Are you feeling a little overwhelmed at the thought of a security audit? Have you heard the SOC 2 name mentioned in meetings but don’t understand what’s involved? Many people have questions about security audits, so here is our quick overview answering some common SOC 2 questions: the background to SOC 2, how to prepare for an audit and, of course, how long it takes and what it costs. Whether you have been thinking about a SOC 2 audit for a while or are only just learning about them, this post will give you what you need to get started.
At Ostendio we make preparing and completing security audits simple. We have built the industry leading Ostendio MyVCM platform to help companies build, operate and showcase their data security and risk management programs. As experts in our field, let’s just say that we know a thing or two about SOC 2 audits. If you need crib notes on SOC 2 we are here to help.
Shown above: The Ostendio MyVCM organization dashboard view
So let’s get started on our top 10 Q&A about SOC 2 audits:
1. What is a SOC 2 report and who needs one?
SOC (originally Service Organization Control, now System and Organization Controls) reporting is governed by the AICPA (American Institute of Certified Public Accountants), the professional body for certified public accountants in the United States. In 2016 the AICPA introduced the current SOC reporting framework. It splits the financial and security aspects between SOC 1 and SOC 2: SOC 1 covers controls relevant to financial reporting, while SOC 2 covers data security, information security and privacy controls. The AICPA says: “These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”
There are various reasons for undergoing a SOC audit. For most companies, it is driven by clients asking for a SOC 2. However, other companies also recognize the competitive advantage of having a SOC 2 in place and get ahead of the game by completing the audit process before it is requested. This applies to more and more companies as they use cloud technology to store customer information.
2. What’s the difference between SOC 1, SOC 2 and SOC 3?
SOC 1 is financially focused: it is an audit of the internal controls at a service organization that are relevant to its customers’ internal control over financial reporting (ICFR). It does not assess security, availability or data-protection controls in any depth. SOC 1 reports are intended for the customer organizations and their financial-statement auditors.
SOC 2 reports are specifically designed to report on the controls that address the five categories of the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 Type I report describes the system and evaluates whether the controls are suitably designed at a particular point in time; it does not test whether those controls operated over a period. A SOC 2 Type II report additionally tests the operating effectiveness of the controls over a review period, typically 6 to 12 months, and so provides a historical record that the controls have in fact been operating. Both types can be shared with customers, management, regulators and other third parties, but because they contain sensitive detail about your systems a Non-Disclosure Agreement is usually required before sharing.
A SOC 3 report requires a similar level of effort to the SOC 2 report because the same controls are reviewed. Organizations typically obtain a SOC 2 and then pay the auditor to write an additional SOC 3 report. The SOC 3 is a general-use summary that can be published freely, whereas the SOC 2 has limited distribution internally and to partners under NDA, because it includes system descriptions and test results that may be confidential. A SOC 3 is typically not produced as an independent document without an underlying SOC 2.
3. How fast can I get certified?
The speed depends on the size of your organization and the scope of the audit, and on whether you start with a SOC 2 Type I or go straight to a Type II. (Strictly speaking, SOC 2 is an attestation report rather than a certification, but the term “certified” is widely used.) Preparation is key and is usually the most time-consuming part of the process. Some customers will accept evidence that you have engaged an auditor and started the process while the report is still in progress. A SOC 2 Type I may take 2-3 months to prepare for and complete, including fixing any issues raised by your auditor. A SOC 2 Type II takes around 12 months end to end, because you need months of evidence that your processes and systems have operated compliantly over the review period before the audit can take place.
4. How much does a SOC 2 audit cost?
The scope of the audit and the size of the organization will affect the cost of the audit. There are costs associated with preparation, as well as any tools you may need to implement to meet specific requirements. There is also the cost of hiring a licensed CPA firm to complete the audit. You can reduce the cost of an audit through appropriate preparation using the Ostendio MyVCM platform and by engaging an auditor firm through the MyVCM Auditor Connect marketplace.
5. How should I prepare for a SOC 2 audit?
When you know you need a SOC 2 report, start by conducting a readiness assessment so you can evaluate how much work you need to do to prepare for the audit. If you are not sure how to conduct a readiness assessment, contact Ostendio and we will explain how to get started. Depending on the size of your organization and the maturity of your processes, you will need to assess how many policies you have documented and how many you still require in order to be ready. An expert from our Professional Services team can help.
6. Who can perform a SOC 2 audit?
Only licensed CPA firms, performing the engagement under the AICPA’s attestation standards, can issue a SOC 2 report. The firm may use security specialists who are not CPAs to do the testing, but the report itself is signed by the CPA firm.
7. What is the SOC 2 report and are SOC 2 reports public?
A SOC 2 report is written and signed by the CPA firm that completes your audit. It contains management’s assertion, a description of the system, the auditor’s opinion and, for a Type II, the tests performed and their results. SOC 2 reports are not public: they are distributed to customers, prospects and partners, normally under a Non-Disclosure Agreement, because the system description and test results may be confidential. If you need a report you can publish openly, ask your auditor for a SOC 3 (see question 2).
8. How often is a SOC 2 audit required?
A SOC 2 Type I is a point-in-time audit that measures whether your controls are suitably designed on a certain date, so it is normally done once, as a first step. A SOC 2 Type II is conducted over a review period, commonly 6 to 12 months, during which you must retain evidence showing continued compliance with the criteria. Because a Type II report covers only its review period, it is renewed annually so that customers always have a current report with no gap in coverage.
9. Why is SOC 2 popular?
There are a number of reasons why it is growing in popularity. First, the governing body is the AICPA, which lends the process the credibility associated with a financial auditing institution: auditors must operate under a set of ethical principles and are subject to a peer-review process. Other frameworks do not necessarily have that kind of ethical or professional authority behind them.
Another key advantage of SOC 2 is that it is less prescriptive than some other frameworks. It is composed of five Trust Services Categories: Security (the common criteria, which every SOC 2 must include), Availability, Confidentiality, Processing Integrity, and Privacy. Organizations can start with Security alone and add the other categories only where they are relevant to the service, and there is also considerable flexibility in defining the overall scope of the engagement when drafting the management assertion.
10. How does SOC 2 compare with HIPAA and HITRUST?
Regulatory frameworks like HIPAA, GDPR, and CCPA do not define a formal certification or third-party audit that determines compliance. SOC 2, by contrast, is independently verified by a licensed CPA firm working to the AICPA’s attestation standards, so it is widely accepted as a security attestation. Other standards are also popular, such as HITRUST in the healthcare industry and ISO 27001 internationally.
It is easy to get distracted by false promises of SOC 2 certification in a week, but the reason this report is popular is that it is comprehensive and attests to your organization’s commitment to security. Of course, there are ways you can make it less time consuming and stressful - and dare we say it “easier”. The Ostendio MyVCM platform helps organizations organize and prepare for SOC 2 audits. If you need more team members or experts to help, Ostendio Professional Services is a team of experts ready to help customers become SOC 2 ready. The Ostendio MyVCM platform even offers a selection of auditors through the MyVCM Auditor Connect feature who can give you a quote for your SOC 2 audit. Customers who have completed an audit through MyVCM Auditor Connect report saving over 50 percent of the time and cost of a regular audit.
SOC 2 is fast becoming one of the most asked about security audits and Ostendio MyVCM is the industry leading platform to help you reach your SOC 2 certification goal. It’s time to find out how a SOC 2 audit could benefit your business.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.
What do customers say?
Read reviews on Capterra from Ostendio customers who have prepared for and completed audits, including SOC 2.