Has one or more of your customers requested that you undergo a SOC 2 audit? If so, you may be asking yourself: what is a SOC 2 report, and how do I become SOC 2 compliant? Is there a SOC 2 compliance checklist I can use to prepare? The answers are not as straightforward as you may have hoped, as no two SOC 2 reports are the same.
While you may see other firms providing a SOC 2 compliance checklist, it’s important to understand that there is no official SOC 2 compliance checklist issued by the AICPA that contains the requirements for what controls your organization needs to have in place prior to undergoing a SOC 2 audit. There are specific Trust Services Criteria (TSCs) that are included in the scope of a SOC 2 audit, but how each organization satisfies those criteria is up to them and their service auditor. In the following blog, we will cover some basic information on SOC 2 reports and some questions that organizations should ask themselves when they are starting the process of becoming SOC 2 compliant, including:
- Who must be SOC 2 compliant?
- What are the SOC 2 requirements?
- Do you need a Type I or Type II SOC 2?
- Who can perform a SOC 2 audit and how much does it cost?
- How do I prepare for a SOC 2 audit?
- How long does it take to become SOC 2 compliant?
- How do you maintain SOC 2 compliance?
Who Must Be SOC 2 Compliant?
A System and Organization Control 2 (SOC 2) report is an attestation report that organizations provide to their user organizations and stakeholders to demonstrate the controls the organization has in place to secure the system and/or services they provide. If your organization provides a system and/or service to user organizations, then a SOC 2 could be the report for you. A SOC 2 report is an attestation report where the management of the service organization asserts that they have controls in place to meet some or all of the AICPA’s SOC 2 Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy.
A SOC 2 differs from a SOC 1 report in that a SOC 1 is needed if the organization provides a system and/or service that impacts user organizations’ internal controls over financial reporting (ICFR). If your systems and/or services do not impact your user organizations’ ICFR, then a SOC 2 could be the right choice for your organization.
Many organizations are also approached by their user organizations asking them for a SOC 2 report, which kicks off the process of the organization becoming SOC 2 compliant. Many user organizations utilize the SOC 2 reports provided by their service organizations for their own audits and to determine that their data is being handled in a secure manner.
What are the SOC 2 Requirements?
As mentioned above, the scope of a SOC 2 report includes one or more of the five TSCs: security, availability, processing integrity, confidentiality, and/or privacy. Within each TSC are specific criteria or requirements that must be met by the organization in order for it to become SOC 2 compliant. How these criteria are met is up to the organization and its service auditor to determine. The AICPA has provided points of focus to consider when trying to meet each criterion, but they are just that – points of focus, not a strict set of requirements.
Additionally, not all SOC 2 TSCs are applicable to every service organization. At a minimum, a service organization must include the Security or Common Criteria in its report, then additional criteria can be added on from there depending on the services the organization provides and which criteria are relevant based on those services. An organization may determine which criteria are relevant by considering which risks are present as a result of the services/systems provided to its users and selecting which criteria are relevant to address these risks. For example, the processing integrity criteria would likely be applicable to a payroll processing platform but not an organization providing a people management platform.
Finally, there is no listing of specific controls that must be in place at the organization in order to meet these SOC 2 criteria/requirements. The controls in place at the organization that are mapped to the SOC 2 criteria are up to the discretion of the organization and service auditor. As such, no specific list of SOC 2 controls exists that must be met to be SOC 2 compliant – at least not one issued by the AICPA. This can make the process feel daunting for organizations looking to go through the SOC 2 audit process for the first time. Many service auditors have a set of general controls that they typically look to see are in place at an organization when performing a SOC 2 audit but those controls can be tailored to the organization and its control environment.
Do You Need a Type I or Type II SOC 2 Report?
Another decision your organization needs to make when starting the SOC 2 audit process is which type of SOC 2 report to start with: a Type I SOC 2 or a Type II SOC 2. The difference between a Type I SOC 2 and a Type II SOC 2 report is the period of time covered by the report.
A Type I SOC 2 report is issued “as of” a specific date or point in time. A Type I report determines whether an organization’s controls are designed effectively as of a specific date. Oftentimes, a Type I report is a great option if an organization needs to provide its customers with a report quickly and this is the first time the organization is going through a SOC 2 audit.
A Type II SOC 2 report covers a period of time and determines whether a service organization’s controls were designed AND operating effectively during the period. A Type II SOC 2 report can cover a period of anywhere between 3 and 12 months, depending on the period that best suits the service organization and its customers. In most cases, it makes sense to aim for a period of at least 6 months to provide an accurate depiction of the operating effectiveness of the controls, which in turn provides more value to user organizations and helps to avoid audit fatigue at the organization. A Type II SOC 2 report is typically the right choice if an organization has already undergone a Type I SOC 2 report, if the organization has the time to start with a Type II SOC 2, or if the organization’s user organizations are requesting a report that covers a period of time.
Who Can Perform A SOC 2 Audit and How Much Does It Cost?
