What is a SOC 2?
SOC 2 (System and Organizational Controls) was developed by the American Institute of Certified Public Accountants (AICPA) and produces an examination report based upon the AICPA’s AT-C Section 205 and selected Trust Services Criteria (formerly known as Principles). In plain English, the SOC 2 report is an audit report written based upon predefined criteria related to security, availability, confidentiality, processing integrity and/or privacy.
Who Should Get a SOC 2?
Almost any organization can get a SOC 2 report, however, we’ve found that the following business types are most common:
- Cloud Service Providers
- SaaS Providers
- IaaS Providers
- Outsourced IT Services
- Healthcare IT Platform Providers
How Often Do Businesses Get a SOC 2?
The frequency is driven by the businesses’ customers’ requirements. Typically, businesses receive audits and updated reports on an annual basis.
Is SOC 2 a Certification?
Contrary to popular belief, a SOC 2 examination is not a certification, but rather an examination that states whether specific criteria were met at a given point or period of time.
Trust Services Criteria
There are five different Trust Services Criteria (formerly known as Trust Services Principles) to chose from to have included within your report. The five Criteria are Security, Availability, Confidentiality, Processing Integrity and Privacy. Selecting the correct Principles for your report involves some art and some science. The selection relates to the types of services that you offer, the commitments that you make to your customers as well as what your customers want to have assurance of you performing.
The system is protected against unauthorized access (both physical and logical).
The Security Criteria is inherent to all of the Trust Services Criteria as it is comprised of nine common criteria that are also evaluated for Confidentiality, Availability and Processing Integrity. If you are getting a SOC 2 report, then it will minimally contain the Security Principle.
Information designated as confidential is protected as committed or agreed.
The Confidentiality Criteria is selected when your company obtains access to your customer’s confidential information as part of the services that you perform. One of the main review areas for this Criteria are related to having an information classification program, a data retention policy and following data disposal procedures.
The system is available for operation as committed or agreed.
The Availability Criteria is selected when your company has significant commitments to the availability of its services to your customers. Review areas include your company’s monitoring processes for system availability, your Business Continuity and Disaster Recovery Planning processes, data backup and restoration processes and the design and implementation of a resilient system design.
System processing is complete, accurate, timely and authorized.
The Processing Integrity Criteria is selected when your company processes transactions on behalf of your customers and they have an interest in the completeness, accuracy and timeliness of your transaction processing services. Review areas are typically tailored to the types of transactions that you are processing on your customer’s behalf, and will typically include inputs to the system, processing steps performed by the system and system outputs.
Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Acceptable Privacy Principles (GAPP).
The Privacy Criteria is selected when your company collects Personally Identifiable Information (PII) from users of its services. As this Principle aligns with GAPP, it is approached in a very different manner than the other Principles. One of the common misconceptions in wanting to select Privacy is that the scope of the Principle is intended to address data that your company collects directly from individuals. If your company is receiving PII from your customer (that is a business), then the PII is considered confidential information and is more appropriate to be reviewed using the Security and Confidentiality Criteria.
The correct report for your company depends on the needs of your customers. Active consultation with your customers and auditor allows you to select the best option to meet their needs.
Should I chose a Type 1 or Type 2 SOC 2?
What is a SOC 2 Type 1?
A SOC 2 Type 1 report is an examination performed as of a specific point in time. We think of this as something like taking a picture of the family at a holiday. Once you wrangle all of the kids into one place and pose them, you can just keep taking the picture until everyone happens to be smiling. It’s often the starting place for companies going through SOC 2 for the first time and helps to set the stage for the Type 2 examination.
What is a SOC 2 Type 2?
A SOC 2 Type 2 report is an examination performed over a period of time. Going back to the picture analogy, instead of taking a posed picture, you would instead take a video of everyone posing which would allow you to identify who was making funny faces. This provides a much higher level of assurance to your customers and is most likely what they are expecting when asking you for your SOC 2 report. As a service organization, we have found that the biggest leap between the Type 1 and Type 2 reports is the ability to document and evidence what the service organization is doing in a way that it can be reviewed afterward.
What’s the best Type for me?
At the end of the day, it really boils down to what your customer requires you to get. We’ve generally found that a Type 2 is the ultimate destination and about half the time, a Type 1 will be a stop on that journey. We do have a few clients that stick to the Type 1 report, however, that’s more the exception than the rule. Read more in our blog post about it.
Our professionals have years of experience in both preparing companies for and performing SOC 2 audits. We are able to walk you through the entire process from start to finish to help achieve results that are representative of how you do business.
We are able to assist through each step of the audit process:
- Conduct a pre-assessment to identify areas that may need improvement prior to your audit
- Assist you with interpreting your customers’ assurance needs and determine what (if any) reports would be appropriate to pursue
- Perform the audit and arrange for the delivery of the final report from a licensed CPA firm
The Audit Experience
We aim to make the audit experience as pain free as possible for you. Our professionals will work with you to customize our process to help you meet the needs of your business.
- Once engaged, we will work with you to determine your needs for timing and schedule our activities accordingly. The audit fieldwork process typically takes about 2-3 weeks from start to finish, with our draft report being issued about 3-4 weeks after fieldwork has started.
- Prior to our visit, we will talk through the audit with you to make sure that your expectations are set, and we will send an initial information request list that will allow us to be prepared for our onsite visit. We have found that clients who do their best with this initial information request have a much quicker and easier on site visit than those who do not.
- A large portion of our work can be completed during a 1-2 day trip to your primary business location. During the visit, we will need to speak to process owners for each of the areas within scope of the report and have time to walk through and understand your business and IT processes.
- After our visit to your business location, we continue working on your audit remotely by documenting our visit, asking follow up questions and gathering additional audit evidence from you (if needed).
- Once we have completed fieldwork, your report will then go through our quality control processes and quality control processes at a licensed CPA firm. Once that is complete, the CPA firm will send you a draft of the report for your review.
How Much Does a SOC 2 Cost?
Without discussing your business with you, it is very difficult to provide an accurate price estimate that will meet your business’s requirements for its audit. However, everyone is always curious about what price should be expected for a quality audit to be performed by professionals, so we have made a few assumptions geared towards smaller businesses to come up with the below costs. Please keep in mind that these are not quoted prices for your business, but if you fit into many of the assumptions we have made, they will typically be accurate.
- One business location is in scope, and that location is within the continental United States (not in a high hotel cost location)
- One to two major business processes are in scope
- Less than 100 employees
SOC 2 Prices
The prices below are based upon the scope assumptions noted above.
- Type 1 – $16,900 for the Security Principle
- Add Availability or Confidentiality for $2,200 each
- Add Processing Integrity or Privacy for $4,300 each
- Type 2 – $20,900 for the Security Principle
- Add Availability or Confidentiality for $2,700 each
- Add Processing Integrity or Privacy for $5,500 each
- Pre-Assessment – $11,000 (incremental to the audit cost)