So you have begun to be asked by a current client or prospective client for a SOC 2 report. What now?
First, identify a firm with expertise in performing SOC 2 audits, not just a traditional CPA firm that performs SOC 2 audits as a sideline. Ensure the firm uses IT auditors with a background in information security. Common IT auditor certifications are the Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).
Next, determine whether your clients or prospective clients will accept a Type I report for the first report. A Type I report is a point-in-time report, which allows some time to remediate any gaps prior to issuing the first report. A Type II report is a stronger report because it covers a period of time and tests the operating effectiveness of controls; however, if you need a Type II report immediately, you may not have a chance to remediate any gaps.
Most user organizations (SOC 2 report stakeholders) who request a SOC 2 report will accept a Type I report for the first year. If your user organization needs a Type II report immediately, engage a firm that can perform a pre-assessment right away to identify any gaps against the desired SOC 2 criteria for the desired AICPA Trust Services Principles (Security/Common Criteria, Availability, Confidentiality, Processing Integrity, Privacy). Once any gaps identified in the pre-assessment are remediated, a six-month examination period can begin. Once the six months have passed and all of the controls tested as part of the audit are found to have operated effectively for the six-month period, a six-month Type II report with a clean audit opinion can be issued. For following years, the examination period is almost always adjusted to twelve months.
For the following example, let’s assume that your user organization will accept a Type I SOC 2 report for the first year. What can you expect next?
- Receive a letter from your firm that you can share with your user organization(s) letting them know the scope of the SOC 2 audit to be performed and when they can expect to receive the final report.
- Receive an initial request list and an illustrative risk and control matrix to help facilitate completion of the pre-assessment and the performance of walkthroughs to identify key controls within each in-scope process.
- Schedule a week or more of on-site fieldwork. The length of fieldwork depends on the size of the company and the scope of the SOC 2 audit.
- Schedule a meeting (in person or remotely) with your audit firm to go through the initial request list and illustrative control matrix. The documents are used to generate conversation around the actual controls that are in place vs. the hypothetical controls in the illustrative risk and control matrix.
- Identify any gaps based on the discussions with your audit firm against the desired AICPA Trust Services Principles and Criteria.
- Remediate any identified gaps and provide evidence to your auditor that the gaps were remediated.
- Perform on-site audit fieldwork to ensure that controls are designed appropriately as of a point in time, such as July 31, 2016.
- Discuss any potential issues identified in the report and gain agreement with your audit firm on any issues that are included in the report.
- Obtain and review the draft Type I SOC 2 report.
- Obtain the final Type I SOC 2 report after any feedback is incorporated.
- Obtain Type II SOC 2 reports for following years.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice, as well as performing SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.