With the proliferation of data breaches and hacks that occur today, it’s no wonder there is a greater focus on information security. SOC 2 reports are general use reports that provide assurance to user organizations and stakeholders that a particular service is being provided securely. A SOC 2 can also include criteria related to Availability, Confidentiality, Processing Integrity, and Privacy.
In this article, we will cover some common questions that come up related to SOC 2 reports. SOC 2 compliance does not have to be difficult, although some of the terminology can be confusing at first. So what are SOC 2 reports and examinations? Let’s dive in!
What is SOC 2 Certification?
A SOC 2 is not a certification, but it’s commonly referred to as one. A clean report opinion indicates that the auditor firm agrees with management’s assertion related to control design (Type I and Type II) and operation (Type II only). A clean report is a “pass” and is sometimes referred to as a certification. In many cases, the opinion is positive and the CPA firm agrees with management’s assertion. In some cases, the CPA firm does not agree with management’s assertion and provides a qualified or adverse opinion. See this past blog post on qualified opinions. Although a SOC 2 is technically an attestation report, it’s very common for people to call a SOC 2 a certification. See the AICPA page related to attestation reports for more information.
What is a SOC 2 Report?
A SOC 2 report is a report that service organizations receive and share with stakeholders to demonstrate that general IT controls are in place to secure the service provided. SOC 2s differ from some other information security standards and frameworks because there is not a comprehensive list of “thou shalt” requirements. Instead, the AICPA provides general criteria that can be selected by a service organization to demonstrate they have controls in place to mitigate risks to the service they provide.
This can be a bit annoying for some first-time clients since there isn’t one right answer for how to address the applicable criteria. Instead, a good auditor’s job is to identify what their clients are already doing to meet the applicable criteria. In some cases, there are gaps and clients must implement new controls. In other cases, existing controls need to be tweaked slightly to better address the criteria. Our goal is for our clients to meet the selected criteria while creating as little impact and additional overhead as possible when remediating controls.
What is SOC 2 Compliance? The Trust Services Criteria (TSC)
Trust Services Criteria (TSC) are the domains or scope covered in a SOC 2 report. Not all TSCs are required. In fact, only the common criteria are required (also referred to as the Security TSC). Other TSCs should be added to a report to answer common risk-related questions received from clients or to address risks facing the company and its unique service offering. For example, if the availability of healthcare data is extremely important to a service offering, then the availability criteria may be included in the SOC 2 report in addition to the security criteria.
We have had prospective clients say they wanted all of the TSCs included within their SOC 2 report because they wanted it to be the strongest report possible. While the logic makes sense, not all TSCs may apply to a particular client’s service. For example, if your company does not process transactions, processing integrity is probably not applicable.
We have heard of firms including TSCs when they are not applicable within a report and then explaining why they are not applicable within the report. That’s not advised. Your best bet is to select criteria that are applicable to your services and answer the risk-related questions you hear most from your clients and prospective clients.
The Trust Services Criteria are noted below:
- Security – The system is protected against unauthorized access (both physical and logical). Examples of commonly reviewed SOC 2 security controls relate to restricting logical access within the environment to authorized individuals. Other examples are security configurations such as password complexity, MFA, and branch protection rules.
- Availability – The system is available for operation and use as committed or agreed. The availability criteria require that a company document a DR and BCP plan and procedures. In addition, they require backups and recovery tests to be performed.
- Confidentiality – Information that is designated “confidential” is protected according to policy or agreement. In many cases, this covers business-to-business relationships and sharing of PII or sensitive data from one business to another.
- Processing Integrity – System processing is complete, accurate, and authorized. Processing integrity may be relevant to companies that process transactions such as payments, or where errors made by your company, such as flawed calculations or processing, could impact your clients’ financials or significant processes. If processing integrity is relevant and included in a SOC 2 report, the auditor will review evidence that processing is complete and accurate and that errors related to processing are identified and corrected.
- Privacy – The privacy criteria should be considered when “personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.” It’s important to note that the privacy criteria apply to personal information. This differs from the confidentiality criteria which applies to other types of sensitive information.
Privacy Versus Confidentiality Criteria
There are numerous flavors of privacy requirements in place throughout the world. Some, such as GDPR and CCPA, apply to all citizens in a particular area and give protections to all citizens in that area. Currently, privacy requirements in the United States follow a sectoral approach, where laws apply to industries or types of data rather than a standard approach for all citizens.
The AICPA’s privacy criteria are applicable only if your company deals directly with data subjects and collects data such as PII from those data subjects as part of the service.
The collection of email addresses and contacts for marketing purposes by companies is not typically enough to warrant the inclusion of the privacy criteria. In many cases, a company is entrusted with PII or sensitive data by another company that is actually doing the data collection. The AICPA considers this confidentiality (B2B data sharing). If your company collects data directly from consumers, the privacy criteria may be relevant. Processing integrity, where relevant, is unique to each company because no two companies process their transactions in exactly the same manner.
What Does SOC 2 Stand For?
A SOC 2 is a System and Organization Controls 2 report. There are three types of SOC reports. See the AICPA website comparing the reports. Some companies struggle with the differences between SOC reports and whether they should get a SOC 1, SOC 2, or SOC 3. We start by asking prospective clients about the type of clients and stakeholders asking for the report, as well as the type of services provided to clients. This allows us to assess whether the prospective client may impact the internal controls over financial reporting (ICFR) of its user organizations.
If a service organization can impact the ICFR of its user organizations, a SOC 1 report may be the best report option. If a service organization cannot impact its user organizations’ ICFR, but they can impact the security, availability, processing integrity, confidentiality, or privacy of their user organizations, then a SOC 2 may be the best report for the service organization’s clients.
Why is SOC 2 Important?
SOC 2 compliance demonstrates that your company has adequate controls in place governing information security in your environment. A SOC 2 is stronger than giving your word that you are compliant since it’s an independent audit performed by a third-party CPA firm.
Understanding SOC 2 Report Structure
The SOC 2 report structure is similar to a SOC 1 report structure, which we outlined in our SOC 1 article, and consists of:
- Other Information
- The Opinion Letter
- Management’s Assertion
- Description of the System
- Description of Tests of Controls and Results of Testing
What Are the Benefits of SOC 2 Compliance?
- Differentiate yourself from your competitors
- Identify controls relevant to your clients and test those controls to validate the controls design and operation
- Develop more controlled and consistent processes
- In some cases you can’t enter a particular market without a SOC 2. For example, if you are selling to financial institutions, they will almost certainly require a Type II SOC 2 report.
Who Needs a SOC 2 Report?
Typically, service organizations that process or store sensitive data for their clients receive SOC 2 reports. Many SaaS companies, data centers, and managed service providers receive SOC 2 reports. The SOC 2 has been widely accepted as a U.S. standard for information security. As a result, some non-traditional service providers are receiving SOC 2s. For example, law firms, consultancies, and cryptocurrency services are starting to receive SOC 2 reports more frequently. The SOC 2 is a way to demonstrate to your clients that you have a base-level set of information security controls in place in your environment.
What is the Purpose of a SOC 2 Report?
The trend towards cloud computing and outsourcing in general has fueled the need for SOC 2 reports in the U.S. SOC 2 reports allow a service organization to provide assurance to its stakeholders that the service is being provided in a secure and reliable manner. Think of a data center company that provides services to hundreds of clients across a variety of industries. The data center could receive a SOC 2 report to provide assurance to its stakeholders that certain controls are in place and were operating effectively to meet applicable SOC 2 criteria. Without the SOC 2 report, the same data center may open itself up to hundreds of audits from its clients. The data center’s staff and resources may not be able to support multiple client audits. The data center “picks its poison,” so to speak, and selects its own auditor rather than opening itself up to hundreds of potential audits. This is the purpose of receiving a SOC 2 report.
SOC 2 Report Example
Many companies outsource IT infrastructure to service organizations such as data centers and cloud hosting providers (e.g., Amazon’s AWS). What do these service organizations do to prove to clients and stakeholders that they are adequately protecting their servers and sensitive data? Service organizations receive SOC 2 reports to demonstrate they have certain controls in place to mitigate security, availability, confidentiality, processing integrity, or privacy risks. A SOC 2 report will include a CPA firm’s opinion on control design and, potentially, operating effectiveness over a period of time.
Using AWS as an example, many companies use AWS and request assurance from AWS that there are controls in place to mitigate the risk of AWS’ systems and data being compromised. AWS could attempt to provide different answers to every single client that asks security-related questions, but that would take too much time. Instead, AWS has selected an independent CPA firm to perform a SOC 2 examination (among many other AWS compliance exams). Then, rather than respond to all the questions regarding AWS’ security posture, AWS provides its SOC 2 report, which answers many of the common questions asked by its user organizations related to security, availability, confidentiality, processing integrity, and privacy.
Learn more in our article, Leveraging the AWS SOC 2: How to Build a SOC 2 Compliant SaaS.
What about Automated SOC 2 Compliance Tools?
There is no one-size-fits-all approach to information security. A thorough risk analysis needs to be performed to identify any unique risks related to a given service and to identify the controls that are in place to mitigate those risks.
That said, if your company uses a standard set of cloud tools such as AWS, Azure, Google Cloud Platform, GitHub, or GSuite, it’s possible to integrate many of those tools with a SOC 2 automation platform and give your auditor visibility into the operation of some key controls in your environment. Some of these tools continuously monitor controls’ operations that are relevant to the SOC 2 report and alert users of the tool when issues arise related to control activities.
There are risks related to the use of such tools. One example is that the auditor may over-rely on the tool without an adequate understanding of the information it represents. A good auditor needs to understand how the tool’s queries or continuous checks work in order to place reliance on them during testing.
Examples of workstation controls that are monitored by SOC 2 compliance automation tools include hard drive encryption, operating system level, antivirus installation status, and whether screensaver lockout is enabled.
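To make concrete what such a tool actually queries for the four workstation controls listed above (and therefore what an auditor should be able to read and understand before relying on it), here is an added example collector for a Windows 10/11 endpoint. It is not code from the article or from any compliance automation vendor; the thresholds ($MaxLockSeconds, $MinBuild) are assumed policy values, and the BitLocker query needs an elevated session.

```powershell
# Added example (not from the article or any vendor tool): gather the four
# workstation control data points on a Windows 10/11 endpoint and emit an
# evidence record. Threshold values are assumptions chosen for illustration.
# Run from an elevated PowerShell session (Get-BitLockerVolume requires it).

$MaxLockSeconds = 900      # assumed policy: screen must lock within 15 minutes
$MinBuild       = 19045    # assumed minimum supported OS build number

$results = [ordered]@{}

# 1. Hard drive encryption: system drive fully encrypted with protection on.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['DiskEncryption'] = ($bl.ProtectionStatus -eq 'On' -and
                              $bl.VolumeStatus -eq 'FullyEncrypted')

# 2. Operating system level: build number at or above the assumed baseline.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['OsLevel'] = ([int]$os.BuildNumber -ge $MinBuild)

# 3. Antivirus installation status, as registered with Windows Security Center
#    (root/SecurityCenter2 exists on client SKUs, not on Windows Server).
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct
$results['AntivirusInstalled'] = (@($av).Count -gt 0)

# 4. Screensaver lockout: active, password-protected, and within the timeout.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$results['ScreenLock'] = ($desk.ScreenSaveActive -eq '1' -and
                          $desk.ScreenSaverIsSecure -eq '1' -and
                          [int]$desk.ScreenSaveTimeOut -le $MaxLockSeconds)

# Evidence record: each boolean traces back to the exact query above, which is
# what a reviewer needs in order to place reliance on a tool's result.
[pscustomobject]@{
    Hostname  = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
    Controls  = $results
    Compliant = -not ($results.Values -contains $false)
} | ConvertTo-Json -Depth 3
```

Because the screensaver values live under HKCU, the record reflects the user running the script; a tool that checks machine-wide policy would read the corresponding policy keys instead.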
Other Common Questions About SOC 2 Reports
Is There a SOC 2 Checklist or Shortcut?
There is no checklist, but the AICPA’s SOC 2 criteria can be obtained and reviewed. So how do you get it? You can buy it from the AICPA or contact us for a consultation. The criteria contain requirements related to each of the TSCs outlined above. The requirements may be met in a variety of ways, so there is no one-size-fits-all checklist for SOC 2 compliance. It depends on the services provided by a service organization. The SOC 2 criteria also went through a recent update. See our blog post on the updated SOC 2 criteria, which now more closely align with COSO.
What is a SOC 2 Type 2 Report?
Type I SOC 2 reports are dated as of a particular date and are sometimes referred to as point-in-time reports. A Type I SOC 2 report includes a description of a service organization’s system and a test of the design of the service organization’s relevant controls, but it does not test their operating effectiveness.
Type II SOC 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test the design and operating effectiveness of key internal controls over a period of time.
How Much Does a SOC 2 Report Cost?
SOC 2 examinations are not cheap and fees depend on a number of factors. Factors include the scope of services included within the report, the TSCs included, the size of the organization, and the number of in-scope systems and processes.
For example, if a company has 3 different patch management processes to ensure servers and workstations stay up-to-date, the auditor will need to gain assurance that each of those processes is designed to operate effectively. Learn more in our article, How Much Does A SOC Audit Cost?
Who Can Perform a SOC 2 Audit?
Licensed CPA firms that specialize in information security audits are the only organizations that should perform SOC 2 examinations. There are some companies that perform SOC 2 audits and have a CPA firm sign off on their report even though the CPA firm did not perform the audit. We recommend staying away from that approach. We also recommend selecting a firm that has experienced IT auditors, not only financial audit CPAs. When selecting a firm to perform a SOC 2, we recommend asking for the resumes or bios of the auditors who will complete the work. Then, ensure the firm you select has auditors with the appropriate skills and expertise. Certifications such as CISA or CISSP are good to look for. Also, check references and ensure the firm you select has experience in your field.
Updated SOC 2 Guidance
On December 15, 2018, new SOC 2 guidance went into effect and all reports following that date must include the updated SOC 2 criteria.
How Do I Become SOC 2 Compliant?
SOC 2 compliance does not have to be difficult. If you have questions about SOC 1 audits and compliance, see our article, What is a SOC 1 Report? Expert Advice You Need to Know.
This article was originally published on 11/22/2017, and updated on 2/8/2022.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.