
Appraising Operating Effectiveness of Controls for Your SOC 1 or 2 Audit

Published 02/28/2022


This blog was originally published by CAS Assurance here.

Overview

Whether we are dealing with a Service Organization Controls (SOC) 1 audit or a SOC 2 audit, the operating effectiveness of controls is of paramount importance, not only for passing a type 2 audit but, more importantly, for actually benefiting from the existence of those controls. A SOC 1 audit focuses on the controls at a Service Organization relevant to User Entities’ Internal Control Over Financial Reporting, while a SOC 2 audit centers on the controls at a Service Organization relevant to the security, availability, and processing integrity of the systems the Service Organization uses to process users’ data, and to the confidentiality and privacy of the information processed by these systems.

Both SOC 1 and SOC 2 have type 1 and type 2 reports. In a SOC 1 type 1 report, the focus is on the fair presentation of a Service Organization’s description of its system and the suitability of the design of controls to achieve the related control objectives included in the description. A SOC 1 type 2 report takes it a little further by reporting not only on the fair presentation of the Service Organization’s description of its system and the suitability of the design of controls, but also on the operating effectiveness of those controls. Similarly, in a SOC 2 type 1 audit, the focus is on the fair presentation of a Service Organization’s description of its system and the suitability of the design of controls. A SOC 2 type 2 audit examines the fair presentation of the system description, the suitability of the design of controls, and the operating effectiveness of those controls to meet the relevant trust services criteria.

For control(s) to achieve the desired purpose(s), a few things must happen:

  • The control(s) must be adequate for the purpose
  • The control(s) must be suitably designed and implemented (put into operation)
  • The control(s) must be operated properly, as intended

Relationships between adequacy, suitability of design, and operating effectiveness of controls

The three are intertwined. Let us consider each of these in turn.

Adequacy

Adequacy of controls simply means that the control(s) address all the relevant risks inherent in a particular process, function, or system in the given environment. While there are situations where a single control may be sufficient to take care of a risk, in many cases, a combination of controls is necessary to achieve the desired purpose.

For example, consider the controls for physically protecting a data center from unauthorized access. You would need a combination of controls, including perimeter security measures such as fences, secured gate(s), security guards, surveillance cameras, etc. Further, you would need physical control measures such as doors, locks, cameras, etc. within the facility to limit and monitor people’s access to specific areas. If any control measure that is necessary in the environment is missing and there is no compensating control, the controls for protecting the data center would not be seen as adequate.

To ensure adequacy of control(s), therefore, all relevant risks in the situation and environment must be considered and addressed by appropriate control measures. This explains why it is not sufficient for an organization preparing for an audit to rely only on generic control templates in a SaaS solution to design and implement its controls. A thorough risk assessment needs to be done to identify the relevant risks in the organization’s processes, systems, and unique environment, so that controls are specifically customized to address those risks.

Suitability of Design

A control is suitably designed if, when operated as intended, individually or in combination with other controls, it will achieve the desired or intended purpose (i.e., achieve the control objective(s) or, in the case of a SOC 2 audit, the applicable trust services criteria). You can see the link between adequacy and designing appropriate control(s) to mitigate applicable risks. Suitability of design also includes appropriate implementation of the designed control so that it can operate as intended. The two elements of adequacy and suitability of design are intertwined and must both be present in the control(s) before you can expect valid operating effectiveness.

Operating Effectiveness

Operating effectiveness of a control simply means that the control has been applied or operated consistently, either manually by competent personnel or automatically by a system, to provide reasonable assurance that the control objective(s) (or the applicable trust services criteria) have been achieved. Again, you can see the connections between adequacy, suitability of design, and operating effectiveness. If a control is not adequate and suitably designed, it will not achieve the desired objective, even if it is properly operated or applied.

In preparing for a type 2 SOC 1 or SOC 2 audit, it is of utmost importance that you have a reliable and efficient system for tracking and keeping records of the operation of your controls, to enable you to prove to the auditor the operating effectiveness of those controls over the scope period. Such records also serve as an ingredient for reporting to senior management on the progress and success of cybersecurity and compliance efforts. They can also become an important source of defense before investigators and regulators in the unpleasant situation of a breach.
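The record-keeping described above can be made mechanical. The script below is an added example, not part of the original post and not a CAS Assurance tool; it assumes a hypothetical record layout (ControlRun) and a constructed set of records for a weekly user-access review over a Q1 2022 scope period. It reports what a type 2 auditor samples for: windows in which the control did not run, runs that recorded an exception, and whether the control can be called operating effectively across the whole period.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ControlRun:
    """One recorded operation of a control (hypothetical record layout)."""
    performed_on: date
    performed_by: str     # competent person, or "system" for an automated control
    outcome: str          # "pass" or "exception"
    evidence_ref: str     # ticket, log export or screenshot id backing the record


def expected_windows(period_start: date, period_end: date, frequency_days: int):
    """Split the scope period into consecutive windows of frequency_days.
    A control that operates consistently runs at least once in every window."""
    windows = []
    start = period_start
    while start <= period_end:
        end = min(start + timedelta(days=frequency_days - 1), period_end)
        windows.append((start, end))
        start = end + timedelta(days=1)
    return windows


def appraise(runs, period_start: date, period_end: date, frequency_days: int):
    """Summarise the evidence for operating effectiveness over the scope period:
    windows with no recorded run, runs that recorded an exception, and a verdict."""
    # Records outside the scope period are ignored so they cannot inflate coverage.
    in_scope = [r for r in runs if period_start <= r.performed_on <= period_end]
    windows = expected_windows(period_start, period_end, frequency_days)
    missed = [
        (w_start, w_end)
        for w_start, w_end in windows
        if not any(w_start <= r.performed_on <= w_end for r in in_scope)
    ]
    exceptions = [r for r in in_scope if r.outcome != "pass"]
    return {
        "windows": len(windows),
        "missed_windows": missed,
        "exceptions": exceptions,
        "coverage": round(1 - len(missed) / len(windows), 3),
        # Operating effectively: consistent operation and no recorded exception.
        "effective": not missed and not exceptions,
    }


# Constructed sample: weekly access reviews over a Q1 2022 scope period.
# One week (19-25 Feb) has no review, the 14 Mar review found an exception,
# and one record falls after the period end.
SCOPE_START = date(2022, 1, 1)
SCOPE_END = date(2022, 3, 31)
SAMPLE_RUNS = [
    ControlRun(date(2022, 1, 3), "j.doe", "pass", "TKT-101"),
    ControlRun(date(2022, 1, 10), "j.doe", "pass", "TKT-102"),
    ControlRun(date(2022, 1, 17), "j.doe", "pass", "TKT-103"),
    ControlRun(date(2022, 1, 24), "a.lee", "pass", "TKT-104"),
    ControlRun(date(2022, 1, 31), "a.lee", "pass", "TKT-105"),
    ControlRun(date(2022, 2, 7), "j.doe", "pass", "TKT-106"),
    ControlRun(date(2022, 2, 14), "j.doe", "pass", "TKT-107"),
    ControlRun(date(2022, 2, 28), "a.lee", "pass", "TKT-108"),
    ControlRun(date(2022, 3, 7), "j.doe", "pass", "TKT-109"),
    ControlRun(date(2022, 3, 14), "j.doe", "exception", "TKT-110"),
    ControlRun(date(2022, 3, 21), "a.lee", "pass", "TKT-111"),
    ControlRun(date(2022, 3, 28), "j.doe", "pass", "TKT-112"),
    ControlRun(date(2022, 4, 4), "j.doe", "pass", "TKT-113"),  # outside scope
]


def sample_appraisal():
    """Appraise the constructed sample with a 7-day expected frequency."""
    return appraise(SAMPLE_RUNS, SCOPE_START, SCOPE_END, 7)


if __name__ == "__main__":
    result = sample_appraisal()
    print(f"windows expected: {result['windows']}, coverage: {result['coverage']}")
    for w_start, w_end in result["missed_windows"]:
        print(f"no run recorded between {w_start} and {w_end}")
    for run in result["exceptions"]:
        print(f"exception on {run.performed_on} (evidence {run.evidence_ref})")
    print("operating effectively:", result["effective"])
```

Running the file prints the summary for the sample: thirteen expected windows, one missed window, one exception, and therefore a verdict of not effective. Two runs inside one window count once, and each run carries an evidence reference so the auditor can trace the record back to the underlying artefact.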

Conclusion

A lot of resources are often spent on designing, implementing, and operating security controls. The returns on such investments are realized only when the controls operate effectively and achieve the desired objectives (either by preventing bad things from happening or by facilitating the achievement of some other good goals). Such good goals include passing your SOC 1 or 2 audit and giving your stakeholders confidence in your systems.
