SOC 2 Type 2 Reports – A Comprehensive Guide


In recent years, as the digital landscape has evolved with the growth of cloud-based environments and tools, SOC 2 Type 2 (also written as Type II) reports have emerged as a basis of trust and assurance for organizations and their stakeholders. But what exactly constitutes a SOC 2 Type 2 report, and why is it important in today’s business landscape? This article aims to shed light on these questions, as well as provide answers to other common and frequent questions we receive related to SOC 2 Type 2 reports.

What is a SOC 2 Type 2 Report?

A SOC 2 Type 2 report provides an assessment of a service organization’s internal controls based on the applicable trust services criteria – security, availability, processing integrity, confidentiality, and privacy. The report demonstrates to customers and other stakeholders that controls are suitably designed and operating effectively to achieve the specified criteria. The key differentiators for a SOC 2 Type 2 report are that the assessment covers a period of time and addresses the operating effectiveness of controls.

The term SOC, system and organization controls, refers to the suite of services developed by the American Institute of Certified Public Accountants (AICPA), which includes SOC 1, SOC 2, and SOC 3 reports.

Scope of a SOC 2 Type 2

What is the Scope of a SOC 2 Type 2 Report?

The audit scope of a SOC 2 Type 2 report is twofold. The first consideration is the subject matter being audited. For a SOC 2, this is the system or service that is provided to customers or user entities. For example, for a company providing a SaaS application, the scope of the audit will address the specified application as well as the IT infrastructure, systems, and other internal controls used to support the application, and the services related to providing the application.

The second consideration is determining the applicable AICPA trust services criteria to include in the report. All SOC 2 Type 2 reports cover the security criteria, which are known as the common criteria. Additional criteria may be selected, which include availability, confidentiality, processing integrity, and privacy. The trust services criteria are classified as follows:

TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022)

  • Security – “Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.”
  • Availability – “Information and systems are available for operation and use to meet the entity’s objectives.”
  • Processing integrity – “System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”
  • Confidentiality – “Information designated as confidential is protected to meet the entity’s objectives.”
  • Privacy – “Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.”

Which Criteria Should Be Included in a SOC 2 Type 2 Report?

The determination of the applicable trust services criteria for a SOC 2 Type 2 report is largely based on the system or service being provided and the service commitments the service organization makes to its user entities. As an example, a company dealing with healthcare data may consider including the confidentiality and privacy criteria, in addition to security, based on the sensitivity of the data being handled.

What Controls Are Included in a SOC 2 Type 2 Report?

Controls in a SOC 2 Type 2 report are determined by the selected trust services criteria. However, while the trust services criteria are prescribed, the controls to meet those criteria are not, and organizations can utilize a variety of different controls that are specific to and tailored to their organization and environment.

Content of a SOC 2 Type 2

What is the Content of a SOC 2 Type 2 Report?

The look and feel of a SOC 2 Type 2 report, as well as the specific controls and procedures, will vary between organizations and audit firms, but the general content and structure of SOC 2 Type 2 reports are the same. The following are the various sections you will find in the report:

  • Service Auditor’s Report – provides an overview of the auditor’s assessment and expresses an opinion on the description of controls and on the design and operating effectiveness of the controls stated in the description.
  • Management Assertion – a written assertion by management about whether the system description aligns with defined criteria and if controls were designed and operated effectively to meet service commitments and system requirements based on the applicable trust services criteria.
  • System Description – describes the service organization’s system of controls and procedures related to the in-scope service and criteria.
  • Tests of Controls – describes the auditor’s tests of controls and results.

Some reports may contain additional sections to show the mapping of controls to criteria or other frameworks and include a section for management responses to control issues that were noted in the report.

What Are Complementary Subservice Organization Controls (CSOCs)?

A service organization may use third parties (e.g., to provide a service, software, etc.) to achieve its service commitments and system requirements. The service organization will rely on these third parties, also known as subservice organizations, to perform specific controls related to the services provided. For example, a service organization that uses a colocation data center would rely on physical security controls that are the responsibility of the organization managing the colocation data center. The controls that the service organization expects to be in place at the subservice organization are the CSOCs. The CSOCs are documented as part of the system description in a SOC 2 Type 2 report.

See our article Monitoring Controls at Subservice Organizations for more information regarding service organizations’ responsibility to monitor controls at their subservice organizations.

What Are Complementary User Entity Controls (CUECs)?

Similar to CSOCs, CUECs are those controls that the service organization expects the user entity to perform in order for the trust services criteria to be met. For example, for a SaaS application where user entities are given the ability to add and remove their own users, the service organization would expect user entities to have controls in place to monitor and secure access to the application. The CUECs are also documented as part of the system description within the SOC 2 Type 2 report.

How to Obtain a SOC 2 Type 2 Report

How Do I Get a SOC 2 Type 2 Report?

A SOC 2 Type 2 report can only be issued by a certified public accountant (CPA) or CPA firm. Those seeking to obtain a SOC 2 Type 2 report for their organization or product will need to engage a licensed CPA firm to perform the audit. The auditor will assist the organization with drafting the management assertion and system description, which describe the scope and controls that are evaluated as part of the SOC 2.

