1. What is a SOC 2 Report?
SOC 2 is a reporting framework developed and maintained by the American Institute of Certified Public Accountants (AICPA). The goal of a SOC 2 report is to help organizations demonstrate their security posture to relevant stakeholders such as customers, prospective customers, other auditors, or internal stakeholders.
If you are an organization that provides a service (e.g., SaaS, cloud service providers, managed service providers), SOC 2 is likely relevant to your organization.
2. Who does SOC 2 apply to?
A SOC 2 examination is a relevant consideration for any service organization with a hosted or cloud-based service whose service affects the operations and compliance of its customers.
In reviewing risk3sixty’s SOC 2 customer base, nearly all of the clients deliver a traditional Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS) solution.
3. Do I need a SOC 2 report?
There are no regulatory requirements to perform a SOC 2 examination; however, many organizations may be required to obtain a SOC 2 report due to contractual requirements. Traditionally, a service organization elects to pursue SOC 2 for one or more of the following reasons:
- Reason 1: An organization desires to improve its security posture.
- Reason 2: A prospect or client mandates it in a contractual agreement.
- Reason 3: Prospective clients are asking about security or official certification during the sales cycle.
- Reason 4: Your team is overburdened with security questionnaires or customer audits.
If you are working with executives to communicate why your organization needs SOC 2, you can read our whitepaper on the business case for SOC 2 adoption.
4. What are Trust Service Criteria (TSC) and which apply?
There are five TSCs, and as a service organization you can elect which of the five to incorporate into your SOC 2 examination. The TSCs are the criteria against which controls' operating effectiveness is evaluated and reported on, and include:
Security (mandatory): Security refers to the protection of data creation, processing, transmission and storage, as well as the systems that enable each activity.
Availability: Generally speaking, if you’re making ‘up-time’ guarantees within your SLAs, the Availability TSC should be a consideration.
Processing Integrity: Stated simply, if you have a system that ‘inputs’ and ‘outputs’ data, Processing Integrity is intended to ensure the integrity of the system that processes those inputs and outputs.
Confidentiality: If you maintain data that is designated as ‘confidential’ through contracts, laws or regulations, the Confidentiality TSC should be a consideration.
Privacy: The distinction between Privacy and Confidentiality is that Privacy applies only to personal information. If you’re a service organization that handles consumer data, such as that of a healthcare patient, Privacy may be a consideration.
5. How often are SOC 2 reports required?
SOC 2 reports are most frequently done annually. However, some service organizations elect to do them twice annually, with six-month reporting periods.
6. Who performs SOC 2 audits?
You must be a CPA firm, such as risk3sixty, to perform and issue a SOC 2 report.
7. What’s the difference between a SOC 1 and a SOC 2?
SOC 1 and SOC 2 are both audits of a service organization’s controls. SOC 1 is appropriate for service organizations whose controls impact their end customers’ financial reporting. SOC 2 is appropriate for service organizations whose controls impact their end customers’ operations and compliance.
8. What’s the difference between SOC 2 Type 1 and SOC 2 Type 2?
A SOC 2 Type 1 is a report on the fairness of presentation of the service organization’s control design at a point in time, without testing of historical operating effectiveness.
A SOC 2 Type 2 includes testing of operating effectiveness over a period of time. Most service organizations first do a Type 1, and then after a period of six to 12 months, have their first annual Type 2 performed.
9. How long does it take to get a SOC 2 audit?
This is a tricky question, as no two service organizations are identical, but on average it takes a service organization somewhere from three to six months to get a Type 1.
With the Type 1 complete, the AICPA suggests you wait at least six months before performing the Type 2, as that allows a suitable amount of time for the controls to be in place and operating effectively. As such, the Type 2 generally follows the Type 1 by six to 12 months.
10. How much does SOC 2 cost?
Also a tricky question: no two service organizations are identical, and in the case of SOC 2, the combination of the five TSCs you place in scope also affects the fees. In general, we suggest an organization budget somewhere between $40,000 – $80,000 for the performance of the SOC 2 Type 1 and Type 2.