This article was updated in December 2020.
Data is the lifeblood of your business. Your clients must be confident that their information is safe. They trust you to maintain it. If you fail, you will lose your clients’ trust.
Reassuring clients is the goal of SOC 2 compliance and certification. The integrity, confidentiality, and privacy of your clients’ data are at stake. Potential clients will want proof that you have measures in place to protect them. The SOC 2 compliance audit provides it.
What is SOC 2?
SOC stands for “System and Organization Controls” and is the agreed upon procedures of controls set by the American Institute of Certified Public Accountants (AICPA).
These defined controls are a series of standards designed to help measure how well a given service organization conducts and regulates its information. They are designed to provide clients confidence that an organization can be trusted to keep their data secure.
The purpose of an audit is to achieve SOC attestation or SOC certification.
Who can perform a SOC 2 audit?
This attestation can only be given after the organization is audited by an independent certified public accountant or CPA Firm who determines if the appropriate safeguards and procedures are in place.
Three Report Types An Organization Can Choose
The first is type 1.
These reports show the service organization’s controls over its client’s financial reporting standards. The organization being audited defines the objectives that are important to its business, and the controls it follows to achieve those objectives. Since the scope of the audit objective is self-defined, this is a very flexible standard and can be customized to each service provider.
The second is the type 2 report.
It focuses on five trust principals: security, availability, integrity, confidentiality, and privacy. Each trust principal has a standard set of controls and testing criteria for all service providers. When undergoing a Service Organization Control Type 2, the service organization selects which principals are relevant to their business.
The third is the type 3 report.
It is a simplified version of the SOC 2 report and was designed to attest that the service provider has completed a SOC 2 assessment, while also limiting the information to what is relevant to public parties.
SOC 1 and 2 also come in two report types.
Type 1 reports review the policies and procedures that are in operation at a specific moment in time.
The SOC Type II examines the policies and procedures over a period of time no less than six months. Since the Type II report takes into account the historical processes, it is a more accurate and comprehensive audit.
What Is Included in a SOC 2 Certification Report?
What the SOC 2 reports contain depends on the type of service the organization provides.
A service organization can be evaluated on one or more of the following trust services criteria (TSC) categories:
- Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information and damage to systems that could compromise security availability confidentiality, integrity, and privacy of data or systems and affect the entity’s ability to meet its objectives.
- Availability – Information and organizational systems are available for operation and use to meet the entity’s objective requirements.
- Processing Integrity – System processing is complete, valid, accurate, timely and authorized to meet the entity’s objectives.
- Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.
- Privacy – Personal information is collected, used, retained, disclosed and disposed of to meet the entity’s objectives.
The categories above all share a set of trust services criteria known as the standard criteria.
The common principles are:
- Control environment
- Communication and information
- Risk assessment
- Monitoring activities
- Control activities – which are further broken out by:
- Logical and physical access
- System Operational Effectiveness
- Change Management
- Risk Mitigation
These criteria must be addressed in every SOC audit. Depending on which TSC categories are being assessed, there may be more TSC’s which needed to be evaluated in addition to the standard criteria.
With the changes made in 2017, organizations can also get a SOC 2+ report which allows the services organization to address additional criteria from other compliance standards such as HITECH, HIPAA compliance, ISO 27001, Cloud Security Alliance (CSA), NIST 800-53 or COBIT 5.
When you order your compliance audit, you can decide which TSC categories are the most important. Base your decisions on what clients are most likely to want. Doing so will ensure that clients get the information they need. They will be less likely to come back to you with questions if they are addressed in the SOC 2 report.
Prepare with a SOC Audit Checklist
There are standard sense steps you can take. Being prepared will make the auditor’s job as comfortable as possible.
Your goal is to anticipate issues and try to resolve them beforehand.
Here are six steps you can take to prepare.
- Define the operating goals of your audit. You should ask yourself what your clients are most likely to want to know. You know the parameters of the SOC 2 audit. If you handle financial information, you may need a SOC 1 audit, as well.
- Define the scope of your SOC 2 audits. They typically address infrastructure, software, data, risk management, procedures, and people. You will also need to decide which trust principles to include. Any TSC you add will increase the scope of your audit. Again, choose the TSCs that are most likely to concern your clients.
- Address regulatory and compliance requirements. Every industry has regulations. For example, healthcare providers must comply with HIPAA compliance while those handling credit cards require PCI compliance. Doing a review of your enterprise’s compliance will help streamline the audit.
