What is SOC 2? An Expert’s Guide to Audits, Reports, Attestation, & Compliance

What is SOC 2?

With the proliferation of data breaches and hacks that occur today, it’s no wonder there is a greater focus on information security. SOC 2 reports are general use reports that provide assurance to user organizations and stakeholders that a particular service is being provided securely. A SOC 2 can also include criteria related to Availability, Confidentiality, Processing Integrity, and Privacy.

In this article, we will cover some common questions that come up related to SOC 2 reports. SOC 2 compliance does not have to be difficult although, with some of the terminology, it can initially be confusing. So what are SOC 2 reports and examinations? Let’s dive in!

What is SOC 2? What Does it Stand For?

A SOC 2 is a System and Organization Control 2 report. There are three types of SOC reports. See the AICPA website comparing the reports. Some companies struggle with the differences between SOC 1 and SOC 2 reports, and with whether they should get a SOC 1, SOC 2, or SOC 3. We start by asking prospective clients about the type of clients and stakeholders requesting the report, as well as the type of services provided to those clients. This allows us to assess whether the prospective client may impact the internal controls over financial reporting (ICFR) of its user organizations.

If a service organization can impact the ICFR of its user organizations, a SOC 1 report may be the best report option. If a service organization cannot impact its user organizations’ ICFR, but they can impact the security, availability, processing integrity, confidentiality, or privacy of their user organizations, then a SOC 2 may be the best report for the service organization’s clients.

Why is SOC 2 Important?

SOC 2 compliance demonstrates that your company has adequate controls in place governing information security in your environment. A SOC 2 is stronger than giving your word that you are compliant since it’s an independent audit performed by a third-party CPA firm.

What is SOC 2 Certification?

Although a SOC 2 is technically an attestation report, it’s very common for people to call a SOC 2 a certification. See the AICPA page related to attestation reports for more information, as well as this past blog post on qualified opinions.


What is a SOC 2 Report?

A SOC 2 report is a report that service organizations receive and share with stakeholders to demonstrate that general IT controls are in place to secure the service provided. SOC 2s differ from some other information security standards and frameworks because there is not a comprehensive list of “thou shalt” requirements. Instead, the AICPA provides criteria that may be selected by a service organization for inclusion in their SOC 2 report to demonstrate they have controls in place and operating effectively to mitigate risks to the service they provide.

[Infographic: SOC 2 Report Structure]

Understanding SOC 2 Report Structure

The SOC 2 report structure is similar to a SOC 1 report structure, which we outlined in our article What is a SOC 1 Report?, and consists of:

  • Description of Tests of Controls and Results of Testing


What is SOC 2 Compliance? Understanding the Trust Services Criteria (TSCs)

Trust Services Criteria (TSC) are the domains or scope covered in a SOC 2 report. Not all TSCs are required. In fact, only the common criteria are required (also referred to as the Security TSC). Other TSCs should be added to a report to answer common risk-related questions received from clients or to address risks facing the company and its unique service offering. For example, if the availability of healthcare data is extremely important to a service offering, then the availability criteria may be included in the SOC 2 report in addition to the security criteria.

We have had prospective clients say they wanted all of the TSCs included within their SOC 2 report because they wanted it to be the strongest report possible. While the logic makes sense, not all TSCs may apply to a particular client’s service. For example, if your company does not process transactions, processing integrity is probably not applicable.

We have heard of firms including TSCs when they are not applicable within a report and then explaining why they are not applicable within the report. That’s not advised. Your best bet is to select criteria that are applicable to your services and answer the risk-related questions you hear most from your clients and prospective clients.


The Trust Services Criteria are noted below:

  • Security – The system is protected against unauthorized access (both physical and logical).
  • Availability – The system is available for operation and use as committed or agreed.
  • Confidentiality – Information that is designated “confidential” is protected according to policy or agreement.
  • Processing Integrity – System processing is complete, accurate, and authorized.
  • Privacy – The privacy criteria should be considered when “personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.”

What Are the Benefits of SOC 2 Compliance?

