A SOC 2 report is becoming a necessity for companies that handle customer data for others. Organizations have more flexibility in how a SOC 2 report is prepared than they do with some IT compliance audits. From choosing what is audited to who does the auditing, you control much of the process for a SOC 2 report. Such discretion provides opportunities for effectiveness, but it also presents challenging decisions.
Additional Reading: What is SOC 2?
Knowing what to audit, why, and how is crucial to getting a SOC 2 report that will allow your company to keep operating—and growing. If you don’t address the correct issues or engage the right auditor, you could fail to give customers and regulators the assurance that they desire.
Answering these key questions before you start your SOC 2 audit will help you maintain compliance and protect against a data breach.
1. What is a SOC 2 report?
One of three types of System and Organization Controls (SOC) reports (originally called Service Organization Control reports) established by the American Institute of Certified Public Accountants (AICPA) in 2011, a SOC 2 report describes the controls over the systems a service organization uses to process customer data and addresses the security and privacy of that data. The other two are SOC 1, which covers controls relevant to a customer's financial reporting, and SOC 3, a general-use summary of a SOC 2 examination.
A SOC 2 report is officially called a Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
2. What is the purpose of a SOC 2 report?
A SOC 2 report helps an organization secure its data and show its customers that it has done so. Its uses include:
- Organizational oversight
- Vendor management
- Internal risk management
- Regulatory oversight
- Client obligations
It is a restricted-use report: it is intended for the service organization's management, its customers (user entities), those customers' auditors, and other parties with enough knowledge of the system to interpret it, not for general distribution. Prospective customers are typically given a copy under a non-disclosure agreement.
3. Why would I need a SOC 2 report?
As companies have moved customer data online, criminals have followed. Data breaches have cost organizations millions of dollars in damages—both directly through compensation and fines, as well as indirectly through lost business and tarnished reputations.
Protecting data has become paramount, particularly for retail, banking, healthcare, or software-as-a-service (SaaS) companies that are responsible for customers’ information. Many companies require vendors to provide SOC 2 reports as a condition of doing business.
4. What will a SOC 2 report focus on?
The AICPA has established the Trust Services Criteria (formerly called the Trust Services Principles) for evaluating and reporting on controls over information and systems.
The scope of your SOC 2 report will depend on how many of the following five Trust Services categories you need to include in order to meet your customer or compliance requirements.
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and malicious damage.
- Availability: Information and systems are available for operation and use.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of properly.
5. How many principles should I include in my SOC 2 report?
The AICPA only requires you to include Security (the common criteria). If this is your first audit, Security is all you should do so you can adjust to the process, unless you are contractually required to include another category.
Customer demands may require you to do additional principle(s). If that is the case, you should work with customers to identify which principle(s) to add on top of security.
Consider which principles most closely relate to your customers’ concerns. For example, if you store data but don’t process it for clients then Availability may be applicable but Processing Integrity would not.
Compliance software provider Reciprocity also suggests that you consider how many systems, policies, and procedures you can effectively evaluate when scoping a SOC 2 audit.
6. Will I need a Type 1 or Type 2 report? Or both?
SOC 2 Type 1 and SOC 2 Type 2 reports are issued depending on your organization’s specific requirements and objectives.
- Type 1: A report on the organization's description of its system and the suitability of the design of its controls as of a specified date
- Type 2: A report on the organization's description of its system, the suitability of the design of its controls, and the operating effectiveness of those controls over a specified period
Customers will usually require a SOC 2 Type 2 audit for the greater level of assurance it provides.
7. What time frames should I expect for a Type 1 and Type 2 report?
A Type 1 report describes systems as of a point in time. Think of it as a snapshot. Think of a Type 2 report as a movie: it covers systems over a period of time. Customers will commonly accept a Type 1 report as your first report, and because a Type 1 only attests to the design of controls as of a date, you can remediate any gaps the auditor finds before that date and before the report is issued. A Type 2 report tests whether controls actually operated throughout the review period, so gaps that occurred during the period will appear as exceptions. Type 2 periods are commonly six months, and customers often prefer a 12-month period; a shorter period is possible but gives users less assurance.
8. What should I look for in an auditing partner?
A SOC 2 examination must be performed by an independent CPA firm, and your auditor's opinion is what customers will rely on, so pick a firm with ample SOC 2 experience and a good reputation, ideally with clients in your industry. Qualifications are especially important because your organization's reputation is at risk.
Don't pick based on price alone. The cheapest firm may be the least experienced and least qualified.
9. How can I use a SOC 2 report to my benefit?
A company can remain in business without a SOC 2 audit, but customers want them for assurance of protection against data breaches.
A SOC 2 report can help your organization:
- Establish credibility
- Meet proposal requirements from potential customers
- Gain an advantage over competitors that lack a report
A SOC 2 report can also help you reduce your regulatory compliance efforts and improve your internal control environment.
If you keep sensitive data, customers and regulators want to know that it’s safe. Answering these questions before you start a SOC 2 audit will help you provide them with the assurance they seek.
Want to learn more about a SOC 2 audit for your organization? Contact us for a free consultation regarding your audit needs.