SOC 2+ FAQs: How to enhance SOC 2® compliance
Feb 26, 2025 · Authored by Garrett Gosh, Kelly Bourbon, Jacob Mahkorn
Baker Tilly’s webinar, SOC 2+: Enhancing SOC 2 compliance with additional frameworks, took a deep dive into extending SOC 2 compliance by integrating frameworks such as the Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO), Health Information Trust Alliance (HITRUST) and National Institute of Standards and Technology (NIST). We hope the questions from attendees and our responses are insightful for everyone.
SOC 2 and SOC 2+ reports
If a company is Sarbanes-Oxley (SOX) compliant as part of an annual independent audit, will a SOC 2 or SOC 2+ report add any value?
- It absolutely can and does. SOX is primarily focused on internal controls that can impact your financial reporting, meaning SOX controls are often “business” or “operational” in nature. Technical controls do come into play, but generally only to the extent that they relate to your financial reporting. SOC 2, on the other hand, still relates to your internal control environment but it is over the security, availability, confidentiality, processing integrity and/or privacy of the systems specific to your customers’ data.
Have you performed SOC 2 + Family Educational Rights and Privacy Act (FERPA)?
- To date, we have not issued a SOC 2+ with FERPA as an additional framework. In order to do so, ideally your “base” SOC 2 report should include the privacy category, as that is the subject matter of the FERPA regulation. From there, you could identify the additional controls/requirements needed to meet the FERPA regulation.
Do you see SOC 2 report requests for Artificial Intelligence (AI) applications? Is the final SOC report different?
- Baker Tilly has not yet fielded many SOC 2 report requests for AI applications. However, with the rise of AI technologies, we anticipate engaging with organizations to perform SOC 2 services over AI applications. Whether an in-scope system is a claims processing platform or an AI-driven enterprise data warehouse, the SOC 2 criteria do not change unless the AICPA updates them. However, here are some specific control areas to focus on when scoping an AI platform into the SOC 2 criteria:
- Risk management: Ensure that risk management functions include risk evaluation and regulatory compliance of the AI platform.
- Data governance: Implement measures to protect sensitive data and comply with relevant data protection regulations.
- Model management and integrity: Establish processes for ensuring AI model data is accurate and complete (this would be important if the processing integrity criteria were in scope for the examination).
AI appears to be getting added to SOC 2 reports. Are there anticipated frameworks to be added later?
- Possibly. While several AI frameworks exist, none has risen to the top to reign supreme. However, should your organization utilize AI in a significant way, and should your customers be interested in understanding the controls you have in place related to AI, it is likely that existing AI frameworks could be included as a supplemental framework in a SOC 2+ report.
What type of organizations should provide a SOC 2 report?
- Any organization handling sensitive information (e.g., Personally Identifiable Information (PII), Protected Health Information (PHI)) on behalf of customers and whose customers either contractually require a SOC 2 report or are regularly requesting the completion of security or risk questionnaires should consider a SOC 2.
Is there any overlap between SOC 2 and New York State Department of Financial Services (NYDFS)?
- There are overlapping control areas and points of focus between the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500) and the SOC 2 Trust Service Criteria (TSC). Overlapping control areas include the following:
- Logical access
- Data encryption
- Security incident response operations
- Security risk assessment
- If your organization is preparing to perform a SOC 2 and must also adhere to 23 NYCRR Part 500 requirements, consider creating a control matrix that maps your controls to requirements in both SOC 2 and NYDFS. Identifying overlapping controls can help an organization reduce audit fatigue by applying the same evidence collected across both SOC 2 and 23 NYCRR Part 500.
What is Baker Tilly’s experience with Amazon Web Services (AWS) or Microsoft Azure supplying a SOC 2+ of their systems to their clients?
- AWS aligns its HIPAA risk management program with the Federal Risk and Authorization Management Program (FedRAMP) and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule. Microsoft Azure performs HIPAA risk assessments to help ensure its services can be used to process, maintain and store PHI in compliance with HIPAA, and Azure adheres to the HIPAA Security Rule requirements. While neither specifically undergoes a SOC 2+, both cloud service providers perform SOC 2 audits on a semi-annual basis. Azure’s SOC 2 reports cover security, availability, processing integrity and confidentiality. AWS’ SOC 2 reports cover security, availability, confidentiality and privacy.
Are there limitations to what frameworks can be added to the SOC 2+?
- Yes, there are limitations to what frameworks can be added to a SOC 2+. The framework being paired with SOC 2 must be relevant and compatible with the SOC 2 Trust Services Criteria (TSC). In addition, a framework’s scope, focus and/or requirements need to be carefully considered when determining if it can be paired with SOC 2. For example, Sarbanes-Oxley (SOX) compliance is specifically focused on internal control over financial reporting (ICFR) and thus cannot be paired, because a SOC 2 provides assurance over an organization’s controls as they relate to security, availability, confidentiality, processing integrity and/or privacy.
