With the proliferation of data breaches and hacks that occur today, it’s no wonder there is a greater focus on information security. SOC 2 reports are general use reports that provide assurance to user organizations and stakeholders that a particular service is being provided securely. A SOC 2 can also include criteria related to Availability, Confidentiality, Processing Integrity, and Privacy.
In this article, we will cover some common questions that come up related to SOC 2 reports. SOC 2 compliance does not have to be difficult, although some of the terminology can be confusing at first. So what are SOC 2 reports and examinations? Let’s dive in!
What is SOC 2 Certification?
While there is no such thing as a SOC 2 certification, many still refer to a clean SOC 2 report as a certification. A SOC 2 is actually an attestation report. A CPA firm attests that controls are in place and either designed effectively (Type I SOC 2), or designed effectively and operated effectively over a period of time (Type II SOC 2). Management asserts that controls are in place to meet the SOC 2 criteria and a CPA firm provides an opinion on whether or not they agree with management’s assertion.
In many cases, the opinion is positive and the CPA firm agrees with management’s assertion. In some cases, the CPA firm does not agree with management’s assertion and provides a qualified or adverse opinion. See this past blog post on qualified opinions. Although a SOC 2 is technically an attestation report, it’s very common for people to call a SOC 2 a certification. See the AICPA page related to attestation reports for more information.
What is a SOC 2 Report?
A SOC 2 report is a report that service organizations receive and share with stakeholders to demonstrate that general IT controls are in place to secure the service provided. SOC 2s differ from some other information security standards and frameworks because there is not a comprehensive list of “thou shalt” requirements. Instead, the AICPA provides general criteria that can be selected by a service organization to demonstrate they have controls in place to mitigate risks to the service they provide.
This can be a bit annoying for some first-time clients since there isn’t one right answer for how to address the applicable criteria. Instead, a good auditor’s job is to identify what is already being done by their clients to meet the applicable criteria. In some cases, there are gaps and clients must implement new controls. In other cases, existing controls need to be tweaked slightly to better address the criteria. Our goal is for our clients to meet the selected criteria while creating as little impact and additional overhead as possible when remediating controls.
What is SOC 2 Compliance? The Trust Services Criteria (TSC)
A service organization selects the SOC 2 TSCs that address the security, availability, confidentiality, processing integrity, or privacy risks related to the use of the service organization’s services. At a minimum, SOC 2 reports must include the Security or Common Criteria. The other TSCs can be added depending on the needs of user organizations.
Recently we had a prospective client say they wanted all of the TSCs included within their report because they wanted it to be the strongest report possible. While the logic makes sense, not all TSCs may apply to a particular client’s service. For example, if your company does not process transactions, processing integrity is probably not applicable. We have heard of firms including TSCs when they are not applicable within a report and then explaining why they are not applicable within the report. That’s not advised. Your best bet is to select criteria that are applicable to your services and answer the risk related questions you hear most from your clients and prospective clients.
The Trust Services Criteria are noted below:
- Security – The system is protected against unauthorized access (both physical and logical). Examples of commonly reviewed SOC 2 security controls include logical access to infrastructure and key systems such as source code repositories, password parameters, firewalls, network device configurations, and the physical security controls that protect key infrastructure.
- Availability – The system is available for operation and use as committed or agreed. The availability criteria require that a company has a documented business continuity and disaster recovery plan and procedures. It also requires periodic backups and recovery tests.
- Confidentiality – Information that is designated “confidential” is protected according to policy or agreement. The confidentiality criteria are often confused with the privacy criteria. Most companies have a requirement to protect confidential information that is shared with them by other companies they do business with. Not all companies deal directly with data subjects and gather personal information directly. If a company agrees to control access to certain confidential information within an agreement with another company, a SOC 2 that includes confidentiality may be relevant. If your company deals directly with data subjects and you are gathering confidential information, then privacy may be more relevant to your SOC 2.
- Processing Integrity – System processing is complete, accurate, and authorized. Processing integrity is not included within SOC 2s as frequently as the availability and confidentiality TSCs. Processing integrity may be relevant to companies that process transactions such as payments. The auditor will review evidence that processing is complete and accurate and processing errors are captured and corrected.
- Privacy – Per the AICPA, the privacy criteria should be considered when “personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.” It’s important to note that the privacy criteria apply to personal information. This differs from the confidentiality criteria, which apply to other types of sensitive information. The AICPA’s privacy criteria are not commonly included within SOC 2 reports. One reason is that privacy in the U.S. follows a sectoral approach where different industries have different privacy rules. This is unlike GDPR in the E.U., where there is a blanket privacy regulation that all companies must comply with. The AICPA’s privacy criteria may be relevant if your company deals directly with data subjects and you are gathering personal information from those subjects. Data subjects must have the ability to opt in and opt out of the service, as well as the ability to request that all their data be provided and deleted when they opt out.
What Does SOC 2 Stand For?
A SOC 2 is a System and Organization Control 2 report. There are three types of SOC reports. See the AICPA website comparing the reports. Some companies struggle with the differences between SOC reports, and whether they should get a SOC 1, SOC 2, or SOC 3. We start by asking prospective clients about the type of clients and stakeholders asking for the report as well as the type of services provided to clients. This allows us to assess whether the prospective client’s services may impact the internal controls over financial reporting (ICFR) of its user organizations.
If a service organization can impact the ICFR of its user organizations, a SOC 1 report may be the best report option. If a service organization cannot impact its user organizations’ ICFR, but they can impact the security, availability, processing integrity, confidentiality, or privacy of their user organizations, then a SOC 2 may be the best report for the service organization’s clients.
SOC 2 Report Structure
The SOC 2 report structure is similar to a SOC 1 report structure, which we outlined in our SOC 1 article, and consists of:
- Other Information
- The Opinion Letter
- Management’s Assertion
- Description of the System
- Description of Tests of Controls and Results of Testing
Who Needs a SOC 2 Report?
Service organizations that do not materially impact the ICFR of their user organizations, but do provide key services to user organizations may need a SOC 2 report.
What is the Purpose of a SOC 2 Report?
The trend towards cloud computing and outsourcing in general has fueled the need for SOC 2 reports in the U.S. SOC 2 reports allow a service organization to provide assurance to its stakeholders that the service is being provided in a secure and reliable manner. Think of a data center company that provides services to hundreds of clients across a variety of industries. The data center could receive a SOC 2 report to provide assurance to its stakeholders that certain controls are in place and were operating effectively to meet applicable SOC 2 criteria. Without the SOC 2 report, the same data center may open itself up to hundreds of audits from its clients. Multiple audits from clients may not be supportable by the data center’s staff and resources. The data center “picks its poison,” so to speak, and selects its own auditor rather than opening itself up to hundreds of potential audits. This is the purpose of receiving a SOC 2 report.
SOC 2 Report Example
Many companies outsource IT infrastructure to service organizations, such as data centers and cloud hosting providers (e.g., Amazon’s AWS). What do these service organizations do to prove to clients and stakeholders that they are adequately protecting their servers and sensitive data? Service organizations receive SOC 2 reports to demonstrate they have certain controls in place to mitigate security, availability, confidentiality, processing integrity, or privacy risks. A SOC 2 report will include a CPA firm’s opinion on controls design and potential operating effectiveness over a period of time.
Using AWS as an example, many companies use AWS and request assurance from AWS that there are controls in place to mitigate the risk of AWS’ systems and data being compromised. AWS could attempt to provide different answers to every single client that asks security-related questions, but that would take too much time. Instead, AWS has selected an independent CPA firm to perform a SOC 2 examination (among many other AWS compliance exams). Then, rather than respond to all the questions regarding AWS’ security posture, AWS provides its SOC 2 report, which answers many of the common questions asked by its user organizations related to security, availability, confidentiality, processing integrity, and privacy.
Learn more in our article, Leveraging the AWS SOC 2: How to Build a SOC 2 Compliant SaaS.
Other Common Questions About SOC 2 Reports
Is There a SOC 2 Checklist or Shortcut?
There is no checklist, but the AICPA’s SOC 2 criteria can be obtained and reviewed. So how do you get it? You can buy it from the AICPA or contact us for a consultation. The criteria contain requirements related to each of the TSCs outlined above. The requirements may be met in a variety of ways, so there is not a one-size-fits-all checklist for SOC 2 compliance. It is dependent on the services provided by a service organization. The SOC 2 criteria also went through a recent update. See our blog post on the updated SOC 2 criteria, which now more closely align with COSO.
What about Automated SOC 2 Compliance Tools?
Many of our current clients are finding benefits in using automated SOC 2 compliance tools to help manage their SOC 2 compliance. In some cases, the tools are continuously monitoring controls relevant to a company’s SOC 2 compliance posture. Then, when it’s time to go through a SOC 2, the company’s auditor can log into the tool and see independently how the controls have been operating over a period of time. Some tools use agents installed on servers and workstations that report back to the tool continuously on relevant SOC 2 controls.
Examples of workstation controls that are monitored include hard drive encryption, operating system level, antivirus installed, and screensaver lockout enabled. While there is no one-size-fits-all approach to SOC 2 compliance (all companies are different), compliance tools can help make a first-time audit more manageable by listing a finite set of tasks required for remediation. Once the remediation tasks are completed, a company has reasonable certainty it will be successful in a first-time SOC 2.
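To make the monitoring idea concrete, here is an added illustrative example (not code from the original article or from any compliance tool vendor) of how agent-reported workstation posture can be evaluated against the four controls named above. The report format, the field names, and the thresholds (minimum OS version, maximum screen lock timeout, maximum antivirus signature age) are all assumptions constructed for this example. A field the agent did not report is treated as "unknown" rather than as a pass, since missing evidence is itself a finding an auditor would raise.

```python
"""Evaluate constructed workstation posture reports against SOC 2 style controls.

Illustrative example only: the JSON-lines report format, field names and
policy thresholds below are assumptions, not any vendor's schema.
"""
import json
from typing import Dict, List

MIN_OS_VERSION = (12, 0)          # assumed minimum supported OS version
MAX_LOCK_TIMEOUT_SECONDS = 900    # assumed: screen must lock within 15 minutes
MAX_AV_SIGNATURE_AGE_DAYS = 7     # assumed: signatures older than a week fail

CONTROLS = ("disk_encryption", "os_version", "antivirus", "screen_lock")

# Constructed sample agent output, one JSON object per line; line 4 is
# deliberately malformed to show how unparseable evidence is handled.
SAMPLE_REPORTS = """\
{"host": "ws-001", "disk_encrypted": true, "os_version": "13.2", "antivirus": {"installed": true, "signature_age_days": 2}, "screen_lock_timeout_seconds": 600}
{"host": "ws-002", "disk_encrypted": false, "os_version": "13.0", "antivirus": {"installed": true, "signature_age_days": 20}, "screen_lock_timeout_seconds": 0}
{"host": "ws-003", "disk_encrypted": true, "os_version": "11.6", "antivirus": {"installed": false}}
this line is not valid json
"""


def parse_version(text: str) -> tuple:
    """Turn '13.2' into (13, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in str(text).split("."))


def evaluate_report(report: dict) -> Dict[str, str]:
    """Map each control to 'pass', 'fail' or 'unknown' for one workstation."""
    results: Dict[str, str] = {}

    enc = report.get("disk_encrypted")
    results["disk_encryption"] = "unknown" if enc is None else ("pass" if enc is True else "fail")

    try:
        results["os_version"] = "pass" if parse_version(report["os_version"]) >= MIN_OS_VERSION else "fail"
    except (KeyError, ValueError):
        results["os_version"] = "unknown"

    av = report.get("antivirus")
    if not isinstance(av, dict) or "installed" not in av:
        results["antivirus"] = "unknown"
    elif not av["installed"]:
        results["antivirus"] = "fail"
    elif "signature_age_days" not in av:
        results["antivirus"] = "unknown"      # installed, but freshness not evidenced
    else:
        results["antivirus"] = "pass" if av["signature_age_days"] <= MAX_AV_SIGNATURE_AGE_DAYS else "fail"

    timeout = report.get("screen_lock_timeout_seconds")
    if timeout is None:
        results["screen_lock"] = "unknown"
    elif timeout <= 0 or timeout > MAX_LOCK_TIMEOUT_SECONDS:   # 0 means lockout disabled
        results["screen_lock"] = "fail"
    else:
        results["screen_lock"] = "pass"
    return results


def evaluate_all(jsonl_text: str) -> Dict[str, Dict[str, str]]:
    """Evaluate every report line; a malformed line yields 'unknown' for all controls."""
    findings: Dict[str, Dict[str, str]] = {}
    for lineno, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            report = json.loads(line)
            host = report["host"]
        except (json.JSONDecodeError, KeyError, TypeError):
            findings[f"<malformed line {lineno}>"] = {c: "unknown" for c in CONTROLS}
            continue
        findings[host] = evaluate_report(report)
    return findings


def remediation_tasks(findings: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by the control needing remediation (anything that is not a pass)."""
    tasks: Dict[str, List[str]] = {c: [] for c in CONTROLS}
    for host, results in findings.items():
        for control, status in results.items():
            if status != "pass":
                tasks[control].append(host)
    return {c: hosts for c, hosts in tasks.items() if hosts}


if __name__ == "__main__":
    findings = evaluate_all(SAMPLE_REPORTS)
    for host, results in findings.items():
        print(host, results)
    print("remediation:", remediation_tasks(findings))
```

The per-control result dictionary is what an auditor would want to see over a period: one row per host per control, with "unknown" surfaced separately from "fail" so that gaps in the agent's coverage are remediated as well as the failing settings themselves.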
What is a SOC 2 Type 2 Report?
SOC 2 reports can be Type 1 (aka Type I) or Type 2 (aka Type II) reports.
Type I SOC 2 reports are dated as of a particular date and are sometimes referred to as point-in-time reports. A Type I SOC 2 report includes a description of a service organization’s system and a test of design of the service organization’s relevant controls. A Type I SOC 2 tests the design of a service organization’s controls, but not the operating effectiveness.
Type II SOC 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test the design and operating effectiveness of key internal controls over a period of time.
Learn more in our article, SOC Report Types: Type I vs Type II.
How Much Does a SOC 2 Report Cost?
SOC 2 examinations are not cheap and fees depend on a number of factors. Factors include the scope of services included within the report, the TSCs included, the size of the organization, and the number of in-scope systems and processes. For example, if a company has 3 different patch management processes to ensure servers and workstations stay up-to-date, the auditor will need to gain assurance that each of those processes is designed to operate effectively. Learn more in our article, How Much Does A SOC Audit Cost?
Who Can Perform a SOC 2 Audit?
Licensed CPA firms that specialize in information security audits are the only organizations that should perform SOC 2 examinations. There are some companies that perform SOC 2 audits and have a CPA firm sign off on their report even though the CPA firm did not perform the audit. We recommend staying away from that approach. We also recommend selecting a firm that has experienced IT auditors and not only financial audit CPAs. When selecting a firm to perform a SOC 2, we recommend asking for the resumes or bios of any of the auditors who will complete the work. Then, ensure the firm you select has auditors with the appropriate skills and expertise. Certifications such as CISA or CISSP are good to look for. Also, check references and ensure the firm you select has experience in the field you are in.
Updated SOC 2 Guidance
On December 15, 2018, new SOC 2 guidance went into effect and all reports following that date must include the updated criteria. See our previous blog post related to the latest SOC 2 criteria update.
How Do I Become SOC 2 Compliant?
SOC 2 compliance does not have to be difficult. If you have questions about SOC 1 reports and compliance, see our article, What is a SOC 1 Report? Expert Advice You Need to Know.
This article was originally published on 11/22/2017, and updated on 4/13/2020.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.