The Service Organization Controls report is a commonly sought-after security framework. What is it exactly, and how do you prepare for a SOC 2 audit? We cover this, and more, in this extensive SOC 2 audit guide.
"Will you safely store and manage my data appropriately?"
That’s a question that many companies are asking their service providers to answer with a SOC 2 audit. In our cloud-based society, SOC 2 is one of the more common compliance standards requested of service organizations today. In most cases, service organizations are required to obtain SOC 2 compliance to partner or provide services, while some organizations see a SOC 2 certification as a business advantage. Whatever the reason, completing a SOC 2 audit is an important step in demonstrating information security and cybersecurity risk management.
This resource is designed for those new to SOC 2 audits, organizations preparing for an upcoming audit, and anyone seeking a refresher on how to successfully pass a SOC 2 audit.
SOC 2 is a security framework developed by the AICPA (American Institute of Certified Public Accountants) with five areas, called the Trust Services Criteria, that demonstrate how a service organization protects customer information.
A SOC 2 always contains the “common criteria” which includes organizational controls, access management, risk management, change management, communications, and system operations.
It is quite unusual for a company to attempt all five Trust Services Criteria at once. Normally, businesses will start their SOC journey with a SOC 2 Type 2 audit covering the common criteria. (More on the differences between SOC 2 Type 1 and Type 2 reports below.)
SOC 2 stands for Systems and Organization Controls 2.
Cloud service providers, SaaS providers, and organizations that store customer data in the cloud should complete a SOC 2 report.
The most common, and most compelling reason a company would be asked to demonstrate SOC 2 compliance is because their customer base has a need to ensure their vendors are securing and managing data effectively. This applies to more companies as they use cloud technology to store customer information.
Unlike regulatory frameworks like HIPAA and GDPR that are less defined and don’t have a formal audit authority to determine compliance, SOC 2 is independently verified by the AICPA and is considered to be an industry-acceptable security accreditation.
A SOC 2 audit may take several months depending on the number of controls and the scope of the report. While the SOC 2 process can seem lengthy, your efforts don’t have to be complicated. With proper evidence collection and systems in place, preparing for a SOC 2 audit can be streamlined to make the process repeatable (and easier to prepare for other compliance frameworks in the future).
Some companies claim to speed up this process and complete a SOC 2 in a matter of weeks vs. months.
Not so fast.
There are a couple of reasons completing a SOC 2 in two weeks can be damaging to your overall compliance and security program. First, rushing compliance sacrifices quality, leading to unsatisfactory audit results and wasted time for those involved. Secondly, completing a SOC 2 audit requires a human element that simply cannot be automated in a short amount of time. From documentation and evidence collection to employee training, a SOC 2 takes much longer than a couple of weeks.
To understand the importance of the SOC report and why you should take special care to achieve SOC compliance, let’s go back to the beginning.
SOC (Service Organization Control) has evolved under the governing authority of the AICPA, an accounting organization that oversees tax and finance accountants. The evolution began in the early 2000s when people started to invest in more equipment (servers, computers) that was occasionally hosted in external data centers. That equipment had a significant financial value.
SOC began as the Statement on Auditing Standards (SAS) 70, an accounting standard that required companies to safeguard capital equipment because of the financial impact if it was lost, stolen, or damaged. They created rules around FARS (Fatality Analysis Reporting System) correction, flood damage, theft, etc. The data centers were under so much scrutiny that they needed ways to protect information security and guard against data loss.
Under pressure to find a measurable way to demonstrate effective data security, organizations started to see SAS 70 as an auditable way to achieve this. Many companies, especially those with large data centers that had a significant financial outlay in this equipment, began using SAS 70 as an unofficial data security standard. The AICPA recognized that this wasn’t the true intention of SAS 70, so in 2011 they replaced SAS 70 with a new framework called Statement on Standards for Attestation Engagements (SSAE) 16. SSAE 16 was a slightly modified version of SAS 70 that took more of the data security aspects of the protections and controls into account.
As pressure continued to grow for companies to provide auditable evidence that they were operating securely, and with the success of alternative data security frameworks such as HITRUST, the AICPA realized that there was a bigger market in pure data security. In 2010 they introduced the current Service and Organization Controls (SOC) reporting framework. This splits the financial and security aspects between SOC 1 and SOC 2, with SOC 1 covering the financial aspects of SAS 70 and SSAE 16, and SOC 2 covering the data security, information security, and privacy controls.
While it has evolved over time, and the origins of SOC 2 go back several decades, SOC 2 in its current format is still relatively new. However, over the last few years it has become an increasingly popular security framework.
There are a number of reasons why it's growing in popularity. First, the AICPA is the governing body that gives the perception of greater integrity because of the ethics associated with a financial auditing institution. Specifically, there's a set of ethical principles that auditors have to operate against, as well as a peer-review process. Other frameworks don't necessarily have that kind of ethical or moral authority.
