SOC 2 attestation, explained
Breaking it down, an ‘attestation’ is “a declaration that something exists” or “evidence or proof of something”. A plain synonym is ‘vouch’: to attest to something is to vouch for it. That is the simplest way to think about it.
What is a SOC 2 attestation report in the compliance and audit world?
It is a report that presents the conclusion of examination procedures and testing performed by an independent CPA firm acting as the auditor.
In effect it says: “We [Auditor X] examined [Service Organization Y]’s description of its system and the controls within it, and in our opinion the description is fairly presented and the controls are suitably designed (and, where the report covers a period rather than a point in time, operated effectively throughout that period).”
Attestation services are broken down into three levels, in increasing order of assurance:
- Compilation,
- Review, and
- Audit.
In a compilation, a CPA prepares and presents financial statements from information supplied by management, without testing that information or expressing any assurance on it. Businesses usually choose this because of budget and resource constraints within the organization.
Compilation and review engagements are therefore much quicker and far less costly. An audit requires an independent auditor (and audit firm) to test the underlying evidence, and so commands a much higher price.
A review resembles a full audit, but the scope is reduced: the practitioner relies on inquiry and analytical procedures rather than detailed testing, so it provides only limited assurance and covers fewer elements.
An audit is the full process. Completing it produces an attestation report for interested parties (potential customers, investors, etc.) that gives them reasonable assurance about the system, processes, and practices in place.
SOC 1, SOC 2, and SOC 3 reports are all attestation reports.
SOC 1 report
An attestation report that provides assurance on a service organization’s system of internal controls that are relevant to the user organization’s internal control over financial reporting (ICFR).
SOC 2 and SOC 3 report
Attestation reports that focus on an organization’s non-financial-reporting controls, evaluated against the Trust Services Criteria (TSC): Security (the common criteria, which every SOC 2 must include), Availability, Confidentiality, Processing Integrity, and Privacy. The four categories beyond Security are included according to the service commitments the organization makes to its customers. The main difference between the two reports is distribution: a SOC 2 report is a restricted-use document containing the detailed controls and test results, while a SOC 3 report is a general-use summary that omits that detail. Take a look at this blog to understand the difference between SOC 2 and SOC 3 reports in more depth.
There is some confusion around three similar but different terms:
- Attestation is an examination process. It compares data and evidence against a defined control or process and determines whether they are aligned, appropriate, and true.
- Assurance is the degree of confidence an independent practitioner provides that what is presented (data, controls, processes) is as stated. An attestation report conveys a stated level of assurance: reasonable assurance for an audit, limited assurance for a review.
- Auditing is the set of procedures performed to examine evidence and detect gaps, risks, or non-compliance issues that were not known before the audit took place.
Attestation and auditing are the two most often confused. Attestation starts from a baseline: there is a defined control list, a purpose, and a definition of the process, and the information gathered is compared against it to determine how well it meets the agreed-upon criteria. Auditing, on the other hand, seeks to uncover issues, risks, or non-compliance that were not known before the audit commenced.
For example, an organization seeking to become SOC 2 compliant prepares evidence to show that it meets the control requirements. One such control could be a ‘board meeting’ control, evidenced by minutes showing that the board meets regularly and oversees the control environment. If the audit finds that the organization has appropriate processes in place for this control, and for every other control in scope, the outcome of the audit is an attestation report that corroborates this. Note that the report vouches only for the controls, system, and period that were defined in scope; anything outside that boundary is not attested to.