How Much Does a SOC 2 Type 2 Cost?

SOC 2 Type 2 audit costs vary, but audits typically range from $20,000 to $100,000. The fee will vary based on factors such as the following:

  • The trust services criteria selected for the report
  • The number of in-scope applications, tools, and services
  • The complexity of the control environment
  • The number of employees/contractors in the organization
  • The number of physical locations and whether they require site visits for review of relevant controls

Refer to our article How Much Does a SOC Audit Cost for more detailed information regarding the factors that influence the cost.

What Does a SOC 2 Type 2 Audit Look Like?

For a SOC 2 Type 2 audit, the service auditor will meet with responsible parties to walk through and understand the controls and related processes described in the report. In addition, the auditor will request documentation that supports the performance of the control activities throughout the period under review. Depending on the frequency or occurrence of the control activities, samples will be selected across the period under review. Following the completion of the audit testing, the auditor will compile the results and draft the report. The audit process can take anywhere from a week to a month or more depending on the complexity of the audit and the responsiveness of the organization.

Timeline for a SOC 2 Type 2

How Long Does a SOC 2 Type 2 Take to Complete?

A SOC 2 Type 2 report covers a period of time, generally 6, 9, or 12 months, with 12-month reports being the most common. However, while the audit will be performed over controls and procedures that occurred within the specific timeframe, the audit itself will typically only last a few weeks, depending on the complexity of the service and the number of different components that are in scope. The audit may be broken up into separate touchpoints during the year or done close to the period’s end. The final SOC 2 Type 2 report is made available following the end of the audit period, generally within a month or two after the period end date. See our article How Long Does a SOC Examination Take for more details regarding the length of time to complete a SOC 2 Type 2 audit.

How Long Does a SOC 2 Type 2 Certification Last?

Technically there is no SOC 2 Type 2 certification, although it is commonly referred to as a “certification”; rather, a SOC 2 Type 2 is an attestation report that can be provided to user entities to demonstrate the controls that are in place at a service organization. In general, the expectation is that a new report be issued annually, or more frequently for a shorter report period, so that there is no gap between reporting periods. For example, if a 12-month report is performed for January through December, it is expected that a new SOC 2 Type 2 report be issued covering January through December of each subsequent year.

The Importance of a SOC 2 Type 2

Why Do You Need a SOC 2 Type 2 Report?

Here are some main reasons service organizations obtain a SOC 2 Type 2 report:

Customer Assurance/Requirements

A SOC 2 Type 2 report demonstrates an organization’s commitment to security and the other selected criteria and provides assurance to customers that adequate controls are in place and operating effectively over a period of time. Further, many more customers and potential customers in the marketplace today are asking for security assurances, a request that is often satisfied with a SOC 2 Type 2 report. Additionally, instead of responding to several different security questionnaires or audit inquiries from user entities, a SOC 2 Type 2 report can be provided to fulfill those requests.

Compliance

Similar to customers requiring assurance, regulators and business partners may request SOC 2 Type 2 reports to satisfy legal or regulatory obligations or requirements.

Risk Management/Internal Reviews

By undergoing annual audits, organizations may identify risks or weaknesses within their environment that they can proactively mitigate as part of the audit cycle. Further, ongoing audits tend to promote more consistency and attention to detail related to key processes and controls and provide a purpose for internal reviews and evaluations.

Operating Effectiveness

Compared to a SOC 2 Type 1 report, the Type 2 report assesses the operating effectiveness of controls over the review period, which user entities and other stakeholders may find more useful.

See our article on SOC Benefits Beyond Compliance for more information regarding the benefits of a SOC 2 Type 2 report.

Who Can I Share My SOC 2 Type 2 Report With?

SOC 2 Type 2 reports are intended for service organization management and other parties who have sufficient knowledge and understanding of the system. In general, the report is restricted to service organization management, user entities, business partners, practitioners providing services to user entities and business partners (such as auditors), prospective user entities and business partners, and regulators. A SOC 2 Type 2 report is not a general-use report and should not be made publicly available.

Preparing for a SOC 2 Type 2

How Can I Prepare For a SOC 2 Type 2 Report?

Once the scope of the SOC 2 Type 2 report has been determined, organizations will need to identify, and in some cases, design and implement, control procedures that address the applicable trust services criteria. Further, consideration will need to be given to control documentation and how organizations will evidence that the control activity was performed. Depending on the maturity of the control environment at the organization, preparing for a SOC 2 Type 2 examination can require significant work in preparing policies and documentation standards, implementing and refining control activities, and training personnel.

An audit firm, such as Linford & Co., may perform a SOC readiness assessment to help you identify gaps in your control environment as well as control issues as they relate to the applicable trust services criteria.

Summary

The responses in this article address frequently asked questions we have received related to SOC 2 Type 2 compliance. If you have questions about this article or would like to learn more about how to get started with a SOC 2 Type 2 report, please contact us.

Linford & Company is an independent CPA firm with a team of external auditors specializing in SOC 2 assessments and various other audit services. Linford & Company has helped many new clients start their SOC 2 journey, including identifying the boundaries of their system, determining the criteria needed in their examination, and identifying relevant controls. All clients are provided these services as part of the readiness assessment.