, and the testing methods used to demonstrate that the control is in place and operating effectively.
- For Management’s Description of the System, documentation is developed that provides an overview of operations. This is developed through interviews and walkthroughs of the in-scope service. During this process, Illumant develops a description of the control environment, including the culture of control, the mechanisms used to identify and manage risks, and the governance structures that monitor controls and risk management activities. Illumant also develops a walkthrough narrative of the controls in place that are relevant to the SOC report, and specifies which controls are the responsibility of the user or client of the in-scope service.
- Illumant also helps draft Management’s Assertion, which is the target of the attestation engagement. In this assertion, management asserts that the controls relevant to the applicable trust principles have been described fairly and are in place and operating effectively.
- To ensure that the attestation audit goes smoothly and without exceptions, Illumant tests the defined controls per the control matrix and gathers evidence that can be presented to the auditor, which streamlines the attestation engagement and makes it more cost-effective. Any gaps identified during pre-attestation testing become the target of remediation efforts.
- Attestation must be provided by a CPA firm. Illumant can help select a CPA firm to provide the attestation services. Illumant has experience with the Big 4 and many smaller CPA firms. Throughout the readiness engagement, Illumant works and communicates with the selected CPA firm to ensure that the prepared documentation meets the CPA’s internal standards (which can vary from firm to firm). Illumant has experience communicating with CPAs to make the attestation process move smoothly.
On an ongoing basis, Illumant can help the firm update its documentation annually to reflect changes to the service or the service organization. Illumant also provides preliminary testing to ensure that controls are in place and that the annual attestation engagement proceeds without problem or incident.