This article is a follow-up to a previous article, “What is a SOC 1 Report?” Below I will cover some common questions that come up related to SOC 2 reports. SOC 2 compliance does not have to be difficult, although some of the terminology can initially be confusing.
So what are SOC 2 reports and examinations? Let’s dive in!
What is SOC 2 Certification?
While there is no such thing as a SOC 2 certification, many still refer to it as one. One of our clients recently received a request from a prospective client asking whether they were a SOC 2 certified data center. Our client, being more savvy than most, said, “We don’t have a SOC 2 certification. We have a SOC 2 attestation.” Our client’s prospect, or user organization in SOC language, wanted to jump on a call to discuss.
The prospect was considering backing out of the deal because our client was not SOC 2 “certified.” We jumped on the call and told our client’s prospect that our client did in fact have a SOC 2 report, but they were not SOC 2 “certified.” The prospect then said, “oh, so you are SOC 2 certified” and the deal moved forward. I chuckled afterwards with our client because some people hear what they want to hear and that’s about it.
What is a SOC 2 Report?
SOC 2 reports are actually attestation reports. What is an attestation report? For a SOC 2 attestation, management of a service organization attests that certain controls are in place to meet some or all of the AICPA’s SOC 2 Trust Services Criteria (TSC). Management also selects which of the five TSCs best address the risk of the services provided by the service organization.
See the AICPA page related to attestation reports for more information.
When a service organization completes a SOC 2 report, the report will contain an opinion from a CPA firm that states whether the CPA firm agrees with management’s assertion that the appropriate controls are in place to address the selected TSCs. In some cases, the opinion is unmodified and the CPA firm agrees with management’s assertion. In other cases, the CPA firm does not agree with management’s assertion and provides a qualified or adverse opinion. See our past blog post on qualified opinions.
So the next time someone asks whether you have a SOC 2 certification, you can sound really smart and respond that there is no such thing; it’s actually an attestation. You may find you just sound nerdy, though.
What Does SOC 2 Stand For?
System and Organization Controls 2 report. There are three types of SOC reports. See the AICPA whitepaper comparing the reports. We have prospective clients that struggle with whether they should get a SOC 1, SOC 2, or SOC 3 report. We normally start by asking these prospective clients about the type of user organizations asking for the report as well as the type of services they provide to their clients. This allows us to assess whether the prospective client may impact the internal controls over financial reporting (ICFR) of its user organizations. If a service organization can impact the ICFR of its user organizations, a SOC 1 report may be the best report. If a service organization cannot impact its user organizations’ ICFR, but it can impact the security, availability, processing integrity, confidentiality, or privacy of its user organizations, then a SOC 2 may be the best report for the service organization’s clients.
SOC 2 Report Structure: The SOC 2 report structure is similar to a SOC 1 report structure which we outlined in the recent SOC 1 article.
Who Needs a SOC 2 Report?
Service organizations that provide services to user organizations but do not materially impact those user organizations’ ICFR need a SOC 2 report. Example – Many companies have been outsourcing their IT infrastructure to service organizations, such as data centers and cloud hosting providers (e.g., Amazon’s AWS). Rather than purchase, install, manage, and maintain IT infrastructure, user organizations leave it to an expert in the field and focus on providing their primary service. Makes sense, right? So what do these user organizations do to ensure that their cloud hosting provider is adequately protecting their servers and sensitive data? They will ask for some assurance that the service organization has certain controls in place that are designed and operating effectively. That’s where a SOC 2 report comes in.
Using AWS as an example, many companies will request assurance from AWS that it has certain controls in place to mitigate the risk of their systems and data being compromised. AWS could provide that assurance to every single client that asks for it, but that would take too much time, and it would be responding to those requests all the time. Instead, AWS “picks its poison,” so to speak, and selects an independent auditor to perform a number of security and compliance examinations, which include a SOC 2. Then, rather than respond to all the one-off requests to prove its security posture, AWS just provides its SOC 2 report, which should answer many of the common questions asked by its user organizations related to security, availability, confidentiality, processing integrity, and privacy.
What is SOC 2 Compliance? The Trust Services Criteria (TSC)
A service organization should choose the SOC 2 TSCs that mitigate the risks arising from its user organizations’ use of the service organization’s services. At a minimum, SOC 2 reports must include the Security (Common) Criteria. The other TSCs can be added depending on the needs of user organizations.
The Trust Services Criteria are noted below:
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, and authorized.
- Confidentiality – Information that is designated “confidential” is protected according to policy or agreement.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA.
Is There a SOC 2 Checklist?
There is no checklist, but the AICPA’s SOC 2 criteria can be obtained and reviewed. So how do you get them? You can buy them from the AICPA or contact us for a consultation. The criteria contain requirements related to each of the TSCs outlined above. The requirements may be met in a variety of ways, so there is no one-size-fits-all checklist for SOC 2 compliance; what is needed depends on the services provided by a service organization. The SOC 2 criteria are also going through an update. See our blog post on the updated SOC 2 criteria, which now more closely align with COSO.
Type 1 or Type 2 Report
SOC 2 reports can be Type 1 (aka Type I) or Type 2 (aka Type II) reports. Type 1 reports are as of a particular date (sometimes referred to as point-in-time reports) and include a description of the service organization’s system as well as tests to help determine whether the service organization’s controls are designed appropriately. Type 1 reports test the design of a service organization’s controls, but not their operating effectiveness. Type 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test both the design and the operating effectiveness of key internal controls over that period.
How Much Does it Cost?
SOC examinations are not cheap, but cost depends on the scope of services included within the report, the TSCs included, the size of the organization, and the number of in-scope systems and processes. For example, if you have three different patch management processes to ensure your servers and workstations stay up to date, the auditor will need to gain assurance that each of those processes is designed and operating effectively. Select a firm that is qualified to do the work.
Choose a firm that has IT audit and information security experience, ask the firm to identify which of its staff will be completing the audit, and double-check their backgrounds before engaging. Also, check references and ensure the firm you select has experience in your field.