Video: Evaluating a Service Organization's Security Commitments and System Requirements in a SOC 2 Engagement

In this lesson, Nick Palazzolo, CPA, elaborates on the detailed process of examining and testing security protocols within a Service Organization Control (SOC) 2 engagement. Centering on the organization’s commitments regarding data confidentiality, integrity, availability, and privacy, he delves into understanding service level agreements and other related documentation. Nick guides through evaluating system requirements to ensure these commitments align with security practices. Further, he explores how to assess these systems using the trust services criteria, including risk management, control monitoring, access control, and network security, followed by conducting incident response assessments and gap analysis. Throughout the lesson, Nick emphasizes the importance of repetition in the learning process and highlights common procedures like interviews, control testing, and documentation specific to SOC 2 engagements. This structured approach ensures a thorough understanding and effective evaluation of an organization’s adherence to security standards.

"Examprep.ai helped me pass all 4 CPA exams on the first try. I highly recommend. I especially like the feedback and ratings the software provides so I know where to focus my time."

Daniel H., CPA

"I can't recommend ExamPrep.ai enough. Nick's lessons turned concepts I struggled with into strengths. I was able to pass FAR right before other exams expired!"

Andrew K, CPA

"I just want to say thank you for the great lesson videos. I couldn't stay awake through lectures of another course. After watching all your FAR lessons I was finally able to pass!"

Alyssa M., CPA Candidate

Video Transcript

Instructor: Nick Palazzolo

Nick Palazzolo is head instructor of ExamPrep.ai CPA Review. Nick's teaching style is engaging & upbeat, combining practical Big 4 tax & assurance expertise with years of 1-on-1 coaching. His lessons are concise and emphasize what you need to know to pass. Whether you're a recent grad or working full-time, we’re confident you can conquer your CPA exams with Nick’s review.

Cite this lesson

Link to this page

[[ citeExample ]]

Copy to clipboard

Copy URL to clipboard

Copy HTML to clipboard

All right, diving back into our SOC 2, how this specifically deals with SOC 2. Now, again, SOC 2, based on the trust services criteria, this is going to be an engagement where we're essentially examining, testing our security protocols and everything like that. You want to understand the organization's service commitments, so review service level agreements and other contractual documents to understand the security commitments that are made to customers. You want to focus on commitments related to data confidentiality, integrity, availability, and privacy. We see these attributes assigned to SOC 2 a lot, so obviously you want to know those in conjunction with SOC 2. And then you want to evaluate system requirements, so analyze the documentation of the organization's information systems, understand all of it, and then align with the service commitments. So again, you're making sure any promises you're making to customers that will keep your data safe and secure are actually being followed through. Next up, assessment using the trust services criteria. So common criteria, we want to assess the organization against the common criteria of the security category, which does include aspects like risk management, communication of objectives, and monitoring of controls. We have additional criteria for security, so we have access control. We want to evaluate controls over access to systems and data. We have network and information security, so examining the protection mechanisms against unauthorized access to systems and data. Next, unauthorized access, malware, and attacks. And then we want to assess the incident response. And then we do a gap analysis here. Kind of talked about that earlier. Again, we see the process. Very similar for all of these processes. Interviews and observation, test of controls, document, findings, and recommendations. Again, this is kind of just repetition is how you learn.

Unlock the full video transcript and subtitles support with a free account!

Get more from this lesson

Create an account 7-day free trial. No credit card required.

Security

Module: 3 Concepts, 30 Videos

Threats and Attacks - Overview

0:45

Introduction to Threats and Attacks

3:57

Threat Agents

9:08

Types of Attacks