With the proliferation of data breaches and hacks that occur today, it’s no wonder there is a greater focus on information security. SOC 2 reports are general use reports that provide assurance to user organizations and stakeholders that a particular service is being provided securely. A SOC 2 can also include criteria related to Availability, Confidentiality, Processing Integrity, and Privacy.
In this article, we will cover some common questions that come up related to SOC 2 reports. SOC 2 compliance does not have to be difficult, although some of the terminology can initially be confusing. So what are SOC 2 reports and examinations? Let’s dive in!
What is SOC 2? What Does it Stand For?
A SOC 2 is a System and Organization Control 2 report. There are three types of SOC reports. See the AICPA website comparing the reports. Some companies struggle with the differences between SOC 1 and SOC 2 reports, and with whether they should get a SOC 1, SOC 2, or SOC 3. We start by asking prospective clients about the type of clients and stakeholders asking for the report as well as the type of services provided to those clients. This allows us to assess whether the prospective client may impact the internal controls over financial reporting (ICFR) of its user organizations.
If a service organization can impact the ICFR of its user organizations, a SOC 1 report may be the best report option. If a service organization cannot impact its user organizations’ ICFR, but it can impact the security, availability, processing integrity, confidentiality, or privacy of its user organizations, then a SOC 2 may be the best report for the service organization’s clients.
Why is SOC 2 Important?
SOC 2 compliance demonstrates that your company has adequate controls in place governing information security in your environment. A SOC 2 is stronger than giving your word that you are compliant since it’s an independent audit performed by a third-party CPA firm.
What is SOC 2 Certification?
Although a SOC 2 is technically an attestation report, it’s very common for people to call a SOC 2 a certification. See the AICPA page related to attestation reports for more information, as well as this past blog post on qualified opinions.
What is a SOC 2 Report?
A SOC 2 report is a report that service organizations receive and share with stakeholders to demonstrate that general IT controls are in place to secure the service provided. SOC 2s differ from some other information security standards and frameworks because there is not a comprehensive list of “thou shalt” requirements. Instead, the AICPA provides criteria that may be selected by a service organization for inclusion in their SOC 2 report to demonstrate they have controls in place and operating effectively to mitigate risks to the service they provide.
Understanding SOC 2 Report Structure
The SOC 2 report structure is similar to a SOC 1 report structure, which we outlined in our article What is a SOC 1 Report?, and consists of:
Description of Tests of Controls and Results of Testing
What is SOC 2 Compliance? Understanding the Trust Services Criteria (TSCs)
Trust Services Criteria (TSC) are the domains or scope covered in a SOC 2 report. Not all TSCs are required. In fact, only the common criteria are required (also referred to as the Security TSC). Other TSCs should be added to a report to answer common risk-related questions received from clients or to address risks facing the company and its unique service offering. For example, if the availability of healthcare data is extremely important to a service offering, then the availability criteria may be included in the SOC 2 report in addition to the security criteria.
We have had prospective clients say they wanted all of the TSCs included within their SOC 2 report because they wanted it to be the strongest report possible. While the logic makes sense, not all TSCs may apply to a particular client’s service. For example, if your company does not process transactions, processing integrity is probably not applicable.
We have heard of firms including TSCs when they are not applicable within a report and then explaining why they are not applicable within the report. That’s not advised. Your best bet is to select criteria that are applicable to your services and answer the risk-related questions you hear most from your clients and prospective clients.
The Trust Services Criteria are noted below:
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Confidentiality – Information that is designated “confidential” is protected according to policy or agreement.
- Processing Integrity – System processing is complete, accurate, and authorized.
- Privacy – The privacy criteria should be considered when “personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.”
What Are the Benefits of SOC 2 Compliance?
- Differentiate yourself from your competitors
- Identify controls relevant to your clients and test those controls to validate their design and operation
- Develop more controlled and consistent processes
- In some cases, you can’t enter a particular market without a SOC 2. For example, if you are selling to financial institutions, they will almost certainly require a Type II SOC 2 report.
Who Needs a SOC 2 Report?
Typically, service organizations that process or store sensitive data for their clients receive SOC 2 reports. Many SaaS companies, data centers, and managed service providers receive SOC 2 reports. SOC 2 has been widely accepted as a U.S. standard for information security. As a result, some non-traditional service providers are receiving SOC 2s. For example, law firms, consultancies, and cryptocurrency services are starting to receive SOC 2 reports.
What is the Purpose of a SOC 2 Report?
The trend towards cloud computing and outsourcing in general has fueled the need for SOC 2 reports in the U.S. These reports allow a service organization to provide assurance to its stakeholders that the service is being provided in a secure and reliable manner.
Learn more in our article, Leveraging the AWS SOC 2: How to Build a SOC 2 Compliant SaaS.
Other Common Questions About SOC 2 Reports
The following are a couple of questions that we hear often related to SOC 2 reports.
Is There a SOC 2 Checklist or Shortcut?
There is no checklist, but the AICPA’s SOC 2 criteria can be obtained and reviewed. So how do you get it? You can buy it from the AICPA or contact us for a consultation. The criteria contain requirements related to each of the TSCs outlined above. The requirements may be met in a variety of ways, so there is no one-size-fits-all checklist for SOC 2 compliance; what is needed depends on the services provided by the service organization. The SOC 2 criteria also went through a recent update.
What is a SOC 2 Type 2 Report?
Type I SOC 2 reports are dated as of a particular date and are sometimes referred to as point-in-time reports. A Type I SOC 2 report includes a description of a service organization’s system and a test of the design of the service organization’s relevant controls. A Type I SOC 2 tests the design of a service organization’s controls, but not the operating effectiveness.
Type II SOC 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test the design and operating effectiveness of key internal controls over a period of time.
How Much Does a SOC 2 Report Cost?
SOC 2 examinations are not cheap and fees depend on a number of factors. Factors include the scope of services included within the report, the TSCs included, the size of the organization, and the number of in-scope systems and processes.
For example, if a company has 3 different patch management processes to ensure servers and workstations stay up-to-date, the auditor will need to gain assurance that each of those processes is designed to operate effectively. Learn more in our article, How Much Does A SOC Audit Cost?
Who Can Perform a SOC 2 Audit?
Licensed CPA firms that specialize in information security audits are the only organizations that should perform SOC 2 examinations. See our article “Who Can Perform a SOC Audit?” to learn more.
How Do I Become SOC 2 Compliant?
SOC 2 compliance does not have to be difficult. If you have questions on which TSCs to include in your SOC 2 or what the process for receiving a SOC 1 audit or SOC 2 audit entails, please contact us to request a consultation.
This article was originally published on 11/22/2017 and was updated on 11/23/2022.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.