With the proliferation of data breaches and hacks that occur today, it’s no wonder there is a greater focus on information security. SOC 2 reports are general use reports that provide assurance to user organizations and stakeholders that a particular service is being provided securely. A SOC 2 can also include criteria related to Availability, Confidentiality, Processing Integrity, and Privacy.
In this article, we will cover some common questions that come up related to SOC 2 reports. SOC 2 does not have to be difficult, although some of the terminology can be confusing at first. So what are SOC 2 reports? Let’s dive in!
What Is a SOC 2 Report?
So what exactly is a SOC 2 report? A SOC 2 report is a report that service organizations receive and share with stakeholders to demonstrate that general IT and business internal controls are in place to secure the service provided. SOC 2 differs from some other information security standards and frameworks because there is not a comprehensive list of “thou shalt” requirements. Instead, the AICPA provides criteria that may be selected by a service organization for inclusion in their SOC 2 report to demonstrate they have controls in place and operating effectively to mitigate risks to the service they provide.
What Is the Purpose of a SOC 2 Report?
A SOC 2 report shows stakeholders of service providers that they are following good security practices within their organization. In many cases, SOC 2s are required to do business with larger organizations such as financial institutions. Before a financial institution or other user organization will outsource a process to a service provider, they want to be sure that their client’s data will be adequately protected. SOC 2s can also answer questions about availability, confidentiality, processing integrity, and privacy.
Who Needs a SOC 2 Report & Why?
Service organizations that provide a critical service to their clients or possess sensitive data belonging to their clients may need a SOC 2 report to demonstrate that they are taking the appropriate care to secure their environment and safeguard sensitive data.
What Are the Key Components of a SOC 2 Report?
The SOC 2 compliance report structure is similar to a SOC 1 report structure, which we outlined in our article What is a SOC 1 Report?, and consists of:
- Other Information
- The Opinion Letter
- Management’s Assertion
- Description of the System
- Description of Tests of Controls and Results of Testing
What Are the Trust Services Criteria (TSCs) Within a SOC 2 Report? A Closer Look at the Trust Service Criteria.
Trust Services Criteria (TSC) are the domains or scope covered in a SOC 2 report. Not all TSCs are required. In fact, only the common criteria are required (also referred to as the Security TSC). Other TSCs should be added to a report to answer common risk-related questions received from clients or to address risks facing the company and its unique service offering. For example, if the availability of healthcare data is extremely important to a service offering, then the availability criteria may be included in the SOC 2 report in addition to the security criteria.
We have had prospective clients say they wanted all of the TSCs included within their SOC 2 report because they wanted it to be the strongest report possible to demonstrate maximum compliance. While the logic makes sense, not all TSCs may apply to a particular client’s service. For example, if your company does not process transactions, processing integrity is probably not applicable.
We have heard of firms including TSCs when they are not applicable within a report and then explaining why they are not applicable within the report. That’s not advised. Your best bet is to select criteria that are applicable to your services and answer the risk-related questions you hear most from your clients and prospective clients.
The Trust Services Criteria are noted below:
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Confidentiality – Information that is designated “confidential” is protected according to policy or agreement.
- Processing Integrity – System processing is complete, accurate, and authorized.
- Privacy – The privacy criteria should be considered when “personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.”
How Can a SOC 2 Report Help My Organization?
SOC 2 Type II audit reports demonstrate that a company has IT general controls in place and operating to meet the AICPA’s Trust Services Criteria that are included in the scope of the report. A SOC 2 is a third-party attestation report. That means that an auditor provides an opinion on management’s assertion that they are meeting certain SOC 2 criteria. Since a SOC 2 comes from an independent third-party auditor, it carries more weight with clients and stakeholders than simply giving your word that you have strong internal controls in place.
What Are the Benefits of SOC 2 Reports?
- Provide assurance to stakeholders that internal controls are in place to mitigate security, availability, confidentiality, processing integrity, and privacy risks.
- Reduce the number of security questionnaires being responded to by providing a SOC 2 report.
- Implement more secure processes and reduce the risk of costly data breaches.
- Reduce barriers to selling your product in certain highly regulated industries.
What Are the Consequences of Not Having a SOC 2 Report?
The main consequence of not having a SOC 2 report could be a loss of business and revenue for a service organization. Service organizations that do not have a SOC 2 report may not be able to do business with user organizations if they are in more regulated industries.
Also, security questionnaires can be long, and responding to them may start to take up too much of one person’s time. SOC 2s help when responding to user organization security queries and in some cases may be provided in their place.
Other Common Questions About SOC 2 Reports
The following are some questions we hear often related to SOC 2 reports.
What Is a Type II SOC 2 Report?