With all this talk about SOC 2, you might be wondering about the other SOC reports.
The AICPA has defined three different types of SOC reports. All three reports are important but serve separate purposes around security. In this section, we’ll decipher the difference between SOC 1, SOC 2 (and the difference between SOC 2 Type 1 and SOC 2 Type 2), and SOC 3 reports.
A SOC 1 (Service Organization Control 1) report is more financially focused than SOC 2, and involves service organization controls relevant to the company’s customer financial information.
A SOC 2 helps service organizations demonstrate their cloud and data security controls. The SOC 2 includes the five areas called the Trust Services Criteria as mentioned previously in this guide.
The AICPA has identified two types of SOC 2 attestation reports: SOC 2 Type 1 and SOC 2 Type 2. While both are very important frameworks, they serve different purposes.
A SOC 2 Type 1 report centers around a ‘point in time’. It focuses on the description of the systems and controls, and the ability of these controls to achieve their objectives at a certain point in time, e.g. June 23rd, 2019. SOC 2 Type 1 does not show tests of controls or their results. It simply ensures that you have controls and processes in place.
A SOC 2 Type 1 report starts with the preparation required to build all the evidence you need. This can be done internally or with the assistance of professional services experts who will guide your company through the process and what is needed. When you believe you have all the processes in place you would then engage an auditor to conduct the audit. SOC 2 Type 1 might take 2-3 months to prepare, complete the audit and then fix any issues that were raised by the auditor.
The audit will go more smoothly if you gather all the information on the controls and processes in one place, show which employee owns each process, and show that each has been signed off. This will save your company time with the auditor.
The more insightful report is the SOC 2 Type 2. Because this is a more rigorous report, it is the most commonly requested. SOC 2 Type 2 generally applies to 12 months of history. What you will demonstrate in a SOC 2 Type 2 is not only that the controls and processes are in place (as done in a SOC 2 Type 1), but that you can test these controls and procedures and show their results. This makes a SOC 2 Type 2 a much more intense check for organizations to perform than a SOC 2 Type 1. Approximately 3 to 6 months after completion of the audit you are required to go through the SOC 2 Type 2 again, because compliance requires an ongoing demonstration of security and procedures. This will continue to be an annual process to maintain your SOC 2 Type 2 certification.
A SOC 3 report requires a similar level of effort to the SOC 2 report because the same controls are reviewed. Organizations typically generate a SOC 2 and then pay for an extra SOC 3 report to be written by the auditor. The SOC 3 is used as a more public report, whereas the SOC 2 would have a limited distribution internally and to partners, as it might include confidential material. A SOC 2 report would require a Non-Disclosure Agreement before it was shared with a third party. Typically a SOC 3 report is not done as an independent document.
To confidently understand your SOC 2 requirements, it’s important to really understand the report itself, including the two types of SOC 2 reports. First, make sure you understand the difference between SOC 1, SOC 2, and SOC 3. Once you’ve determined that you need SOC 2, you’ll want to dig in on the two types: SOC 2 Type 1 and SOC 2 Type 2. All SOC reports are controlled by the AICPA (American Institute of CPAs).
Both Type 1 and Type 2 reports are Service Organization Control reports. They are designed to help service organizations that provide services to other entities build trust and confidence in the service performed, and in the controls related to those services, through a report by an independent CPA. Most organizations that require compliance validation eventually undergo a SOC 2 Type 2; however, it’s often recommended to start with SOC 2 Type 1.
There are various reasons why an organization should undergo a SOC 2 audit. In this section, we’ll cover some of the most common reasons companies choose to complete a SOC 2 report and why doing so is one of the most important measures you can take to demonstrate compliance and security.
Most companies choose to complete a SOC 2 audit simply because a client asks them to demonstrate the security controls they have in place, while other companies recognize the competitive advantage of having a SOC 2 in place before a client or prospect asks. This allows them to get ahead of the game by completing the audit process before it is requested.
There are times when internal management wants to see how their security posture is working and whether upgrades are needed. In the event a client sends a very detailed security questionnaire, organizations can provide a SOC 2 to save time in completing the request. A SOC 2 audit can also be a competitive differentiator and could help you win new business in a competitive situation.
Of course, there are other standards such as HIPAA, NIST, ISO27001, and HITRUST. If you are already pursuing another certification, you may have many of the controls in place already, making a SOC 2 easier to complete.
SOC 2 is also less prescriptive than some other frameworks. Not only is it composed of 5 separate Trust Categories, allowing organizations to select only one or two to start, but there is also greater flexibility in defining the overall scope of the engagement when drafting the management assertion. Of course, both of these points could also be viewed as negatives if the intended recipient of the report subsequently concludes the scope is insufficient.
