Has one or more of your customers requested that you undergo a SOC 2 audit? If so, you may be asking yourself, what is a SOC 2 report and how do I become SOC 2 compliant? The answers are not as straightforward as you may have hoped as no SOC 2 report is the same.
While you may see other auditing firms providing a SOC 2 compliance checklist, it’s important to understand that there is no official SOC 2 compliance checklist with requirements for what you need to obtain a SOC 2 report. There are specific criteria that must be met, but how each company satisfies those criteria is up to them and their service auditor. We will cover some of the questions that you will need to ask yourself in order to get going in the right direction, including:
- What is a SOC 2 audit and who needs one?
- What is included in a SOC 2 report?
- Do you need a SOC 2 Type I or Type II?
- Who can perform a SOC 2 audit?
- How much does a SOC 2 audit cost?
- How do I prepare for a SOC 2 audit?
- How long does it take to become SOC 2 compliant?
What is a SOC 2 Audit & Who Needs One?
A SOC 2 is a System and Organization Control 2 report. If you are a company that provides services to user organizations and your services impact the security, availability, processing integrity, confidentiality and/or privacy of the user organizations, then a SOC 2 could be the report for you.
A SOC 2 differs from a SOC 1 report in that a SOC 1 report is needed if your service impacts your users’ internal controls over financial reporting (ICFR). If your organization’s service cannot impact your users’ ICFR, then a SOC 2 is most likely the report for you. Additionally, most companies are approached by their user organizations asking them to obtain a SOC 2 report and that is what kicks off the process of becoming SOC 2 compliant.
What is Included in a SOC 2 Report?
A SOC 2 report is an attestation report where management of the service organization asserts that they have controls in place to meet some or all of the AICPA’s SOC 2 Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and/or privacy.
There is not a “SOC 2 audit checklist” listing which of these criteria a service organization must include in their SOC 2 report. Rather, the user organization must select which criteria are relevant to them.
Additionally, there is no listing of controls that must be in place at the organization in order to meet these SOC 2 criteria. The controls in place at the organization that are mapped to the SOC 2 criteria are up to the discretion of the organization and service auditor. As such, no specific SOC 2 controls list exists.
At a minimum, a service organization must include the Security or Common Criteria in their report and then they can add on criteria from there depending on the services their company provides and which criteria are relevant based on those services. A user organization can do this by considering which risks are present as a result of the services they provide and then they select which criteria best address these risks.
Learn more in our article, What is a SOC 2 Report? Expert Advice You Need to Know.
Do You Require a SOC 2 Type I or Type II?
Another decision your organization needs to make is which kind of SOC 2 report will meet the needs of your customer, a SOC 2 Type I or a SOC 2 Type II report? The difference between a SOC 2 Type I and a SOC 2 Type II report is the period of time being covered by the report.
A SOC 2 Type I report is issued as of a specific date or point-in-time. A Type I report determines whether a service organization’s controls are designed effectively as of a specific date. Often times, a Type I report is a great option if you need to provide your customers with a report quickly and this is the first time you are going through a SOC 2 audit.
A SOC 2 Type II report covers a period of time and determines whether a service organization’s controls are designed and operating effectively for that period of time. Type II reports can cover anywhere between 6 to 12 months depending on the period that best suits the service organization and its customers. This report is a great option if your organization has already undergone a SOC 2 Type I report, if your organization has the time to start with a SOC 2 Type II, or if your customers require a report covering a period of time. Refer to our article on SOC Report Types for further details on Type I and Type II reports.
Who Can Perform A SOC 2 Audit?
Licensed CPA firms are the only organizations that can perform a SOC audit. You will want to select a CPA firm that specializes in information security audits to perform a SOC 2. Additionally, you will want to select a firm that has not only licensed CPAs but also auditors with IT audit experience, typically CISAs and/or CISSPs. We recommend you request the resumes or bios of the auditors that will be working on your report to validate their experience as well.
When selecting an auditor to perform your SOC 2, the cost of the report will also be a factor. Firm’s prices vary widely when it comes to a SOC 2 report.
How Much does a SOC 2 Audit Cost?
As we stated above, prices vary widely when it comes to a SOC 2 report. Many factors go into pricing a SOC 2 report, including the scope of the audit, the number of TSC’s being covered, the number of locations and the size of the organization. Additionally, if this is the first time your organization is going through a SOC 2 audit you will also want to perform a readiness assessment. Inquire with the firm if a readiness assessment is included in their quote for the SOC 2 report or if that will be an additional fee.
For more information on the cost of a SOC 2 report see our article, How Much Does a SOC Audit Cost? Continue reading for further information on readiness assessments.
How Do I Prepare for a SOC 2 Audit?
If this is the first time your organization is undergoing a SOC 2 audit, you will want to prepare by having your service auditor perform a readiness assessment. Since there is no SOC 2 audit checklist issued by the AICPA for organizations to use when preparing for a SOC 2 audit, a readiness assessment is the next best thing. A readiness assessment is used to assess an organization’s preparedness for a SOC 2 examination and identify any potential gaps for remediation prior to starting fieldwork for the audit.
Every readiness assessment is different, as there is also no SOC 2 readiness assessment checklist. The goal of the readiness assessment is for the organization to identify processes’ and controls that will be relevant to the SOC 2 report and identify any associated weaknesses requiring remediation. This allows the organization to resolve any identified issues prior to starting their SOC 2 examination and hopefully will result in a surprise free audit.
Additionally, the readiness assessment will give the organization an idea of the processes that will be covered, questions that will be asked and evidence that will be requested by their service auditor when they come back to perform the fieldwork for the SOC 2 audit.
By performing a readiness assessment prior to starting your SOC 2 examination you will be setting your organization up for success. For further information on readiness assessments refer to our article, Readiness Assessments – Preparing for your SOC Audit.
How Long Does it Take to Become SOC 2 Compliant?
The answer to how long it will take to become SOC 2 compliant is dependent on whether you are doing a SOC 2 Type I or a SOC 2 Type II report and the results of your organization’s risk assessment. If your organization has decided to do a Type I report, this process is typically much faster than a Type II. Since a Type I report covers a point in time, depending on service auditor availability and their method/timeline for fieldwork, you may be able to get a SOC 2 Type I report in your hands within a couple of months.
If your organization has decided to go with a Type II report, meaning a period of time is being covered, your organization will need to wait the length of the period before a report can be issued. Additionally, if gaps/weaknesses are identified in the risk assessment, then your organization will need to remediate them prior to starting the period for a Type II or fieldwork for a Type I report.
Even though there isn’t an official SOC 2 audit checklist, we have tried to educate you on what you will need to consider prior to undergoing a SOC 2 audit:
- Why do you need a SOC 2? Are your customers asking you for one?
- What exactly is included in a SOC 2?
- Do you need a SOC 2 Type I or Type II?
- What kind of firm can perform a SOC 2 audit?
- How much does obtaining a SOC 2 report cost?
- What do you need to do to prepare for a SOC 2 audit and how long will it take?
Every organization is different, which makes every SOC 2 report and preparing for the audit different. Answering the questions above and working with a quality CPA firm like Linford & Company will help set you up for success when starting the journey to becoming SOC 2 compliant.
For further questions on how to become SOC 2 compliant please contact us to request a consultation.
Megan Kovash works primarily on SOC audits with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Masters of Accountancy with the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions to better her client’s business.