Companies often align their controls with specific processes or frameworks such as the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST). When this occurs and the company receives a SOC 2 report, the service auditor should consider if:
- The process or framework used is required by law or regulation; and/or
- The service organization has established specific service commitments and system requirements regarding the requirements of the process or control framework.
If either of these two scenarios occurs, the requirements of the process or control framework are likely to be considered additional points of focus when using the trust services criteria in the SOC 2 report. This may require additional controls that are designed specifically to address the process or control framework. Luckily, management of the service organization has a few options to consider.
If an organization is not contractually obligated to follow a specific process or control framework, they may determine that providing supplemental information in the SOC 2 report is sufficient to meet their needs. If so, management would communicate how the controls implemented by the service organization address the requirements of the process or control framework in an unaudited section (typically section 5) of the SOC 2 report.
In other circumstances, management may have established specific service commitments or system requirements related to the process or control framework and disclosed the controls they have implemented to address those requirements in the system description of the SOC 2 report. When the system description in the SOC 2 report includes information about how the service organization’s controls meet the requirements of a process or control framework like ISO or NIST, the users of the SOC 2 report may assume that the service auditor examined the service organization’s compliance with those frameworks. For that reason, the service auditor may decide to add an emphasis-of-matter paragraph to the service auditor’s report drawing attention to the information in the SOC 2 report about the process or control framework and clarifying that they have not audited it and do not express an opinion on this information.
There may be instances where contractual obligations require that the service organization provide a SOC 2 report with a service auditor’s opinion on whether the service organization’s controls were implemented and meet the requirements of the process or control framework. In that case, management should engage the service auditor for a SOC 2 + examination that includes the requirements of the process or control framework as additional criteria.
Thanks for reading!