Does a standard SOC 2 report that has availability, confidentiality or process integrity count as a SOC 2+?
- It does not. The security category, along with availability, confidentiality, processing integrity and privacy, is one of the categories included in the AICPA’s SOC 2 framework. A SOC 2 report can include any combination of these categories (but must include, at a minimum, security), whereas a SOC 2+ includes any of the above categories plus an unaffiliated framework, such as NIST 800-53.
HITRUST and other frameworks
How can you explain to organizations that a stand-alone HITRUST report isn't acceptable to satisfy compliance requirements since the assessment doesn't measure operating effectiveness of controls?
- Contrary to common belief, operating effectiveness testing is executed as part of HITRUST validated assessments.
What is the main difference between HITRUST and SOC 2? With HIPAA information as a factor, how should an organization determine if they should do a HITRUST assessment or a SOC 2 assessment?
- There are many differences between HITRUST and SOC 2. For instance, HITRUST is a certifiable framework, whereas SOC 2 is an attestation report. In addition, HITRUST integrates multiple frameworks and regulations, whereas SOC 2 is based on the Trust Services Criteria from the AICPA. As for determining whether to perform a HITRUST assessment or a SOC 2 assessment, it will vary from organization to organization. An organization should take into consideration contractual agreements in place with clients and third parties, as well as state, federal and international regulatory requirements. The HITRUST framework was initially developed for organizations that have to comply with HIPAA. A HITRUST validated assessment may be the right answer in this case; although the HITRUST framework has become industry agnostic, HIPAA requirements can still be selected as in scope for an assessment. For help navigating these complexities, contact us.
Can a HITRUST assessment be performed by a professional other than a CPA?
- HITRUST assessments do not have to be performed by CPAs. However, 50% of the hours worked on HITRUST validated assessments must be performed by a HITRUST Certified CSF Practitioner (CCSFP) or a Certified HITRUST Quality Professional (CHQP). Individuals can be certified through training and successful completion of an exam provided by HITRUST.
Is there a framework that an organization can implement that covers or maps to all other frameworks?
- Generally, NIST 800-53 is among the most comprehensive of the established information security frameworks. However, the chosen framework may not address all matters your customers or regulators deem relevant. The opposite may also be true: the chosen framework may be too comprehensive. Whichever framework your organization selects, customization may be required. For help navigating these complexities, contact us.
SOC 1® vs SOC 2
What is the difference between SOC 1 and SOC 2?
Similar to fintechs, can SOC 1 and SOC 2 be combined into one report?
- Not always. Each report has its own purpose—a SOC 1 report is intended to include only those controls which are relevant to user entities’ internal control over financial reporting (ICFR). A SOC 2 report is intended to include the controls relevant to security, availability, confidentiality, processing integrity and/or privacy. While often similar, “business” or “operational” controls necessary in a SOC 1 do not always translate completely to the controls needed to meet the processing integrity criteria in a SOC 2. Said differently, the purpose of a SOC 1 report is to ensure user entities’ financial statements have correct numbers reported. Conversely, the purpose of a SOC 2 report with processing integrity is to ensure data processing integrity is in place; this may not translate to user entities’ ICFR accuracy. In addition, different user entities may have different contractual requirements. Lastly, financial statement auditors who are auditing the service organizations’ financial statements require a SOC 1 for their audit procedures and will not be able to leverage a SOC 2 (even with processing integrity included) for those purposes.
Is there a requirement that auditors have a CISA or other IT certification?
- No, but to sign the opinion in a SOC report, the practitioner must be a Certified Public Accountant (CPA). However, in addition to the CPA credential, many Baker Tilly practitioners are Certified Information Systems Auditors (CISA), Certified Information Technology Professionals (CITP) or hold another IT or information systems-focused credential. Connect with us.
Specific compliance scenarios
Are law firms defending physicians, hospitals and insurance companies covered under HIPAA?
- Law firms that perform services for covered entities, such as physicians, hospitals and insurance companies, are considered business associates under HIPAA and thus, must comply with HIPAA.
Why would I need a SOC 2 for a financial support system that is already accredited by a Certified Third-Party Assessor Organization (C3PAO) at the moderate level under NIST 800-171 requirements?
- While there are many overlapping control areas (e.g., access controls, risk assessment, security operations) between NIST 800-171 and SOC 2, the key difference between the two engagements is that a SOC 2 requires an independent CPA firm to perform an examination, and the resulting SOC 2 report contains the CPA firm’s audit opinion. A NIST 800-171 assessment performed by a C3PAO, on the other hand, is just that: an assessment, and it does not include a formal audit opinion. Understanding what your organization, as well as your organization’s clients (including government entities), prospective clients and vendors are requiring will help determine whether a SOC 2 examination is needed in addition to a NIST 800-171 assessment.