A: If AWS has exceptions, those exceptions would not show up in your report. For those familiar with SOC reports in section 4, you have the objectives for the trust principles, the controls in place to meet those objectives, the auditors test of the controls, and then the results of tests and any exceptions noted. Most of the time the goal of whoever's being audited is to have no exceptions in that report.
Occasionally exceptions could come up. If there were exceptions in the AWS report, you would need to do an analysis of those exceptions to determine if they had a significant impact on your service and the service you're providing to customers. With that in mind, many times if there are exceptions in the report there is a management response to that, and you would have to take that into consideration as well. For example, let's say there was a background check test, and for the sample tested it's determined that there wasn't a background check performed on one person.
Management could say there was a reason for that, and here's the reason why. You can do an analysis of that and determine there was an exception but there was a legitimate reason for that and move on. A: Unfortunately, that answer depends. When we're on scoping calls and hear customers say that they leverage AWS, there certainly gives some comfort and it helps us to know what we're walking into.
Q9: If a company utilizes multiple cloud providers, will you need a SOC 2 report for each? A: I'll get into a little bit more depth here. When you're performing the planning of your engagement you're going to come up with a list of vendors. Then you determine what services those vendors are performing for you, and determine if they're a subservice organization or not. Ideally, you would want to get a SOC 2 report for each of those cloud providers if you determined that they're a subservice org.
If they don't get one, it's not the end of the world. You can get similar information from them via questionnaires, conducting an internal audit, you can go do your own inspection, etc. Coming back to SSAE 18 and the monitoring aspect of this, you would still have to do something in order to gain comfort that what you're subservice organization is doing is providing the service that you need to help meet your control objectives. Ideally getting the SOC 2 would be the best scenario because then you could look at the report, do an analysis of it, look for exceptions and make sure that it is okay.
If they don't have one, again, not the end of the world. You can do other procedures, but you would have to document those. That's part of SSAE 18 now that affects the service providers. A: Certainly penetration testing can be a control that's in your SOC 2 report. It's actually leveraged in a couple of different ways under the current criteria, so we recommend for any SaaS application, particularly if it's an external web application that the organization needs, to undergo penetration testing and report on that.
There is not a definitive requirement like PCI DSS where it says you must undergo penetration testing and test for segmentation on an annual basis. Q if I have a SOC 2 audit performed for my customer and they process transactions for their customers, do I have an obligation to provide my SOC 2 to my customer's customers? What's going to happen here is you're going to provide your SOC 2 to your customer. What they're going to do, if they're getting their own audit their own SOC 2 is they are going to list you as a subservice organization, and then they obtain your SOC report to do their monitoring of you.
If they intend to use your SOC report, you would have to come to an agreement with your customer because these reports are considered confidential and proprietary. Therefore, your customers shouldn't be just handing your report out to their customers without your permission. You would have to come to an agreement with your customer to say, yes, I'm okay with you providing this to XYZ Company who is your customer for this reason.
Q How long will it take to complete a SOC 2 type 2 report? A: It depends on where you're within your control framework and your internal compliance strategy. From start to finish, for a customer that is going through SOC and has never been through any type of compliance initiatives, our SOC gap assessment process can take anywhere from two to six months.
I would say the average is probably be around three months. Then you have to wait to let those controls operate effectively for six months, so then that obviously pushes you to at least nine months. A SOC 3 report is a general use report that is made publicly available by a service organization. It demonstrates at a high-level that a service organization, its system or hosting environment has met the TSPs and associated criteria.
A Type I focuses on the adequacy of the description of the service organization and the suitability of their design of controls to meet control objectives and criteria as of a specified point in time. Who should have one? Many service organizations seek to gain a competitive advantage by completing an independent assessment of their controls SOC audit in order to show their customers that they are serious about security and controls.
Many auditors and regulators also require service organizations to obtain a SOC audit. Who needs it? A company or organization that outsources services like those listed above to a third party benefits from obtaining a SOC report from their service organizations.
SOC 2 reports are also considered restricted use reports, used by company management, regulators, and customer user entities. These reports are generally based on demonstrated business need and provided by request only. Keeping this in mind, most bridge letters typically cover a period of no more than three months. SOC examinations are meant to recur on at least an annual basis, in order to provide user entities with continuous coverage.
We have seen both extremely complex bridge letters and ones that are so simple that they do not meet the requirements of user organizations. If service organizations are unsure of what to include in their bridge letter or what it should look like, they should consult their service auditor.
Additionally, to aid service organizations, we have put together a couple of example bridge letter templates for a Type II SOC 1 report that covers all of the key points in a bridge letter and should meet the requirements of discerning user organizations.
If you have them as a subservice organization and you're doing the carve out method, you would not have to go do your own data center visit. Megan started her career in January after completing her Masters of Accountancy with the University of Denver.
A Type I focuses on the adequacy of the description of the service organization and the suitability of their design of controls to meet control objectives and criteria as of a specified point in time. Q5: Are customers still insisting on questionnaires and audits even if their provider has a SOC report, or does the SOC report successfully avoid this? A company or organization that outsources services like those listed above to a third party benefits from obtaining a SOC report from their service organizations. There's a couple different layers, but if you need further clarification on that certainly we're happy to set up a scoping call so feel free to contact us and we can get that conversation going.
They're both lumped into SSAE