top of page

SOC 2

SOC_CPA_Blue2.png
What is SOC 2?

A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

​

There are two types of SOC 2 reports that can be issued:

A SOC 2 Type 1 report attests to the design of your controls at a point in time.  This is a valuable tool to get a SOC 2 report available to your business faster, and gauge your readiness for a SOC 2 Type 2.

There are five (5) Trust Service Criteria that can be included in the scope of your SOC 2 Report:

  • Security (Common Criteria)

    • The Security Trust Service Criteria or Common Criteria as it is often referred, is the only one of the five Trust Service Criteria that is required in a SOC 2 report.  The Security criteria includes controls that protect information and systems from unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.

  • Processing Integrity

    • The Trust Service Criteria Processing Integrity is an optional criteria to include in your report that provides customers comfort that system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

  • Availability

    • The Trust Service Criteria Availability is an optional criteria to include in your report that provides customers comfort that information and systems are available for operation and use to meet the entity’s objectives.

  • Confidentiality

    • The Trust Service Criteria confidentiality is an optional criteria to include in your report that provides customers comfort that information designated as confidential is protected to meet the entity’s objectives.

  • Privacy

    • The Trust Service Criteria privacy is an optional criteria to include in your report that provides customers comfort that Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Why get a SOC 2?

A SOC 2 report is an effective mechanism for communication with your customers showing them your commitment and effectiveness to the reliability of your service, and commitment to the protection of their data.  Additionally, a SOC 2 is a great sales enablement tool that can often be the difference in completing a sale.

What to expect from a SOC 2 Audit?

  • Step 1: Scoping

    • A SOC 2 attestation is a voluntary assessment so you, as the service provider, get to determine the scope.  This will be audited to ensure it is communicating your service accurately to your stakeholders, however determining the scope is up to the service organization to define.

  • Step 2: Internal Preparation

    • A successful SOC 2 audit will require the service organization to implement and document policies, procedures, and controls that address the control criteria outlined by the SOC 2 framework.  These policies, procedures, and controls will be the evidence that gets audited by your auditor.

  • Step 3: Auditor Selection & Coordination

    • Selecting the right auditor is crucial to a successful SOC 2 environment.  There are audit firms of all sizes, and doing your due diligence in your selection process is vital.  Once an auditor is selected, you will work through logistics with them such as audit timing, initial request list coordination, and walkthrough coordination.

  • Step 4: Audit Fieldwork

    • Audit fieldwork is the agreed upon timing of when the auditor will come in and perform their audit procedures.  The auditor will provide an information request list that will need to be fulfilled by the service organization, conduct walkthroughs for design effectiveness testing, and select samples for operating effectiveness testing.

  • Step 5: Reporting

    • After fieldwork is completed, the auditor will provide a draft report for review.  If there are any exceptions identified in testing, the service organization will have to respond to those exceptions in this phase prior to the final report being issued.

bottom of page