Understanding SOC 2 Audits
System and Organization Controls (SOC) 2 examinations or “SOC 2 audits” are relevant for software companies and service organizations that support critical business processes or store or process customer information. Below is an overview of the SOC 2 audit process along with answers to commonly asked questions.
Who Needs a SOC 2 Audit?
Although SOC 2 audits are not legally required, companies that provide software or services to enterprise customers, collect sensitive customer information, or who are in highly regulated industries often find that a SOC 2 audit is necessary to be marketable to prospective customers. A SOC 2 report from a reputable firm builds trust and confidence with customers, serving as a market differentiator for companies seeking to appeal to a broad range of high value customers.
Enterprise SaaS, FinTech, HealthTech, EdTech, and Artificial Intelligence companies, as well as security operations centers, hosting providers, and data centers are common candidates for a SOC 2 audit. Other signs that your company should consider a SOC 2 audit include: frequent requests to complete vendor security questionnaires; customer agreements that reference SOC 2, SSAE 18, or SSAE 16; difficulty navigating customer vendor management requirements; direct customer requests; or applicability of other security frameworks.
What is a SOC 2 Audit?
The SOC 2 audit process was created to decrease the audit burden on service providers by establishing a standardized report that can be issued to end users. The SOC 2 audit process is based on guidance from the American Institute of Certified Public Accountants (AICPA) and is tailored to your company based on industry, company size, and IT architecture.
SOC 2 audits focus on the technical details of the software or service you provide to customers and on the information technology controls in place to support the security and availability of the platform, underlying infrastructure, and supporting systems, and the security and confidentiality of data. Unlike SOC 1 audits, which include an assessment of financial controls and processes, SOC 2 audits are more technical in nature and exclusively address security, availability, integrity, privacy, and confidentiality.
SOC 2 reports cover one or more Trust Services Categories defined by the American Institute of Certified Public Accountants (AICPA) – security, availability, processing integrity, confidentiality, and privacy. SOC 2 examinations always include security, while availability, processing integrity, confidentiality, and privacy can be added separately based on the specific software or services provided and the expectations of your customers. Our Risk Assurance & Advisory Team can also help you identify the categories that make the most sense for your organization. Trust Services Categories include:
- Security: Protection of information and systems against unauthorized access; disclosure of information; compromise of availability, integrity, confidentiality, or privacy; or other risks impacting the ability to support customers and meet company objectives
- Availability: Accessibility of information and systems in accordance with customer contracts and service level agreements
- Processing Integrity: Complete, accurate, timely, and authorized system processing
- Confidentiality: Protection of confidential information in accordance with laws and customer requirements
- Privacy: Collection, use, retention, disclosure, and disposal of personal information in accordance with privacy policies, laws, and customer requirements
Providing evidence of regular SOC 2 audits tells your customers that their sensitive information is secured in accordance with up-to-date information security standards. Upon successful completion of a SOC 2 audit, companies can easily obtain a SOC 3 report to more broadly communicate their focus on security.
The SOC 2 Audit Process
Since a SOC 2 report filled with control deficiencies and failures does more harm than good, the SOC 2 audit process usually starts with a SOC 2 Readiness Assessment to evaluate how prepared your company is to undergo a SOC 2 audit. The SOC 2 Readiness Assessment provides an avenue to compare your company’s current policies, procedures, and controls against SOC 2 requirements and to implement internal controls specifically designed to meet SOC requirements without being overly burdensome or time-consuming. Assessments generally take two weeks and include discussions with relevant team members, review of internal operations, and observation of system configurations.
Each Trust Services Category includes a list of Criteria that must be addressed to meet SOC 2 requirements. For example, change management is addressed in the security category through criterion 8.1, which requires that “the entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.” To determine whether your organization adheres to the criteria, the SOC 2 audit process involves discussions with various team members, observation of security-related processes and procedures, and testing of the control activities in place to support customers and protect their information.
Our team members are well-versed in the lengthy SOC 2 requirements and create a streamlined audit approach customized to each organization. Evidence collection and collaboration software and a streamlined reporting process reduce wasted time in the process – allowing our team and yours to focus on the activities that actually matter.
The Difference Between SOC 2 Type 1 and SOC 2 Type 2 Reports
The difference between a Type 1 and Type 2 report generally comes down to the time frame and extent of testing.
SOC 2 Type 1 reports are limited to tests of design (commonly known as a ‘test of one’) as of a specified date and are typically performed as the first SOC report. Issuing a Type 1 report first is not required but is often advisable, as it allows companies to issue SOC reports to their customers or prospects faster and serves as an effective ‘trial run’ prior to completing a Type 2 audit. This report details the design of your organization’s controls and confirms that applicable processes, procedures, and controls are implemented as of a certain date. SOC 2 Type 1 reports do not include tests of operating effectiveness, only of the design of your organization’s controls.
SOC 2 Type 2 reports assess relevant processes and controls over a set period of time, generally 6 or 12 months, rather than as of a specific date. The reports include tests of operating effectiveness, including sample-based testing of relevant controls over the time frame covered by the report. Companies are expected to issue recurring SOC 2 Type 2 reports, as they are more comprehensive in nature than SOC 2 Type 1 reports. The majority of ML&R SOC clients obtain SOC compliance through the following services:
- SOC Readiness Assessment
- Type 1 Report
- Type 2 Report six or twelve months later
- Type 2 Reports annually thereafter
The Risk Assurance & Advisory Team can help you navigate the timing and process of becoming SOC 2 certified.
How Often to Perform a SOC 2 Audit
Generally, SOC 2 Type 1 and SOC 2 Type 2 reports are valid for 12 months from the report date. SOC 2 audits should be performed annually, at a minimum. Companies can also issue a SOC 2 Type 2 report for a shorter time frame after the SOC 2 Type 1, such as 6 or 9 months, if a SOC 2 Type 2 report is required sooner.
Who Can Perform a SOC 2 Audit
While SOC Readiness can be performed by a range of IT consulting firms, SOC audits can only be performed by licensed audit and IT professionals at an accredited Certified Public Accountant (CPA) firm, an accreditation designated by the AICPA.
SOC reports are trusted by stakeholders, customers, and auditors because they are held to a high standard established by the AICPA and performed exclusively by individuals who are licensed, trained, and independent. As a full-service CPA firm, Maxwell Locke & Ritter is able to perform both readiness assessment and audit / examination services.