Systems and Organizational Controls (SOC) is an auditing standard that has its roots in financial systems and auditing. SOC audits come in three flavors, with SOC 1 being the simplest form of SOC audit. SOC 1 audits are third-party audits of the accounting and financial controls at an organization. They provide an independent opinion on how well a company keeps its financial house in order. SOC 2 audits can get into other controls around security, availability, processing integrity, confidentiality, or privacy.
SOC 1 is further broken down into two forms of audit: SOC 1 Type I and SOC 1 Type II. A Type I audit is performed at a particular point in time, whereas a SOC 1 Type II report is based on testing controls over a period of time (most typically 9 to 12 months). Type II reports are generally viewed as more reliable.
Criticism of SOC Audits:
All organizations are different and unique. SOC auditing does not specify a minimum set of organizational controls to be created and tested. Good audit firms will suggest additional controls if they are missing; however, the organization itself generally sets the controls to be reviewed in a third-party audit. The general criticism here is that if a control is not specified by the company under audit, perhaps it is because they are failing at that control. Yet they will pass the audit without that control being included. Therefore, it is always important to review a SOC audit with an eye to which controls should be expected, and to hold a company accountable for the controls missing from its SOC audits.
Source: InfoSecurity Magazine
What does this mean for an SMB?
Yet, there are ways SMBs can begin to build their formal processes and perform a minimal internal risk assessment. CyberHoot has helped many businesses identify the gaps in their security programs through our assessments module, which contains cybersecurity, PCI, and HIPAA-based assessment questionnaires. Risk assessments and SOC audits are strong ways to start securing your business. CyberHoot can play a pivotal role in preparing companies for such auditing through its policy and process management, training programs, and phish testing. Email firstname.lastname@example.org to get more information!