SOC 2 engagements use the TSC as well as the requirements and guidance in AT Section 101, Attest Engagements, of the SSAEs (AICPA, Professional Standards, vol. 1). A SOC 2 report is similar to a SOC 1 report. Either a type 1 or a type 2 report may be issued, and the report provides a description of the service organization's system. A type 2 report also includes a description of the tests performed by the service auditor and the results of those tests.
What is a SOC 2® Report?
A SOC 2 is a report on controls at a service organization (SO) relevant to security, availability, processing integrity, confidentiality, and privacy, in alignment with the AICPA Trust Services Criteria (TSC). While a SOC 1 report addresses a service organization's impact on its user entities' financial transactions, a SOC 2 report addresses the risks arising from interactions with service organizations and their systems.
The report is intended to meet the needs of a broad range of users that require information and assurance about the SO’s controls as they relate to:
- The security, availability, and processing integrity of the systems used by the SO to process users’ data,
- The confidentiality and privacy of the information processed by these systems.
Below are a few examples of companies that may need a SOC 2 Report:
- Providing medical providers, employers, and third-party administrators and insured parties of employers with systems that enable medical records and related health insurance claims to be processed accurately, securely, and confidentially
- Managing, operating, and maintaining user entities’ IT data centers, infrastructure, and application systems and related functions that support IT activities, such as network, production, security, and environmental control activities
- Managing access to networks and computing systems for user entities (for example, granting access to a system and preventing, detecting, and mitigating system intrusion)
As with the SOC 1 report, there are two report types for this engagement – type 1 and type 2.
Use of SOC 2 reports is generally restricted to those who have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide those services.
How to Prepare for a SOC 2 Audit
There are four major steps you should follow to prepare for a SOC 2 audit. (You can even start the first one today.)
1. Find a reputable CPA firm.
“Wait a minute. I thought SOC 2 focused on information security. Why are you telling me to find a CPA firm?” Great question. The AICPA (American Institute of Certified Public Accountants) developed the SOC 2 framework, so your auditor will have to be a CPA firm to issue a SOC 2 report. Technically, any CPA firm can issue one. But, not any CPA firm can do it the right way. Because SOC 2 focuses specifically on security, you want a firm that understands security and the ins and outs of the AICPA guidance. So, in this case, a “reputable” CPA firm should meet as many of these qualifications as possible:
- You have a trusted relationship with them.
- They have a large information security practice.
- They demonstrate information security thought leadership by regularly creating content around relevant information security topics.
- They have the AICPA’s Cybersecurity Advisory Services Certificate.
- They have extensive experience with SOC 2 reporting.
2. Work with the firm to develop a deeper understanding of SOC 2.
Security
Official text
“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”
Translation
Are information and systems appropriately secured? This requirement is included in every SOC 2 assessment and is not optional.
Availability
Official text
“Information and systems are available for operation and use to meet the entity’s objectives.”
Translation
Are information and systems appropriately available for use?
Processing Integrity
Official text
“System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”
Translation
Is information processed appropriately by your systems?
Confidentiality
Official text
“Information designated as confidential is protected to meet the entity’s objectives.”
Translation
Is confidential information adequately protected?
Privacy
Official text
“Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.”
Translation
Is personal information adequately protected? It is common to confuse the privacy and confidentiality criteria. The difference between the two is that privacy controls protect personal information (name, Social Security number, address, etc.), while confidentiality controls protect non-personal information and data that is nonetheless classified as “confidential.”
The most important thing to know is this: the criteria you’re assessed against should make sense according to the services you provide. At the end of the day, the CPA firm must provide an opinion on the effectiveness of the controls suited to the operational environment. So, they should verify that the criteria they’re assessing you against make sense according to the services you provide.
3. Perform a full readiness assessment with the firm you select.
During this process, the firm will educate you on the requirements of all the framework’s criteria and help you understand any control gaps your organization has related to those criteria and their points of focus. A point of focus (POF) supports a criterion by offering considerations and guidance. POFs are not requirements; rather, they serve as clarifications of the criteria and assist an organization as it creates controls. The firm will work with you to help you understand the controls you’ll need to implement to receive a favorable report.