- Review and write security procedures. The auditor you hire will use your written policies as a guideline. Many companies fall behind. If your systems are out of date, you should update them. If you lack written procedures for anything covered by the audit, you should create them now. Written policies will help your employees adhere to internal rules.
- Perform a readiness assessment. A readiness assessment is your final chance to prepare. You can do the evaluation yourself. Alternatively, you can hire an auditing firm to do it for you as they abide by strict auditing standards. Think of it as a dress rehearsal. You can use the results to fill in holes in your audit prep.
- Evaluate and hire a certified auditor. As I mentioned before, hire someone with experience in your industry. The auditor will:
- Work with you to choose agreed-upon testing dates
- Give you a list of required documentation in advance of the audit
- Visit your site for document reviews, employee interviews, and walk-throughs
- Document the test results and review any issues with you
- Provide you with a completed type II report to share with your clients
Following these six steps of our SOC 2 compliance checklist will ensure that you have a smooth audit process. It is your job to do as much as you can to prepare. Even if you think your company is in good shape, periodic reviews are a must.
You may want to put a system in place to review written procedures. Doing so on a regular basis will make sure your next audit is without problems.
Who Can Request SOC 2 Compliance Reports?
Any organization contracting with a service provider should be concerned about security. That is true regardless of industry. However, it is not necessary to get a new audit every time.
SOC 1 and SOC 2 reports are meant to be confidential, limited-use documents for the service provider and its customers; however, they were often distributed publicly. The SOC 3 report was created as a result of the growing demand for a public facing report.
Now, any party who is knowledgeable about the services provided may request one. Parties who need to know how the entity’s system interacts with others may also get the report. These include user entities, sub-service user organizations, and other parties.
Of course, those interested in the internal controls may also request SOC reports. Before you entrust your data to anyone, requiring a SOC compliance audit is a good idea.
Many companies order SOC 2 audits. Then, they provide a report to prospective clients and other qualified parties.
Of course, it is possible that a client might have questions not covered by the SOC 2 report. In that case, you will need to decide how to respond. The report includes many of the most common questions and concerns clients will have.
How Have SOC Audits Changed?
The standards used for auditing have evolved over the years. Up until 2011, AICPA applied the SAS 70 standard. The SAS 70 standard became extremely popular, and subsequently, it was being used too broadly, and it started to lose the desired focus. In response, AICPA replaced SAS 70 with the Statement on Standards for Attestation Engagements (SSAE) No. 16 in 2011 and recently updated to version SSAE 18, in May of 2017.
The new requirements for the SSAE 18 are as follows.
- IPE, or Information Produced by the Entity. Companies must get evidence of the accuracy of any information provided. Examples might include standard queries or report parameters.
- Vendor management and monitoring of sub-service organizations. Service providers or data centers must include controls for sub-service organizations. The goal is to ensure that anybody with access to the data is adhering to control standards.
- CUECs or Complementary User Entity Controls must be in place. They should be limited to controls that are needed to achieve the stated control objectives
- Internal audit and regulatory examinations. SSAE 18 requires service organizations to read specific reports. Specifically, they relate to internal and regulatory examinations.
The SSAE will continue to evolve as new security risks come to light. Keeping up with risks can feel a bit like a game of Whack-A-Mole.
One example is the new SOC Cybersecurity examination and updated trust services principles that went into effect on December 15th, 2018. AICPA’s goal is to stay abreast of information security needs and respond accordingly.
How Much Does SOC 2 Auditing Cost?
The expense can vary depending on what is included.
Some of the things that can affect the cost include:
- The scope of services included in the report
- The TSCs you choose to add
- The size of your organization
- The number of in-scope systems and processes
In other words, if you have multiple systems and methods to include, the price will increase. Any system that affects the security of clients’ sensitive data must be audited. That is the only way to reassure clients to trust you with their data.
For the best result, choose a firm with IT auditing experience. They should identify the employees who will complete your audit. It is essential to ensure that the firm does background checks on anyone who will have access to your customer data.
Finally, make sure that you ask for (and check) references before hiring an audit firm. Ideally, the firm you choose should have experience in your industry.
Understand The Importance of SOC Compliance Audits
Compliance with SOC 2 reassures clients. Upon auditing, you can provide them with the reports for their records. Having a current report on hand will ensure that prospective clients know they can trust you. Use our SOC 2 compliance checklist to prepare for an audit.