SOC reports simplified with our top 10 questions and answers
One of the most popular frameworks we get questions about is the SOC 2 report. Companies often get an unexpected request from a customer or prospect who is seeking verification of their data security and risk management programs, specifically with a request for a SOC 2 Type I or Type II report. These audits are a great way to show that you take information security seriously - but what does it entail and how do you get one? At Ostendio, we help customers every day prepare and undergo audits related to SOC 2 Type I and Type II as well as SOC 3, so here are our top 10 questions and answers about SOC reports.
We’ve got you covered with all you need to know about SOC audits. Here are the top 10 questions and answers about SOC reports:
1. What is a SOC report?
The AICPA (American Institute of CPAs) created the SOC (Service Organizational Controls) framework to cater to the growing trend of outsourcing business operations. This framework provides guidance on standards that should be used for reports covering operational and technological business risks – not just financial controls as was the case before the SOC framework. SOC reports can be applied to virtually any industry or business sector.
2. Why do I need a SOC report?
By completing a SOC 2 Type II audit, you will be able to share with customers the steps you have taken to protect sensitive data and show that you have an established information security program.
3. Why would I choose SOC over other standards like ISO 27001 or HITRUST?
There are several standards that companies choose to show their data security and risk management programs. SOC has been one of the most popular in recent years but other standards are also common depending on the industry. ISO 27001 demonstrates that your organization has invested in the people, processes, and technology (e.g. tools and systems) to protect your organization's data and provides an independent, expert assessment of whether your data is sufficiently protected. It is assessed by an accredited company. HITRUST is a framework from the HITRUST Alliance that is more popular in healthcare but also used in some other industries. It assesses companies’ data security programs based on the HITRUST CSF (Common Security Framework). Ostendio MyVCM maps to over 100 standards and regulations. It includes the popular MyVCM CrossWalk feature allowing you to crosswalk, or map, evidence from one standard to another making the process of preparing for multiple audits simpler and more cost-effective.
SOC 2 reports are specifically designed to report on the controls that make up the Trust Services Criteria. The Trust Services Criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.
5. What’s the difference between SOC 1 vs. SOC 2 vs. SOC 3?
In summary here’s an overview of each:
SOC 1 is a report that’s financially focused and not able to verify at the level of big security, operations, and data compliance. It’s an audit of the internal controls at a service organization that’s relevant to financial reporting (ICFR). These reports are intended for auditor-to-auditor communication.
SOC 2 reports are specifically designed to report on the controls that make up the 5 categories of the Trust Services Criteria. SOC 2 reports demonstrate that, at a particular moment in time, everything is correct and compliant and is, therefore, a report that’s recurring. They can be shared with customers, management, regulators, and third parties. As they contain sensitive information, a Non-Disclosure Agreement may be necessary before sharing.
SOC 3 reports also focus on the Trust Services Criteria controls. However, unlike SOC 2 reports, SOC 3 reports are certified and can be widely shared. They’re considered “General Use” reports and offer a less detailed summary of the information. The same information as in a SOC 2 report needs to be considered, so it’s not uncommon for organizations to do a SOC 2 and then have the auditors write the SOC 3 summarizing the SOC 2 report.
6. How long does it take to prepare for a SOC 2 audit?
It typically takes anywhere from 1 to 2 months to prepare for the audit but this assumes your security program is mature and already meets most of the SOC 2 criteria. If you have significant gaps in your security program then it can take longer. The audit process usually follows an approach of planning, fieldwork, and reporting.
7. How much does it cost?
There is no set cost for a SOC 2 audit. It will depend on several factors including:
- The type and number of Trust Categories you want in the scope of your audit
- The size of the environment
- The type of report (SOC 2 Type I or Type II)
- The number of applications
- The number of employees at your organization
Remember, this is an annual recurring report, so the upfront cost is always higher. You can expect costs to lower by 10 - 20% in subsequent years. That said, we typically advise customers to budget up to 6 figures for the total cost of achieving SOC compliance. This includes your internal costs for time invested, preparation costs, the cost of the audits itself, and incremental technology costs required to meet security requirements and possibly support the process.
8. Who completes the audit?
Qualified auditors will complete the SOC audit. They must be AICPA certified auditors.
You can easily find a qualified auditor through the Ostendio MyVCM Auditor Connect feature. This ensures that the auditor you choose will also be using the Ostendio MyVCM platform. This will save you time and money when completing an audit. By sharing evidence in the Ostendio MyVCM platform you will eliminate the need to email spreadsheets and documents and find it easier to keep track of how your audit is progressing. The auditor can also communicate with the client through the platform to ask for clarification if necessary. Auditors and customers have found that using the Ostendio MyVCM platform for a SOC audit can cut time and cost by over 50%.
10. I don’t think I have enough staff with the right skill set - what can I do?
Many Ostendio customers use the Ostendio Professional Services team of experts for additional help during the preparation of a SOC audit. They can help you understand the scope of your SOC 2 audit, prepare documentation and policies, collect evidence and help you choose the right auditor for your company. In addition, the advantage of a platform like Ostendio MyVCM is that it performs much of the heavy lifting for you i.e. tracking activity, scheduling reminders, and performing follow-up.
Get advice from an experienced SOC preparer
And finally, a valuable piece of advice we give all customers: Document, document, document! We can’t stress this enough. Everything needs to be documented and tracked. If you didn’t record it, it didn’t happen in the eyes of an auditor. Ostendio MyVCM significantly eases the collection, management, and mapping of evidence across all required controls. Evidence is kept current ensuring it is always up to date, and all communications, changes, and mitigations are fully tracked and stored within the Ostendio MyVCM platform. This will make life so much easier when you start preparing for your SOC 2 audit. As an experienced SOC 2 preparer, we can provide a better estimate about cost and timing after a scoping discussion.
If you are ready to get started or just want to find out more, contact an expert at Ostendio who is happy to talk about your organization’s data security needs. They can also give you a quick tour of the Ostendio MyVCM platform so you can see how easy it is to use for your SOC journey.