SOC 2 Compliance: Q&A with an Audit Expert – David Barton

As part of Trustero’s “Everything Compliance” interview series, VP of Marketing and Business Development Kimberly Rose had a wide-ranging conversation with David Barton, Managing Director at UHY LLP. His firm is part of UHY International, a business accounting and advisory services provider in more than 100 countries.

David has more than three decades of experience with audits and compliance and is passionate about helping business leaders make well-informed decisions in those areas. Here are some questions and answers extracted from his discussion with Kimberly.

David, the SOC 2 framework is built atop five elements called the Trust Services Criteria. Can you help us understand exactly what those are and what they do?

Sure. The Trust Services Criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Each is a category that includes multiple specific criteria.

• The Security category is the baseline. It includes 33 individual criteria that provide a foundation for the higher-level controls that create an effective security program.
• The Availability category makes sure systems are available when needed – things like redundant power and recovery controls and backups.
• Processing Integrity focuses on controls that make sure anything that goes into the production environment is authorized. So, if you’re a SaaS provider, for example, and you’re hosting an application, your service users want to know you’ve got good controls around developing that software and making sure it does what it says it does. One plus one equals two, according to the program.
• The Confidentiality category includes controls intended to prevent data from being unintentionally disclosed. And that can be any kind of data, from intellectual property to usernames and passwords.
• Privacy, on the other hand, has to do with personal information. The best example is electronically protected health information for those in healthcare.

So, do companies pursuing SOC 2 compliance have to address all five categories?

Well, everybody has to do security because, again, that’s the baseline. The other four are optional. You can choose one or all five together, depending on the nature of your business. For example, if you’re not a SaaS provider, or if you’re not providing any kind of application-level service, then Processing Integrity probably doesn’t make sense. But if you provide data center services and one of your benchmarks is 100% uptime, all the time, whatever, you’ll need to address Availability and maybe Confidentiality to some extent. But if you’re processing data for somebody else, Confidentiality and Security are probably the ones you will be focused on and want to include.

Now that we’ve got a more complete picture of what SOC 2 compliance entails, why would a company want to pursue it?

The purpose depends on the type of report a company wants to produce.

• SOC 1 is focused on financial statement audits. So, for example, if you’re processing transactions for another company, that company’s auditors need to understand the controls you have that affect financial statements and reporting, what the risks are, and perhaps do additional work if they can’t get comfort through the report.
• The SOC 2 audit produces more of a general-use report. It can be used for third-party risk management, GRC programs, cybersecurity programs, and any kind of compliance that has to be maintained. SOC 2 reports can also be used for due diligence if you’re getting ready to enter into a business relationship with a company. You want to make sure that you understand what kind of controls they’ve got in place to deal with the issues that you may encounter.
• A SOC 3 report is kind of a summary-level version of a SOC 2 report. The SOC 2 report is intended for users of the service and provider being audited. The SOC 3 report can be used as a general release. You can take a SOC 3 report and put it on your website, and anyone can review it.
• These are the main differences. The general purpose of a SOC 2 audit and report is to satisfy anybody who wants to understand the controls present in a service organization.

You’ve mentioned controls a few times now. What exactly is a control?

It’s important to understand a control is not a statement of fact, and a statement of fact is not necessarily a control. When you read in a report a statement that says backups are performed daily, well, that’s great, but that doesn’t tell me how they’re performed, used, monitored, or any of those kinds of things. That’s where the control part comes in. If you say backups of all critical data functions are performed daily, and a record is maintained to ensure that they are performed correctly, that’s a control.

David Barton
Managing Director, UHY LLP

David Barton is a Managing Director with UHY Advisors and is the practice leader of the Technology, Risk & Compliance practice focused on information technology. He has over 30 years of practical experience in information systems and technology risk and controls.

David is frequently asked to speak at national and regional events, such as SecureWorld and the Cloud Security Alliance Congress. He is the primary author of the CSA position paper on AICPA Service Organization Control Reports. In addition, he regularly provides his input and opinions for national publications such as Compliance Week, Accounting Today, and the Atlanta Journal-Constitution.

David holds an MBA and BS in Business Administration from Appalachian State University. He is Certified in Risk and Information Systems Control (CRISC), received the Certified Information Systems Auditor (CISA) designation in 1988, and is a member of the Atlanta chapter of the Cloud Security Alliance. David has active civic memberships with the Atlanta chapter of the Porsche Club of America and the Tire Rack Street Survival® program for teen driver education. He is also a certified high-performance driving instructor and former Porsche Club racer.

About UHY LLP

UHY LLP is a global provider of exceptional service and part of one of the largest accounting, tax, and consulting networks in the world. The company serves clients ranging from the dynamic middle-market to Fortune 500 companies. A licensed CPA firm, UHY LLP offers audit and other attestation services to public and private companies. UHY Advisors provides tax and consulting services to a variety of business sectors.