SOC 2® Audit Services

A framework for auditing service organizations, focusing on non-financial reporting controls.

Will 2024 be the year you thrive with SOC 2?

SOC 2, or System and Organization Controls 2, is a framework for auditing service organizations, developed by the American Institute of Certified Public Accountants (AICPA). It focuses on non-financial reporting controls relevant to five trust services categories (often referred to as the Trust Service Criteria): Security, Availability, Processing Integrity, Confidentiality, and Privacy. There are two types of report: a Type 1 report evaluates whether controls are suitably designed and implemented as of a specific point in time, while a Type 2 report also tests whether those controls operated effectively over a review period. The examination requires a detailed description of the system and a written assertion from management that the description is accurate and that the controls are suitably designed (and, for Type 2, operating effectively). SOC 2 matters for any organization that handles sensitive customer data: the report gives clients and their auditors independent assurance about the organization's security and data-management practices.

GCC's knowledgeable and experienced CAs/CPAs are members of the AICPA and are authorised to conduct SOC 2 examinations and sign off your attestation reports.


SOC 2® Examination Process by GCC

Why do organisations need to have SOC 2 Reports?

Increased Trust

SOC 2 compliance builds trust with clients and partners by providing independent, auditor-attested evidence of your data security and privacy controls rather than self-declared claims.

Improved Security

Preparing for the examination requires the organisation to define, document and test its security controls, which typically surfaces gaps and strengthens protection for the organisation and its stakeholders.

Competitive Advantage

A SOC 2 report gives your business a competitive edge: many enterprise clients require one before onboarding a vendor, and it reassures them that their data is handled with appropriate care and security.

Which Trust Service Categories must be included in your SOC 2 examination?

Security

Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality or privacy of information or systems and affect the entity's ability to achieve its objectives. Security is the Common Criteria and is included in every SOC 2 examination; the other four categories are optional and are selected according to the services provided.

Availability

Information and systems are available for operation and use to meet the entity's objectives.

Processing Integrity

System processing is complete, valid, accurate, timely and authorized to meet the entity's objectives.

Confidentiality

Information designated as confidential is protected to meet the entity's objectives.

Privacy

Personal information is collected, used, retained, disclosed and disposed of to meet the entity's objectives.

What should organisations do before a SOC 2 examination?

The examination requires a detailed system description and a written assertion from management about the design (and, for Type 2, the operating effectiveness) of the controls. Well-documented policies and procedures are crucial for a SOC 2 examination, and the organisation must keep records that demonstrate the controls are actually followed. For a Type 2 examination the evidence has to show the controls operating throughout the review period, so records such as access reviews, change approvals, vulnerability scan results and incident tickets need to be retained from the start of the period rather than assembled at audit time.

Selecting SOC 2 Trust Service Criteria

This SOC2 video on selecting Trust Service Criteria provides guidance on how organisations can navigate data security and compliance by choosing the right SOC 2 criteria. It begins by introducing the five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The video explains that Security is mandatory and serves as the Common Criteria, while the other criteria are optional and should be selected based on the organisation’s specific needs.

Preparing for a SOC 2 Examination

This SOC 2 video provides a comprehensive guide for organisations preparing for a SOC 2 examination. It begins by explaining the importance of understanding the SOC 2 framework and its five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The video then outlines the essential steps: defining the scope of the examination, identifying key stakeholders, and selecting the appropriate examination type. It emphasises conducting a gap analysis, updating policies and procedures, implementing security controls, and performing internal audits. The video also advises engaging with auditors such as GCC, gathering evidence, preparing audit documentation, and drafting the system description and management assertion. Finally, it highlights the need for cooperation during the audit process to ensure compliance and security.

SOC 2 Examination: Type 1 vs Type 2

This SOC 2 video provides a concise overview of the differences between SOC 2 Type 1 and Type 2 reports. It begins by explaining that SOC 2 reports assess a service organisation's controls related to security, availability, processing integrity, confidentiality, and privacy. The video highlights that a SOC 2 Type 1 report evaluates the design and implementation of controls at a specific point in time, acting as a "snapshot" of the organisation's control environment. In contrast, a SOC 2 Type 2 report goes further by assessing not only the design and implementation but also the operating effectiveness of these controls over a period of time, typically three to twelve months. The video closes with a quick comparison of the two report types, covering time frame, assessment scope, audit duration, and the level of detail included.

Frequently Asked Questions

Is SOC 2 a certification?

SOC 2 examinations and reports are not certifications: there is no certificate, only an attestation report issued by the auditor. These are restricted-use reports, intended for knowledgeable parties such as the service organisation, its user entities, and the user entities' auditors.

What is a SOC 2 report?

SOC 2 reports result from attestation examinations conducted in accordance with the AICPA's SSAE 18 standard. They report on controls at a service organisation relevant to security, availability, processing integrity, confidentiality, or privacy.

What is the difference between a Type 1 and a Type 2 examination?

A SOC 2 Type 1 examination evaluates the design and implementation of controls at a specific point in time, while a SOC 2 Type 2 examination also tests the operating effectiveness of those controls over a review period, commonly six to twelve months (a first Type 2 report sometimes covers a shorter period of around three months).

What are the trust service categories?

The key trust service categories in a SOC 2 examination are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

How is the scope of a SOC 2 examination determined?

The scope of a SOC 2 examination is determined by the systems, infrastructure, people and processes that are relevant to the security, availability, processing integrity, confidentiality, and privacy of the organization's services. It is usually defined in collaboration with the auditing firm and should also identify any subservice organizations (for example, the cloud provider hosting the system) and whether their controls are carved out of or included in the examination.

What is management's role during the examination?

Management is responsible for implementing and maintaining effective controls. During a SOC 2 examination, management provides documentation, supports testing, and addresses any identified deficiencies.

Can a service organization choose which trust service categories to include?

Yes, a service organization can select specific trust service categories based on its business needs and objectives. However, the Security category (the Common Criteria) is included in every SOC 2 examination. The selection of the remaining categories depends on the services provided and the commitments the organization makes to its customers.

How long does a SOC 2 examination take?

The duration of a SOC 2 examination varies with the type of examination (Type 1 or Type 2), the organization's complexity and readiness, the scope of the audit, the frequency of control activities, the findings, and coordination with subservice organizations. A Type 1 examination is generally shorter than a Type 2 examination, because a Type 2 cannot be completed until the review period has ended and evidence for the whole period has been tested.

How often should an organization undergo a SOC 2 examination?

The frequency of SOC 2 examinations depends on various factors, but it is common for organizations to undergo an annual examination to demonstrate ongoing commitment to security and compliance. Type 2 review periods are normally scheduled back to back so that there is no gap in coverage between consecutive reports.

How much does a SOC 2 examination with GCC cost?

GCC provides competitive pricing for SOC 2 examinations based on information supplied by the client: the scope of the system, the complexity of the organization, the preferred type of examination (Type 1 or Type 2), and the trust service categories selected. This ensures the quoted price reflects the specific needs and circumstances of each client.

GCC Training

Empower your team with our self-paced efficient training.

Quality Management System - ISO 9001 Courses

Environment Management System - ISO 14001 Courses

OHS Management System - ISO 45001 Courses

Integrated Management Systems (IMS) -ISO 9001, ISO 14001 and ISO 45001 Courses