Type I SOC 2 reports are dated as of a particular date and are sometimes referred to as point-in-time reports. A Type I SOC 2 report includes a description of a service organization’s system and a test of the design of the service organization’s relevant controls. A Type I SOC 2 tests the design of a service organization’s controls, but not the operating effectiveness.
Type II SOC 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test the design and operating effectiveness of key internal controls over a period of time.
How Much Does a SOC 2 Report Cost?
SOC 2 examinations are not cheap and fees depend on a number of factors. Factors include the scope of services included within the report, the TSCs included, the size of the organization, and the number of in-scope systems and processes.
For example, if a company has 3 different patch management processes to ensure servers and workstations stay up-to-date, the auditor will need to gain assurance that each of those processes is designed to operate effectively. Learn more in our article, How Much Does A SOC Audit Cost?
Who Can Perform a SOC 2 Audit?
Licensed CPA firms that specialize in information security audits are the only organizations that should perform SOC 2 examinations. See our article “Who Can Perform a SOC Audit?” to learn more.
How Long Does a SOC 2 Audit Take?
There are several factors that determine how long a SOC 2 audit might take. First, if you have strong internal controls already in place or if you have been through another compliance audit, that will certainly speed up the process. There are companies that promise SOC 2 compliance in a short period of time (e.g. two weeks). While going through a SOC 2 audit in two weeks is possible, it’s not likely you could have a SOC 2 report in as little as two weeks because it takes time to complete the testing and issue the report. See our past posts related to how long it takes to get a SOC report and how long it will take to get your first SOC report.
Another factor is whether the audit firm has the availability to perform the audit. Some audit firms book up almost a year in advance and it takes time to make it on their schedule. Another factor is competing priorities within the service organization. Approximately 40-80 hours may need to be dedicated to complete a first-year SOC 2 audit. If a service organization is heads down working on the product they are creating, a 40-80 hour impact may not be tolerable. Clients have to dedicate the time to complete the process, and if they can’t dedicate the time, that can slow things down.
How Often Are SOC 2 Reports Updated?
Type II SOC 2 reports are generally received on an annual basis and cover a twelve-month period. In the first year, some companies choose to receive a Type I SOC 2 since the report can generally be delivered faster (e.g., readiness assessment, remediation, issue Type I SOC 2). Also, some companies have to get a Type II SOC 2 for the first report to satisfy a client obligation or contract. In those cases, a company may choose to receive a report with a shorter examination period (e.g., readiness, remediation, wait six months, perform the SOC 2 audit).
How Can I Ensure My SOC 2 Report is Accurate?
It is up to both the audit firm performing the SOC 2 as well as the company receiving the SOC 2 to confirm the accuracy of the report prior to issuance. Potential issues should be confirmed by the auditor with the client and management prior to issuing the draft report. Management should read the report carefully and confirm both the language in Section III (process narratives) as well as the controls identified in Section IV are accurate.
Who Should Review the SOC 2 Report?
It’s up to the auditor to develop the test procedures to confirm the controls are operating. However, management should review the test procedures for each control and confirm that they address the correct control and that there was no better evidence that could have been provided to strengthen the test of the control (e.g., the auditor confirmed via inquiry that a review took place, but there is a documented memo that the review took place, so the auditor could use an inspection test procedure, which is stronger).
Who Will Be Held Accountable if There Are Inaccuracies in the SOC 2 Report?
It is up to both clients and their auditors to confirm the accuracy of the SOC 2 report prior to issuance. There are different types of inaccuracies that could make it into a SOC 2 report.
- One type is if the client overstates a control or provides evidence that is inaccurate to justify the performance of a control.
- Another type is if the audit firm doesn’t adequately understand the internal controls and processes that are in place. In that case, they could look at the wrong evidence in an attempt to test the control.
- A third type of inaccuracy in the report could be that the audit firm did not follow the appropriate AICPA guidance for compiling the report. That type of inaccuracy may be more difficult for a client to identify, but SOC audit firms are required to go through a peer review process every three years. This process includes reviewing a sample of reports, as well as the underlying evidence, to confirm that the firm followed the appropriate guidance and there were no inaccuracies in reporting.
In summary, a SOC 2 report is a report that a service organization receives related to Security, Availability, Confidentiality, Privacy, or Processing Integrity. All SOC 2s include the common criteria, which cover Security, and may optionally add additional criteria that are relevant to the service organization’s user organizations. SOC 2s are needed when a service organization provides a critical service to its customers and mistakes by the service organization could result in data breaches of sensitive information or loss of revenue.
This article was originally published on 11/22/2017 (as part of another article) and was updated on 8/21/2023.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.