A SOC 2 report is becoming a necessity for companies that handle customer data for others....
What is SOC 2?
Protecting against data breaches and maintaining compliance require constant vigilance and consistent analysis.
A SOC 2 report can help your organization protect and comply by confirming that you handle customer data properly. Aimed at companies that store sensitive information for other organizations, SOC 2 reports detail the controls of the systems used to process data and the security and privacy of that data.
With damages from cyber crimes mounting, customers are requiring vendors to provide SOC 2 reports to better protect against the type of data breaches that extract significant costs financially and reputationally. A SOC 2 report could be especially beneficial to you if you operate security and compliance for a large retail, banking, healthcare, or software-as-a-service (SaaS) company that is responsible for its clients’ data. Passing a SOC 2 audit will help your company continue to serve its customers.
Origin
The American Institute of Certified Public Accountants (AICPA) introduced Service Organization Control (SOC) reports in 2011. SOC 1, SOC 2, and SOC 3 reports vary in focus and purpose. For example, a SOC 1 report covers an organization’s financial controls, while a SOC 3 report is for public use, meaning that it can be viewed by others besides the company and its customers.
A SOC 2 report is a detailed analysis of the operational or compliance controls at a service organization. It is officially known as a Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
Intent
SOC 2 reports are intended to detail the controls of the systems used to process data and the security and privacy of that data. They address the sort of evaluations that were lumped into the old SAS 70 reports but should not have been.
SAS 70 was the standard for assessing a vendor’s internal financial controls for almost 20 years. Before SOC 2, companies used SAS 70 to evaluate data security as well, but this didn’t work as hoped because data security issues don’t necessarily relate to internal financial controls.
Usage
SOC 2 reports are “restricted use” reports, which means they can be accessed only by the organization and its existing customers.
SOC 2 reports are used in:
- Organizational oversight
- Vendor management
- Internal risk management
- Regulatory oversight
- Contractual obligations (client obligations)
Reports
Type 1 and Type 2 reports can be issued.
- Type 1: a report on the organization’s description of its system and the suitability of that system’s design. (Think of this as a snapshot.)
- Type 2: a report on the organization’s description of its system, the suitability of that system’s design, and the operating effectiveness of its controls. (Think of this as a movie.)
SOC 2 Type 1 and SOC 2 Type 2 reports can be issued depending on the specific requirements and objectives of the service organization. Most user organizations require their service provider to undergo the Type 2 audit for the greater level of assurance it provides.
Coverage
SOC 2 audits focus on controls at a service organization relevant to the following five Trust Services Principles:
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability: Information and systems are available for operation and used to meet the entity’s objectives.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.
Scoping
The bare minimum for a SOC 2 audit is to do security only. That’s the only requirement from the AICPA.
If your company is doing an audit for the first time, you should just audit security unless you are contractually required to include another category. Otherwise, you will have too much to deal with the first time through the process.
An audit of a six-month period is often sufficient to start. But 12 months is ideal.
Auditing
Choosing an auditor with a good reputation is particularly important for SOC 2 reporting because your auditor decides how your organization’s controls fit the requirements based on his or her experience.
Also, your company’s reputational risk is on the line, so you should use a qualified auditor instead of picking by price alone. Some companies don’t have experience with a SOC 2 audit, so they offer the lowest price. Then they provide poor service.
A readiness assessment should precede the report to increase effectiveness. Following the assessment with a Type 1 report and then finishing with a Type 2 audit is optimal.
When it comes to protecting your customers’ data, a SOC 2 report can help you satisfy contractual requirements and reduce regulatory compliance efforts. It also can assist you in mitigating risk and increasing trust by improving your service organization’s internal control environment.
Want to learn more about a SOC 2 audit for your organization? Contact us for a free consultation regarding your audit needs.