  • Differentiate yourself from your competitors
  • Identify controls relevant to your clients and test those controls to validate the controls’ design and operation
  • Develop more controlled and consistent processes
  • In some cases, you can’t enter a particular market without a SOC 2. For example, if you are selling to financial institutions, they will almost certainly require a Type II SOC 2 report.


Who Needs a SOC 2 Report?

Typically, service organizations that process or store sensitive data for their clients receive SOC 2 reports. Many SaaS companies, data centers, and managed service providers receive SOC 2 reports. SOC 2 has been widely accepted as a U.S. standard for information security. As a result, some non-traditional service providers are receiving SOC 2s. For example, law firms, consultancies, and cryptocurrency services are starting to receive SOC 2 reports.

What is the Purpose of a SOC 2 Report?

The trend towards cloud computing and outsourcing, in general, has fueled the need for SOC 2 reports in the U.S. SOC 2 reports allow a service organization to provide assurance to its stakeholders that the service is being provided in a secure and reliable manner.

Learn more in our article, Leveraging the AWS SOC 2: How to Build a SOC 2 Compliant SaaS.


Other Common Questions About SOC 2 Reports

The following are a couple of questions that we hear often related to SOC 2 reports.

Is There a SOC 2 Checklist or Shortcut?

There is no checklist, but the AICPA’s SOC 2 criteria can be obtained and reviewed. So how do you get it? You can buy it from the AICPA or contact us for a consultation. The criteria contain requirements related to each of the TSCs outlined above. The requirements may be met in a variety of ways, so there is no one-size-fits-all checklist for SOC 2 compliance; it depends on the services provided by the service organization. The SOC 2 criteria also went through a recent update.

What is a SOC 2 Type 2 Report?

SOC 2 reports can be Type 1 (aka Type I) or Type 2 (aka Type II) reports.

Type I SOC 2 reports are dated as of a particular date and are sometimes referred to as point-in-time reports. A Type I SOC 2 report includes a description of a service organization’s system and a test of the design of the service organization’s relevant controls. In other words, a Type I SOC 2 tests the design of a service organization’s controls, but not their operating effectiveness.

Type II SOC 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test the design and operating effectiveness of key internal controls over a period of time.


How Much Does a SOC 2 Report Cost?

SOC 2 examinations are not cheap and fees depend on a number of factors. Factors include the scope of services included within the report, the TSCs included, the size of the organization, and the number of in-scope systems and processes.

For example, if a company has three different patch management processes to ensure servers and workstations stay up to date, the auditor will need to gain assurance that each of those processes is designed and operating effectively. Learn more in our article, How Much Does A SOC Audit Cost?

Who Can Perform a SOC 2 Audit?

Licensed CPA firms that specialize in information security audits are the only organizations that should perform SOC 2 examinations. See our article “Who Can Perform a SOC Audit?” to learn more.

How Do I Become SOC 2 Compliant?

SOC 2 compliance does not have to be difficult. If you have questions on which TSCs to include in your SOC 2 or what the process for receiving a SOC 1 audit or SOC 2 audit entails, please contact us to request a consultation.

This article was originally published on 11/22/2017 and was updated on 11/23/2022.

4 thoughts on “What is SOC 2? An Expert’s Guide to Audits, Reports, Attestation, & Compliance”

  1. If our company’s systems house customer data for our own business needs (but that obviously impact the customer’s financials and security), at what point are we considered a service provider and need to prepare a SOC 1 or SOC 2 to provide to the customer?

  2. It sounds like your company is a service provider since your systems impact your customer’s financials and security. That said, unless your clients (or you anticipate that your clients) are asking for a SOC report, I’m not sure I would go down the road of obtaining one. Of course, this doesn’t diminish the need to have a robust internal control environment within your company. Not all, but virtually all, companies that go through a SOC examination do so at the behest of their clients or would-be clients. Hope this helps some.

  3. Is it possible to SOC 2 attest a service dependent on people-services? For example: a development company.
    What systems should I “secure” in such a scenario?
    I was thinking that only SaaS services can be SOC 2 reported.

  4. An organization does not have to be a SaaS to be evaluated against the SOC 2 criteria. If your “people”, processes, and technology can be evaluated against the SOC 2 criteria, then it may be possible for your organization to obtain a SOC 2 audit report.