It’s important to know that your organization must create the controls. While the CPA firm can provide guidance around the types of controls you’ll need, they can’t create any controls for you. The end result of the readiness assessment is essentially a report that says something to the effect of: “Here are the controls that would be in your SOC 2 report. Here is how they map back to each criterion relevant to your business. And, here is where you have gaps that need remediation.”
Note: If this is your first SOC 2 assessment, you will almost definitely have a fair amount of control gaps and areas to remediate.
4. Engage the CPA firm for a complete SOC 2 audit.
Remember how there are multiple types of SOC audits? Well, to further complicate things, there are also multiple types of SOC 2 audits. Here they are:
- SOC 2, Type I: This type of SOC 2 reports on the design effectiveness of controls at a specific point in time.
- SOC 2, Type II: This type of SOC 2 reports on both the design and operating effectiveness of a controlled environment over a period of time (minimum of 6 months and usually up to 9 months to a full year). A Type I audit is generally used as a stepping-stone to a Type II audit.
So, what does the audit process actually look like? It varies by firm, but there are a few things you can count on.
There’s going to be an on-site visit. Someone from the CPA firm (the assessor) will visit your facility to review evidence for the controls you’ve implemented to meet the requirements of the trust services criteria applicable to your organization. This generally occurs toward the end of the assessment period. So, if your assessment period ends in December, the on-site visit will likely occur during November and/or December. The assessing firm will perform testing that covers the entirety of the reporting period to ensure your controls have been operating effectively the whole time. So, while they may only be on-site toward the end of the audit period, their testing will cover the entire audit period (if you’re receiving a SOC 2, Type II report). During this on-site visit, their goal is to test the controls you have defined and make sure they effectively address the requirements and criteria of the SOC 2 framework.
Management will need to present an accurate description of controls. Remember—the CPA firm is not responsible for helping you implement controls—only assessing them. Therefore, in the report, your company’s management is responsible for presenting an accurate description of the control environment.
The CPA firm will issue a report after your report period’s end date. This is important. Regardless of when your assessment is completed, you won’t receive your report until after the assessment period’s end date (generally 45 – 60 days). In this report, the CPA firm issues its opinion on the design (SOC 2, Type I) or design and operating effectiveness (SOC 2, Type II) of your organization’s control environment.
Other Things You Should Know About Your SOC 2 Audit
Here are some of the other things you should know before getting into your audit.
- Compliance is not quick. It takes a lot of time and effort. Resist the urge to view it as a short-term project. Take a long-term approach. Achieving SOC 2 compliance will improve your organization’s security and help you become a better steward of customer data. The requirement for strong information security controls isn’t going anywhere. Play the long game. Build a strong foundation that will help you for years to come.
- Be completely honest during the readiness assessment. Sometimes, organizations going through the readiness process don’t tell the whole truth. Or, the CPA firm doesn’t do enough to confirm that the control would actually work. So, be completely honest with the CPA firm—because if they know there’s a gap, they can help you understand how to fix it. But, if they don’t know there’s a gap—you’ll be in for an unpleasant surprise when it’s time for your real audit.
- Exceptions are not the end of the world. An exception communicates: “Yes, there were issues here. But, overall, the company is still meeting the overall objective of the framework, etc.” …or something along those lines. Exceptions are not the end of the world, and they should not be viewed as such. It’s very rare for a report to have no exceptions at all. Do what you can to avoid them, but don’t view them as the sky caving in on your business. What you really want to avoid are these:
  - Qualified Opinion, which effectively says, “Everything looks good, except for (insert large area of control gaps).”
  - Adverse Opinion, which effectively says, “This company isn’t doing what they’re supposed to be doing. Buyer beware.”
- Policies are simple. Implementation is hard. It’s easy to write a policy, but it’s hard to actually implement those policies and make sure the processes are followed. While paperwork is a good place to start, make sure your controls exist in real life, not just on the page.
- Self-monitoring is valuable. Self-monitoring is when you test your own controls. The goal is to ensure that, when the assessor performs testing, you won’t be surprised by the results. This is a challenging process, but it can give you a great indication of how your control environment is functioning before the assessor comes in.
- If your control environment changes, understand what those changes are, and make sure your CPA firm understands that, too. For example: If you know there are certain old systems that will be replaced before the end of your audit period, alert your CPA firm, so they can audit those systems before they’re gone forever.