Has one or more of your customers requested that you undergo a SOC 2 audit? If so, you may be asking yourself, what is a SOC 2 report and how do I become SOC 2 compliant? Is there a SOC 2 compliance checklist I can use to prepare? The answers are not as straightforward as you may have hoped, as no two SOC 2 reports are the same.
While you may see other auditing firms providing a SOC 2 compliance checklist, it’s important to understand that there is no official SOC 2 compliance checklist issued by the AICPA that contains the requirements for what controls your organization needs to have in place to obtain a SOC 2 report. There are specific criteria that must be met, but how each organization satisfies those criteria is up to them and their service auditor. In the following blog, we will cover some basic information on SOC 2 reports and some questions that organizations need to ask themselves when they are starting the process of becoming SOC 2 compliant, including:
- What is a SOC 2 audit and who should have a SOC 2 audit?
- What are the SOC 2 requirements?
- Do you need a Type I or Type II SOC 2?
- Who can perform a SOC 2 audit?
- How much does a SOC 2 audit cost?
- What is a SOC 2 Readiness Assessment?
- How long does it take to become SOC 2 compliant?
What is a SOC 2 Audit & Who Should have a SOC 2 Audit?
A System and Organization Control 2 (SOC 2) report is an attestation report that organizations provide to their user organizations and stakeholders to demonstrate the controls the organization has in place to secure the system and/or services they provide. If your organization provides a system and/or service to user organizations, then a SOC 2 could be the report for you. A SOC 2 is a way for an organization to demonstrate the controls they have in place that address the security, confidentiality, availability, processing integrity, and privacy risks that are present with the use of their systems and/or services.
A SOC 2 differs from a SOC 1 report in that a SOC 1 report is needed if the organization provides a system and/or service that impacts user organizations’ internal controls over financial reporting (ICFR). If your organization’s system(s) and/or service(s) do not impact your user organizations’ ICFR, then a SOC 2 could be the right choice for your organization. Most companies are approached by their user organizations asking them for a SOC 2 report, which kicks off the process of the organization becoming SOC 2 compliant. Many user organizations utilize the SOC 2 reports provided by their service organizations for their own audits and to determine that their data is being handled in a secure manner.
What are the SOC 2 Requirements?
A SOC 2 report is an attestation report where management of the service organization asserts that they have controls in place to meet some or all of the AICPA’s SOC 2 Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and/or privacy. Within each TSC are specific criteria or requirements that the organization must meet in order to become SOC 2 compliant.
Not all the SOC 2 TSCs are applicable to every service organization. At a minimum, a service organization must include the Security or Common Criteria in their report, and then they can add on additional criteria from there depending on the services their organization provides and which criteria are relevant based on those services. An organization can do this by considering which risks are present as a result of the services they provide to their users and select which criteria best address these risks. For example, the processing integrity criteria would likely be applicable to a payroll processing platform but not a company providing a people management platform.
Additionally, there is no listing of specific controls that must be in place at the organization in order to meet these SOC 2 criteria/requirements. The controls in place at the organization that are mapped to the SOC 2 criteria are up to the discretion of the organization and service auditor. As such, no specific SOC 2 controls list exists, at least not one issued by the AICPA. This can make the process feel daunting for organizations going through the SOC 2 audit process for the first time. Many service auditors have a set of controls that they typically expect to see in place at an organization when performing a SOC 2 audit, but those controls can be tailored to the organization and its control environment.
Do You Need a Type I or Type II SOC 2 Report?
Another decision your organization needs to make when starting the process is which type of SOC 2 report you will start with: a Type I SOC 2 or a Type II SOC 2. The difference between a Type I SOC 2 and a Type II SOC 2 report is the period of time being covered by the report.
A Type I SOC 2 report is issued as of a specific date or point-in-time. A Type I report determines whether an organization’s controls are designed effectively as of a specific date. Oftentimes, a Type I report is a great option if you need to provide your customers with a report quickly and this is the first time you are going through a SOC 2 audit.
A Type II SOC 2 report covers a period of time and determines whether a service organization’s controls are designed and operating effectively for that period of time. Type II reports can cover anywhere from 3 to 12 months depending on the period that best suits the service organization and its customers. Most times, it makes sense to aim for a period of at least 6 months to provide more value to user organizations and avoid audit fatigue at the organization. This report is a great option if your organization has already undergone a Type I SOC 2 report, if your organization has the time to start with a Type II SOC 2, or if your user organizations require a report covering a period of time.