A SOC 2 audit can cost an organization upwards of tens of thousands of dollars. But that’s nothing compared to the cost consequences of not having a SOC 2. In 2021, the average data breach cost $4.24 million. One cannot simply ignore the security benefits and ROI of a SOC 2 audit.
If your company needs to prepare a SOC 2 Type 2 report and you need to demonstrate compliance to a partner company, for example, you’ll need to start the process quickly. Although your partner might understand the time and resources involved with obtaining a SOC 2 report, they will most likely require verification that you have at least started the process. Some partners may even require a way to check in regularly to see how you are progressing towards the end goal of the audit.
SOC 2 Type 2 takes time because you need to put effective programs in place that allow you to be compliant, and you also need to go through the verification process. Typically, the process to go through a SOC 2 Type 2 takes around 12 months due to the requirement to display months’ worth of evidence that your processes and systems are properly managed and secured.
The size of your company can play a role in determining how complex it will be to conduct a SOC report. For less mature companies that do not have any processes already in place, there could be more documentation to do compared to a larger organization with many procedures and processes already in place. If you're protecting health information, managing credit card information, or any type of sensitive government information, a SOC 2 Type 2 or equivalent is likely in your future regardless of your company size.
If, for example, the information you're tracking and managing is reasonably benign with little personal information, the level of security you have to put in place to protect it is lower. An organization with relatively benign data may have more leeway regarding SOC reports. Smaller organizations typically handle less data. For example, if you have a small organization of twenty employees, you may have less need to segment your data by who is able to access sensitive information. In this case you may have more data that is available to the majority of your employees with little risk.
A larger organization becomes more complex, with a larger volume of data and a broader range of data types. Depending on the maturity of the programs in place, it can take anywhere from 1 year to 18 months to complete an audit, including the preparation. For example, if you're going through a risk assessment and you identify that the systems you have in place aren't sufficient, you may have to implement something more complex, therefore slowing down your assessment timeline. However, once the heavy lifting is done to prepare for a SOC 2 report the first time, there are ways to make your recurring audits simpler.
If your organization hasn’t changed and there are no regulatory changes, you should be able to simply note that the processes have been reviewed and updated. You still have to do a risk assessment on a regular basis, and using document management software will simplify the process because all policies and procedures are sent to their owners to confirm they are still active. Instead of reinventing a process every year, the owner just needs to verify that it is up to date.
It is important to remember, when considering your timeline to complete an audit, that there is a remediation period of approximately 6-8 weeks after the audit to remediate any gaps identified by the auditor.
With all this talk about SOC audits, you might be wondering: how much does a SOC 2 audit cost? Budgeting for a SOC 2 is incredibly important. Not only is it a huge undertaking, it’s a process that you want to make sure results in quality. The last thing you want to do is devalue your SOC 2 report by rushing the timeline or discounting the funds that go into it. Accelerating the SOC 2 audit process could mean missing crucial security criteria, creating a weak link in an organization’s compliance.
The cost of a SOC 2 audit may vary depending on the scope of the project, and ranges from auditor fees to the internal team productivity consumed.
When it’s all said and done, we estimate that a proper SOC 2 (including Type 1 and Type 2) can cost an organization between $140,000 and $150,000.
SOC 2 compliance doesn't happen overnight. It takes time, resources, and some helpful insight. Below are some fast tips that we recommend following on your journey to preparing for a SOC 2 audit.
The #1 rule in SOC 2: if it’s not documented, it didn’t happen. From hiring paperwork to security documents and incident response plans, it’s absolutely important to have evidence backed up and easily retrievable for your SOC 2 audit. This also demonstrates that your organization has proper security controls in place, and these processes can be easily shared with employees and management.
When it comes to SOC 2, it takes a village. The first step towards SOC 2 success is gaining the support from C-level executives and management. You will need this management support for your SOC 2 audit as it will require participation from the whole organization and the allocation of time and budget resources.
When you know you need a SOC 2 report, start by conducting a readiness assessment so you can evaluate how much work you need to do to prepare for an audit.
As mentioned at the beginning of this guide, there are five key areas involved in the SOC 2 audit. In most cases, organizations will choose the “common criteria”, but be sure to do your research on which criteria to include beyond the initial scope: availability, confidentiality, privacy, and processing integrity. Know which criteria your customers will care about the most and be sure to report on them. You can always expand your SOC 2 report to include more in the future.
SOC 2 audits aren’t a “one and done” thing. In general, customers request updates to SOC 2 once a year to make sure you’re up to date on compliance. Thankfully, there are integrated risk management tools on the market that help you build an ongoing compliance and security program, making this a repeatable process so that when it comes time to renew your SOC 2, you save time and money in the long run.
Copyright ©2022 Ostendio, Inc.
All rights reserved