A SOC 2 Compliance Checklist Doesn’t Exist, But Guidance Does


Has one or more of your customers requested that you undergo a SOC 2 audit? If so, you may be asking yourself: what is a SOC 2 report, and how do I become SOC 2 compliant? The answers are not as straightforward as you may have hoped, because no two SOC 2 reports are the same.

While you may see other auditing firms offering a "SOC 2 compliance checklist," it is important to understand that there is no official checklist of requirements for what a SOC 2 report must contain. We will cover the questions you need to ask yourself in order to get going in the right direction, including:

  • What is a SOC 2 audit?
  • Do you need a SOC 2 Type I or Type II?
  • Who can perform a SOC 2 audit and how much does it cost?
  • Do you need a readiness assessment?

What is a SOC 2 Audit?

A SOC 2 is a System and Organization Controls 2 report. If your company provides services to user organizations and those services affect the security, availability, processing integrity, confidentiality, and/or privacy of the user organizations' data or systems, then a SOC 2 could be the report for you.

A SOC 2 differs from a SOC 1 report in that a SOC 1 report is needed when your service affects your users' internal controls over financial reporting (ICFR). If your organization's service cannot affect your users' ICFR, then a SOC 2 is most likely the report for you. Additionally, most companies start down the SOC 2 path because a user organization asks them for a SOC 2 report; that request is usually what kicks off the process of becoming SOC 2 compliant.

A SOC 2 report is an attestation report in which management of the service organization asserts that it has controls in place to meet some or all of the AICPA's Trust Services Criteria (TSC) categories (security, availability, processing integrity, confidentiality, and/or privacy), and an independent CPA firm expresses an opinion on that assertion.

There is no "SOC 2 audit checklist" dictating which of these categories a service organization must include in its SOC 2 report. Rather, the service organization, with input from its customers, selects the categories that are relevant to the services it provides.

At a minimum, a service organization must include the Security category (the Common Criteria) in its report; it can then add categories from there depending on its needs. The service organization does this by considering which risks arise from the services it provides and selecting the categories that best address those risks. For example, a hosting provider whose customers depend on uptime would typically add Availability, while a provider that processes transactions on its customers' behalf might add Processing Integrity.

Learn more in our article, What is a SOC 2 Report? Expert Advice You Need to Know.


Do You Require a SOC 2 Type I or Type II?

Another decision your organization needs to make is which kind of SOC 2 report will meet the needs of your customers: a Type I or a Type II. The difference between the two is what the auditor tests and the time span the report covers: a Type I tests the design of controls at a single point in time, while a Type II tests both the design and the operating effectiveness of controls over a period.

A SOC 2 Type I report is issued as of a specific date, or point in time. A Type I report determines whether a service organization's controls are suitably designed as of that date. A Type I report is often a good option if you need to provide your customers with a report quickly or if this is the first time you are obtaining a SOC 2 report.

A SOC 2 Type II report covers a period of time (most reports cover 12 months) and determines whether a service organization's controls are suitably designed and operating effectively throughout that period. Because the auditor samples evidence from across the entire period, you need to retain evidence (tickets, access reviews, change approvals, monitoring records, and the like) for the whole review window, not just at the end. This report is a good option if you have already undergone a SOC 2 Type I examination or if your customers require a report covering a period of time. Refer to our article on SOC Report Types for further details on Type I and Type II reports.


Who Can Perform A SOC 2 Audit and How Much Does a SOC 2 Report Cost?

Licensed CPA firms are the only organizations that can perform a SOC audit. You will want to select a CPA firm that specializes in information security audits to perform your SOC 2. Additionally, you will want a firm that has not only licensed CPAs but also auditors with IT audit experience, typically CISAs and/or CISSPs. We recommend that you request the resumes or bios of the auditors who will be working on your report so that you can validate their experience.

When selecting an auditor to perform your SOC 2, the cost of the report will also be a factor. Firms' prices vary widely when it comes to a SOC 2 report.

Many factors go into pricing a SOC 2 report, including the scope of the audit, the number of TSC categories being covered, the number of locations, and the size of the organization. Additionally, if this is the first time you are going through a SOC 2 audit, you will also want a readiness assessment. Ask the firm whether a readiness assessment is included in its quote for the SOC 2 report or whether it will be an additional fee.

For more information on the cost of a SOC 2 report see our article, How Much Does a SOC Audit Cost? Continue reading for further information on readiness assessments.


Do You Need a Readiness Assessment?

If this is the first time you are becoming SOC 2 compliant, the answer is yes. A readiness assessment evaluates whether your organization's controls, and the evidence that they operate, are ready for a SOC 2 examination before the examination begins.

Prior to getting a SOC 2 report, it is important for the organization to identify the processes and controls that will be relevant to the SOC 2 report and to identify any weaknesses for remediation. This allows the organization to resolve identified issues before starting its SOC 2 examination. The distinction matters: gaps found during a readiness assessment are yours to fix quietly, whereas control exceptions found during the examination itself are documented in the report your customers will read.

By performing a readiness assessment prior to starting your SOC 2 examination you will be setting your organization up for success.

For further information on readiness assessments refer to our article, Readiness Assessments – Preparing for your SOC Audit.

Summary

Even though there is no official SOC 2 checklist, we have tried to walk you through what you need to consider before undergoing a SOC 2 audit:

  • Why do you need a SOC 2? Are your customers asking you for one?
  • Do you need a SOC 2 Type I or Type II?
  • What kind of firm can perform a SOC 2 audit?
  • How much does obtaining a SOC 2 report cost?
  • Do you need a readiness assessment?

Every organization is different, which makes every SOC 2 report different. Answering the questions above and working with a quality CPA firm like Linford & Company will help set you up for success when starting the journey to becoming SOC 2 compliant.

For further questions on how to become SOC 2 compliant please contact us to request a consultation.