Who Can Perform A SOC 2 Audit?
Licensed CPA firms are the only organizations that can issue a SOC report. You will want to select a CPA firm that specializes in information security audits to perform a SOC 2 audit for your organization. Additionally, you will want to select a firm that has not only licensed CPAs but also auditors with IT audit experience, typically CISAs and/or CISSPs. When selecting the firm you will use, you can also request the resumes or bios of the auditors that will be working on your report to validate their experience.
How Much does a SOC 2 Audit Cost?
When selecting an auditor to perform your SOC 2, the cost of the report will also be a factor. Firms’ prices vary widely when it comes to a SOC 2 report. Many factors go into pricing a SOC 2 report, including the scope of the audit, the number of TSCs being covered, whether infrastructure is hosted in the cloud, by a colocation facility, or in-house, and the size of the organization. Additionally, if this is the first time your organization is going through a SOC 2 audit, you will also want to perform a readiness assessment. Ask the firm whether a readiness assessment is included in their quote for the SOC 2 report or whether it will be an additional fee.
For more information on the cost of a SOC 2 report see our article, How Much Does a SOC Audit Cost? Continue reading for further information on readiness assessments.
What is a SOC 2 Readiness Assessment?
If this is the first time your organization is undergoing a SOC 2 audit, you will want to prepare by having your service auditor perform a readiness assessment. Since there is no SOC 2 audit checklist issued by the AICPA for organizations to use when preparing for a SOC 2 audit, a readiness assessment is the next best thing. A readiness assessment is used by the service auditor to assess an organization’s preparedness for a SOC 2 examination and identify any potential gaps for remediation prior to starting the period or fieldwork for the audit.
Every readiness assessment is different depending on the service auditor performing it, as there is no specific SOC 2 audit checklist. The goal of the readiness assessment is for the organization to identify processes and controls that will mitigate the risks relevant to the scope of the SOC 2 report and identify any gaps requiring remediation. This allows the organization to resolve any identified gaps prior to starting their SOC 2 examination and hopefully will result in a surprise-free audit.
Additionally, the readiness assessment will give the organization an idea of the controls and processes that will be covered, questions that will be asked, and evidence that will be requested by their service auditor when they perform the fieldwork for the SOC 2 audit.
By performing a readiness assessment prior to starting your SOC 2 examination you will be setting your organization up for success. For further information on readiness assessments refer to our article, Readiness Assessments – Recommended Guidance for Audit Readiness.
How Long Does it Take to Become SOC 2 Compliant?
The answer to how long it will take to become SOC 2 compliant is dependent on whether you are completing a Type I SOC 2 or a Type II SOC 2 report and the results of your organization’s readiness assessment. If your organization has decided to do a Type I report, this process is typically faster than starting with a Type II. Since a Type I report covers a point in time, depending on service auditor availability and their method/timeline for fieldwork, you may be able to get a Type I SOC 2 report in your hands within a couple of months.
If your organization has decided to go with a Type II report first, meaning a period of time is being covered, your organization will need to wait the length of the period before a report can be issued. Additionally, if gaps/weaknesses are identified in the readiness assessment, then your organization will need to remediate them prior to starting the period for a Type II or fieldwork for a Type I report.
Even though there isn’t an official SOC 2 audit checklist, we have covered what your organization will need to consider prior to undergoing a SOC 2 audit:
- Why do you need a SOC 2? Are your customers asking you for one?
- What exactly is included in a SOC 2?
- Do you need a SOC 2 Type I or Type II?
- What kind of firm can perform a SOC 2 audit?
- How much does obtaining a SOC 2 report cost?
- What do you need to do to prepare for a SOC 2 audit and how long will it take?
Every organization is different, which makes every SOC 2 report and preparing for the audit different. Answering the questions above and working with a quality CPA firm like Linford & Company will help set your organization up for success when starting the journey to becoming SOC 2 compliant.
For further questions on how to become SOC 2 compliant, please contact us to request a consultation.
Megan Kovash works primarily on SOC audits with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Masters of Accountancy with the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions to better her client’s business.