Common SOC 2 Questions Answered
If you’re new to cybersecurity compliance, you’re probably wondering, “what is SOC 2?” The first step is understanding what information will be audited, which employees are involved in the audit, and what the overall audit process includes.
Undergoing a SOC 2 audit can be complex, so we have provided answers to eight common SOC 2 questions on auditing and reporting.
Whether you have just started your business or you’re running an established organization, you know that handling your clients’ data responsibly is critical. A SOC 2 report provides independent information about how effectively you are managing the security, privacy, and integrity of a client’s sensitive information.
1. Why is SOC 2 compliance important?
As you know, data privacy and security have never been more important. When working with large customers or those in regulated industries, you will likely be asked to provide proof of your SOC 2 controls, especially if you operate a cloud or services business. Below is a list of common risks related to delaying compliance assessments:
- Less competitive position: Many organizations are required by laws or regulations to ensure the security of their data or their customers’ data. Organizations and customers will typically work with partners and vendors who can demonstrate security controls, practices and compliance over a period of time through industry standard reporting and recognized frameworks, such as SOC 2.
- Drawn out sales process: At some point, a prospect will probably ask for your SOC 2 report before moving any further. Since SOC 2 is a rigorous framework, it is not something that can be completed overnight. Even for an organization with established controls, gathering evidence and performing the audit typically takes several weeks, and a Type 2 report adds an observation period of several months on top of that. It requires planning, thought, ongoing cybersecurity controls, and the help of an external auditing partner.
- Lack of customer trust: A SOC 2 report sends a signal to customers that your organization prioritizes IT risk, ethics, security, and the protection of their information and data in delivering services. Obtaining a SOC 2 report indicates a level of maturity around IT security, technology and business. Without a SOC 2 report issued by a licensed certified public accountant (CPA) firm, customers have no independent verification that their data is being secured; they have only your word for it. Without this trust, it is very difficult to do business.
- Vulnerability to security threats: One of the most valuable outcomes of pursuing a SOC 2 attestation is improving and maintaining the strength of your own organization’s cybersecurity posture. SOC 2 is comprehensive and covers a wide range of controls. The gap analysis and audit findings can be leveraged to identify new risks, threats, and security controls or processes to implement at your organization. These new processes can not only strengthen security controls at your organization, but can also improve metrics, operations and service delivery to customers.
2. What are the Trust Services Criteria?
The scope of your SOC 2 audit report is dependent on how many of the Trust Services Criteria (TSCs) your organization needs to focus on to fulfill your client requirements. The TSCs that you can choose from, include:
- Security (Common Criteria) – The protection of information, data and systems throughout their lifecycle. Security controls are in place to protect against unauthorized access, unauthorized disclosure, and damage to systems that could affect the other criteria beyond the Security category. Security controls include a wide array of risk-mitigating measures, such as endpoint protection and network monitoring tools that prevent or detect unauthorized activity. Entity-level and control environment topics are also considered, to ensure that the necessary controls are in place to govern organization-wide security. Every SOC 2 report covers the Security category at a minimum; the other four categories are optional additions to scope.
- Availability – Considers controls that demonstrate systems maintain operational uptime and performance to meet stated business objectives and service level agreements. Availability does not set a minimum acceptable performance level, but it does address whether systems include controls to support and maintain system operation, such as performance monitoring, sufficient data backups and disaster recovery plans.
- Processing Integrity – Ensuring that data is processed in a predictable manner, reasonably free of accidental or unexplained errors. In other words, the information produced or manipulated by your systems needs to be complete, accurate, valid and reliable, to meet stated business objectives and SLAs. Due to the number of systems used by an organization, processing integrity is usually only addressed at the system or functional level of an organization.
- Confidentiality – Requires companies to demonstrate the ability to protect confidential information throughout its lifecycle, including collection, processing and disposal. The specific requirements for Confidentiality related controls may be defined by laws and regulations, as well as internal management or stated business objectives and SLAs. Confidential information may include personal information, as well as other information, such as trade secrets and intellectual property. Controls for Confidentiality include encryption and identity and access management.
- Privacy – Covers communication, consent, and collection of personal information, and verifies appropriate parties have access to that information and what can be done with it. Controls for Privacy include privacy policies and consent management mechanisms.
3. What is the difference between SOC 1 and SOC 2?
A SOC 1 audit is the right audit for organizations whose services could affect their customers’ financial reporting, for example those that handle, process, store or transmit financial data. SOC 1 reports cover the controls at your organization that are relevant to your customers’ internal control over financial reporting. Typical examples include payroll processors, collections organizations, data centers and software as a service (SaaS) organizations whose output feeds customers’ financial statements.
A SOC 2 report highlights the security controls in place that protect and secure an organization’s system or the services used by its customers. Unlike a SOC 1, the scope of a SOC 2 attestation covers the design (and, for a Type 2, the operating effectiveness) of controls that protect the processing and storage of data, regardless of whether that data directly affects the financial statements of user organizations. Organizations of many sizes and industries can benefit from a SOC 2 assessment, as the audit can be performed for any organization that provides services to its customers.
4. What are the different types of SOC 2 reports?
When it comes to SOC 2 reports, two options are available: Type 1 and Type 2. The best fit for your organization depends on your specific requirements.
- SOC 2 Type 1 – With this report, the service auditor validates the organization’s description of its system and the suitability of the design of its control activities against the selected TSCs. The auditor reviews and reports on how well the organization has designed the system and its controls, considering the selected TSCs, as of a specific date in time. A Type 1 does not test whether the controls actually operated.
- SOC 2 Type 2 – With this report, the organization receives a more comprehensive report as compared to Type 1. The report covers the description of your organization’s systems along with the operating effectiveness of controls, with the service auditor’s test results included within the report. In addition, a Type 2 report gives a historical view of an organization’s environment to determine whether the organization’s internal controls are designed and operating effectively over a defined period of time, typically ranging from three to twelve months.
5. What does a SOC 2 report focus on?
A SOC 2 report includes overall processes and controls as described by your organization and the auditor’s assessment either at a point in time (Type 1 Report), or over a period of time (Type 2 Report). This report will include a description of your system and the suitability of the design, and potentially the operating effectiveness of its controls relative to your security posture.
When you receive your SOC 2 report, you can share a version of the report with your customers, vendors, and stakeholders, when appropriate. This shows that your organization has the appropriate policies, procedures, and controls in place to manage and mitigate the key threats and vulnerabilities that pose a risk to their environment.
A SOC 2 report typically has four required sections, plus an optional fifth:
- Section 1: Assertion of Management – Management attests to the accuracy of the system description and the information provided during the audit. This includes a summary of the details regarding the SOC 2 attestation.
- Section 2: Independent Service Auditor’s Report – An independent, external Service Auditor provides an opinion, or summary, of the results of the audit performed.
- Section 3: Description of Client’s System Throughout the Review Period – Includes a number of descriptions of various organizational details associated with the system being reviewed, including but not limited to company background, services provided, infrastructure, controls, processes, employees, policies and more.
- Section 4: Trust Services Category, Criteria, Related Controls and Tests of Controls – Includes details of the organization-specific control activities specified by the service organization and tested by the Service Auditor, along with the test results and any exceptions noted.
- Section 5 (Optional): Other Information Provided by the Service Organization – Additional information provided by management, where applicable, such as responses to exceptions.
6. What areas are commonly reviewed during a SOC 2 assessment?
SOC 2 reports cover an assessment of an organization’s security controls against the in-scope TSC. The list of items and areas within your organization that will need to be reviewed typically requires the involvement of various organizational groups. Examples include entity-level, control environment, endpoint protection, network monitoring, unauthorized activity prevention controls and more. During a SOC 2 audit, document collection, review, and discussion can take several weeks from start to finish to demonstrate evidence of secure controls and perform the audit. The basic list below demonstrates the importance of starting your assessment preparation early as many different areas of your company will be involved and held accountable for providing their information.
For the requirements listed below, you will need to involve your human resources department:
- Organizational charts
- New hire processes
- Employee handbook
- Background checks
- Reporting relationships
- Service-level agreements (SLAs)
For other areas of the SOC 2 audit, the requirements will be the responsibility of your IT team, such as:
- Shared network drives
- Change approvals
- Master list of system components
- User access to systems
- VPN authentication
- Anti-virus software
- Network authentication and configuration
Many of your organization’s cybersecurity standards, settings and processes will also be evaluated, including:
- Information security policies
- The security of your company website
- Monitoring tools
- Incident response policy
- Risk assessment policy and risk assessment
- Network diagram and firewalls
- Encryption settings
- Internal controls matrix
- Third-party and vendor policy and assessment
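The “user access to systems” item above is one of the areas an auditor will sample and test rather than simply read about. As an added illustration (written for this page, not A-LIGN’s tooling or any specific auditor’s test script), the following Python check reproduces the kind of user-access review that produces that evidence: it compares an HR roster against an export of system accounts and flags terminated employees whose accounts are still enabled, accounts with no HR owner, privileged accounts without MFA, accounts unused past a review window, and accounts that were disabled later than a deprovisioning SLA. The field names, the 90-day review window, the 3-day deprovisioning SLA and all of the roster and account records are constructed assumptions for the example.

```python
"""Added example: a user-access review check of the kind sampled under
the SOC 2 Security (Common Criteria) category. All data below is
constructed for illustration; field names and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class HrRecord:
    email: str
    status: str                          # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str                        # assumed to equal the HR e-mail address
    enabled: bool
    is_admin: bool
    mfa_enrolled: bool
    last_login: Optional[date]           # None = never logged in
    disabled_on: Optional[date] = None   # set when an account was deprovisioned


# Constructed sample HR roster and account export (not real people or systems).
HR_ROSTER = [
    HrRecord("alice@example.com", "active"),
    HrRecord("bob@example.com", "terminated", date(2024, 3, 1)),
    HrRecord("carol@example.com", "terminated", date(2024, 2, 10)),
    HrRecord("dave@example.com", "active"),
    HrRecord("erin@example.com", "active"),
]

ACCOUNTS = [
    Account("alice@example.com", True, True, True, date(2024, 5, 20)),
    Account("bob@example.com", True, False, True, date(2024, 4, 2)),            # left in March, still enabled
    Account("carol@example.com", False, False, True, date(2024, 2, 9),
            disabled_on=date(2024, 2, 20)),                                     # disabled 10 days after leaving
    Account("dave@example.com", True, True, False, date(2024, 5, 30)),          # admin with no MFA
    Account("erin@example.com", True, False, True, None),                       # never logged in
    Account("svc-backup@example.com", True, False, False, date(2024, 1, 15)),   # no HR owner
]

AS_OF = date(2024, 6, 1)   # review date; also constructed


def review_access(hr: Sequence[HrRecord], accounts: Sequence[Account], as_of: date,
                  stale_days: int = 90, deprovision_sla_days: int = 3) -> Dict[str, List[str]]:
    """Return the exceptions an access review would report, keyed by finding type.

    Each value is a sorted list of usernames so the output is stable evidence."""
    hr_by_email = {r.email.lower(): r for r in hr}
    findings: Dict[str, List[str]] = {
        "terminated_still_enabled": [],   # offboarding control failed
        "orphaned": [],                   # account with no HR owner (service/shared accounts need a documented owner)
        "admin_without_mfa": [],          # privileged access without strong authentication
        "stale": [],                      # enabled but unused past the review window
        "late_deprovisioning": [],        # disabled, but later than the SLA allows
    }
    for a in accounts:
        rec = hr_by_email.get(a.username.lower())
        if rec is None:
            findings["orphaned"].append(a.username)
        elif rec.status == "terminated":
            if a.enabled:
                findings["terminated_still_enabled"].append(a.username)
            elif (a.disabled_on is not None and rec.termination_date is not None
                  and (a.disabled_on - rec.termination_date).days > deprovision_sla_days):
                findings["late_deprovisioning"].append(a.username)
        if a.enabled and a.is_admin and not a.mfa_enrolled:
            findings["admin_without_mfa"].append(a.username)
        if a.enabled and (a.last_login is None or (as_of - a.last_login).days > stale_days):
            findings["stale"].append(a.username)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, users in review_access(HR_ROSTER, ACCOUNTS, AS_OF).items():
        print(f"{kind}: {', '.join(users) if users else 'none'}")
```

Run against the sample data, the review flags bob (terminated but still enabled), svc-backup (no HR owner and unused for over 90 days), dave (admin without MFA), erin (never logged in) and carol (disabled 10 days after termination). In a real review the HR export and the account export would be pulled from their systems of record on the review date, and the output, together with the tickets that resolve each exception, is the evidence an auditor samples.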
7. What are some tips for companies as they prepare for an audit?
Before beginning the SOC 2 audit, it is important that your organization is well-prepared, to avoid delays in the assessment or additional costs. To ensure you earn the SOC 2 report in a timely manner, consider following a few basic guidelines:
- Stay up-to-date on standards
- Review recent changes in organizational activity
- Create a timeline and delegate tasks
- Review prior audits (if applicable)
- Organize data and gather evidence ahead of fieldwork
- Review requests and ask questions
- Evaluate results
8. How do I select the right audit partner?
Ensure your audit partner has the right qualities and they:
- Are licensed
- Undergo audits themselves
- Are properly staffed
- Respond within 24 hours
- Offer premium audit software
- Provide a comprehensive suite of services
Next Steps
When beginning the SOC 2 compliance journey it is important to engage a professional and certified auditing firm to work with you.
Do you still have questions regarding a SOC 2 audit and report? Let our SOC 2 experts guide you through the process.
As a licensed CPA firm and one of the top issuers of SOC 2 reports in the world, A-LIGN has the people, process, and technology you need to help your organization reach the summit of your potential as it pertains to compliance.