Meeting AICPA SOC 2 Requirements for Third-Party Risk Management
This post reviews considerations for third-party risk management under AICPA SOC 2, and explains how you can meet SOC requirements through combined vendor risk assessment and third-party monitoring.
AICPA Trust Services Criteria and Third-Party Risk Management
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC) developed trust services criteria for organizations to use as a framework for demonstrating the confidentiality, integrity and availability of systems and data.
Organizations familiar with System and Organization Control (SOC) 2 audits will recognize that these trust services criteria are used to report on the effectiveness of their internal controls and safeguards over infrastructure, software, people, procedures, and data.
Trust Services Criteria in SOC 2
SOC 2 audits provide a comprehensive view into the following AICPA trust services categories:
- Security: Protecting information and systems against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability: Ensuring the availability of information and systems for operation and use to meet the entity’s objectives.
- Processing integrity: Ensuring that system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality: Protecting information designated as confidential to meet the entity’s objectives.
- Privacy: Ensuring that personal information collected, used, retained, disclosed, and disposed of meets the entity’s objectives.
Types of SOC Reports
Once the controls audit is complete, outputs can include two types of reports:
- Type 1 report: looks at a service provider’s system and the suitability of the design of controls at a point in time
- Type 2 report: adds to the Type 1 report by also looking at the operating effectiveness of controls over a period of time
How SOC Reports Are Used
Organizations across multiple industries use SOC 2 reports to demonstrate due diligence to clients, differentiate themselves from competitors based on their security posture, or be proactive with auditors in measuring compliance against data protection regulations.
Addressing SOC 2 with Prevalent
The AICPA SOC 2 report is an industry-standard framework for IT services companies to assess their controls over customer data. Because some vendors that lack the internal resources to respond to security assessments provide a SOC 2 report to their customers instead, those customers must map the report’s findings into a risk management solution for proper risk tracking, which can be time-consuming and complex.
With Prevalent, you can address SOC 2 third-party risk management requirements by:
- Assessing third parties with a comprehensive SOC 2-based questionnaire
- Automatically generating a risk register upon survey completion to zero in on potential areas of concern
- Creating an audit trail that maps documentation and evidence to risks and vendors
- Reporting against SOC 2 compliance
We also offer a SOC 2 Exception Analysis Service, which is a managed service delivered by the Prevalent Risk Operations Center (ROC) that transposes SOC 2 report control exceptions into risks in the Prevalent Third-Party Risk Management Platform. The resulting unified risk register enables coordinated risk response and remediation following a standardized approach and ensures that you have a comprehensive profile of all vendors – even for those that submit a SOC 2 report in lieu of a full security assessment.
To learn more, visit our SOC 2 solutions page or request a demo today.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management provider Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.