Licensed CPA firms are the only organizations that can issue a SOC report. Organizations will typically want to select a CPA firm that specializes in information security audits to conduct its SOC 2 audit. Additionally, the organization should select a firm that has not only licensed CPAs but also a team of auditors with IT audit experience, typically CISAs and/or CISSPs. When selecting the firm the organization will use, resumes or bios of the personnel that will be working on the report can also be requested to validate their experience and level of expertise.
When selecting an audit firm to perform a SOC 2 audit, cost will also likely be a factor. Pricing for different firms will vary widely when it comes to SOC 2 reports. Many factors go into pricing a SOC 2 report, including the scope of the audit, the number of TSCs being covered, whether infrastructure is hosted in the cloud, by a colocation facility, or in-house, and the size of the organization. Typically, as the scope of the audit and organization grows, so does the cost of the audit.
Additionally, if an organization is undergoing a SOC 2 audit for the first time, performing a readiness assessment prior to undergoing the actual audit would be beneficial and is typical when preparing for the audit. When selecting an audit firm, organizations should inquire if a readiness assessment is offered by the firm and included in the quote for the SOC 2 report or if that will be an additional fee.
How Do I Prepare for a SOC 2 Audit?
Since there is no SOC 2 audit checklist issued by the AICPA for organizations to use when preparing for a SOC 2 audit, a readiness assessment is the next best thing. A readiness assessment, or gap analysis, is used by the service auditor to assess an organization’s preparedness for a SOC 2 examination. It also helps to identify any potential gaps for remediation prior to starting the period or fieldwork for the audit.
Every readiness assessment is different depending on the service auditor completing it, as there is no specific SOC 2 audit checklist or listing of required security controls issued by the AICPA. The purpose of the readiness assessment is for the organization to identify processes and controls that will mitigate the risks relevant to the scope of the SOC 2 report and identify any gaps requiring remediation. This allows the organization to resolve any identified gaps prior to starting their SOC 2 examination and hopefully will result in a surprise-free audit with little to no findings.
Additionally, the readiness assessment will give the organization an idea of the controls and processes that will be covered, questions that will be asked, procedures performed, and the evidence that will be requested by their service auditor when fieldwork for the SOC 2 audit is conducted. The readiness assessment can be considered a practice run or dress rehearsal for the actual SOC 2 audit itself and an important step in an organization’s compliance journey.
By performing a readiness assessment prior to starting the SOC 2 audit fieldwork or period (depending on if the first report is a Type I or Type II report), the organization will hopefully be set up for success.
How Long Does it Take to Become SOC 2 Compliant?
The answer to how long it will take to become SOC 2 compliant is dependent on several things. Some of these factors include whether the organization is completing a Type I or a Type II report, the resources available to support the audit at the organization, and the results of the readiness assessment. If the organization has decided to start with a Type I SOC 2 report, the process is typically faster than starting with a Type II SOC 2. Since a Type I report only covers a point in time and the design of controls, depending on service auditor availability and their method for conducting fieldwork, an organization may be able to complete the first-time audit process and have an audit report in hand within a couple of months.
If the organization has decided to go with a Type II report first, meaning a period of time is being covered, the organization will need to wait the length of the period before a report can be issued. Additionally, if gaps/weaknesses are identified in the readiness assessment, then the organization will need to remediate them prior to starting the period for the Type II or fieldwork for a Type I report.
How Do You Maintain SOC 2 Compliance?
Once an organization completes its first SOC 2 report, it doesn’t end there. The organization will then need to maintain its internal controls to demonstrate the operating effectiveness of the controls for its next SOC 2 audit. There are many ways in which an organization can maintain its controls to make sure that they maintain compliance with the SOC 2 criteria. Methods vary from basic to more complex, such as documenting objectives and control processes in policies that are followed by employees and maintained by process owners, to implementing compliance monitoring tools. Organizations have many options available to them and can turn to their service auditor for recommendations appropriate for their control environment.
Even though there isn’t an official SOC 2 audit checklist issued by the AICPA, this blog covered several categories to consider prior to undergoing a SOC 2 audit and the steps to take to get the process started:
- Why do you need a SOC 2? Are your customers asking you for one?
- What is included in the scope of a SOC 2 audit?
- Do you need a Type I or Type II?
- What kind of firm can perform a SOC 2 audit and how much does it cost?
- What do you need to do to prepare for a SOC 2 audit and how long will it take?
- How do you maintain SOC 2 compliance?
Every organization and its objectives are different, which makes every SOC 2 report and preparation for it different. Answering the questions above and working with a quality CPA firm like Linford & Company will help set the organization up for success when starting the SOC 2 compliance journey.
For further questions on how to become SOC 2 compliant please contact us to request a consultation.
This article was originally published on 4/20/2021 and was updated on 4/19/2023.
Megan Kovash works primarily on SOC audits with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Masters of Accountancy with the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions to better her client’s business.