What is SOC 2?
Great question. First, you should know that there are multiple “SOC” audits: SOC 1, SOC 2, and SOC 3.
- SOC 1—Reports on the effectiveness of a service organization’s internal controls as they relate to financial reporting.
- SOC 2—Reports on a service organization’s Trust Services Criteria—security, availability, processing integrity, confidentiality, and privacy. These criteria reference the security, availability, and processing integrity of an organization’s systems and the confidentiality and privacy of data processed by those systems. The security requirement is always included; however, the other four criteria are optional and based on your specific organization.
- SOC 3—Reports on a service organization’s Trust Services Criteria, not unlike SOC 2, but can be openly distributed.
While a SOC 3 assessment isn’t usually a contractual obligation, it gives an organization the option to publicize its security efforts. SOC 1 and SOC 2 reports are for an organization’s current customers to verify security, whereas a SOC 3 report can be distributed to anyone (and can even be published on a website). Preparing for and completing a SOC 3 assessment mirrors the SOC 2 process, but the reporting requirements differ: a SOC 2 report includes the auditor’s tests of controls and their results, whereas a SOC 3 report does not.
Since this article is about SOC 2, let’s talk more about what makes it important.
Why is SOC 2 Important?
As I mentioned, SOC 2 assessments are specific to service organizations—namely, service organizations that handle sensitive customer data. Because these organizations are handling sensitive data, it’s important they implement security measures to protect that data—both for the safety of their customers and clients, as well as the integrity of their businesses. Beyond that, we’re seeing many more organizations make SOC 2 a contractual obligation. Their vendors are required to present a SOC 2 report in order to work with them. In fact, that may be why you’re reading this article. If it is, don’t be afraid. SOC 2 might seem intimidating at first, but once you’ve successfully completed your audit, it will become a major asset.
How to Prepare for a SOC 2 Audit
There are four major steps you should follow to prepare for a SOC 2 audit. (You can even start the first one today.)
- Find a reputable CPA firm. “Wait a minute. I thought SOC 2 focused on information security. Why are you telling me to find a CPA firm?” Great question. The AICPA (American Institute of Certified Public Accountants) developed the SOC 2 framework, so your auditor will have to be a CPA firm to issue a SOC 2 report. Technically, any CPA firm can issue one. But not every CPA firm can do it the right way. Because SOC 2 focuses specifically on security, you want a firm that understands security and the ins and outs of the AICPA guidance. So, in this case, a “reputable” CPA firm should meet as many of these qualifications as possible:
  - You have a trusted relationship with them.
  - They have a large information security practice.
  - They demonstrate information security thought leadership by regularly publishing content on relevant information security topics.
  - They hold the AICPA’s Cybersecurity Advisory Services Certificate.
  - They have extensive experience with SOC 2 reporting.
- Work with the firm to develop a deeper understanding of SOC 2. Talk to your chosen firm about which criteria should be in your report. There are five. Below, I provide the official text of each, followed by a “translation” in plain English.
  - Security: “Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”
    Translation: Are information and systems appropriately secured? This criterion is included in every SOC 2 assessment and is not optional.
  - Availability: “Information and systems are available for operation and use to meet the entity’s objectives.”
    Translation: Are information and systems appropriately available for use (i.e., are they reliable)?
  - Processing integrity: “System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”
    Translation: Is information processed appropriately by your systems?
  - Confidentiality: “Information designated as confidential is protected to meet the entity’s objectives.”
    Translation: Is confidential information adequately protected?
  - Privacy: “Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.”
    Translation: Is personal information adequately protected?
It is common to confuse the privacy and confidentiality criteria. The difference is that privacy controls protect personal information (name, social security number, address, etc.), whereas confidentiality controls protect non-personal data that is nonetheless classified as “confidential.”
The most important thing to know is this: the criteria you’re assessed against should make sense for the services you provide. At the end of the day, the CPA firm must issue an opinion on the effectiveness of controls suited to your operational environment, so they should verify that the criteria they’re assessing you against make sense for the services you provide.
- Perform a full readiness assessment with the firm you select. During this process, the firm will educate you on the requirements of all the framework’s criteria and help you understand any control gaps your organization has related to those criteria and their points of focus. A point of focus (POF) offers considerations and guidance for a criterion. POFs are not requirements; rather, they clarify the criteria and assist an organization as it designs its controls.
In short: A firm will work with you to help you understand the controls you’ll need to implement to receive a favorable report.
It’s important to know that your organization must create the controls. While the CPA firm can provide guidance around the types of controls you’ll need, they can’t create any controls for you. The end result of the readiness assessment is essentially a report that says something to the effect of: “Here are the controls that would be in your SOC 2 report. Here is how they map back to each criterion relevant to your business. And, here is where you have gaps that need remediation.”
Note: If this is your first SOC 2 assessment, you will almost definitely have a fair amount of control gaps and areas to remediate.
- Engage the CPA firm for a complete SOC 2 audit. Remember how there are multiple types of SOC audits? Well, to further complicate things, there are also multiple types of SOC 2 audits. Here they are:
  - SOC 2, Type I: Reports on the design effectiveness of controls at a specific point in time.
  - SOC 2, Type II: Reports on both the design and operating effectiveness of a control environment over a period of time (a minimum of 6 months, and usually 9 months to a full year).
  A Type I audit is generally used as a stepping-stone to a Type II audit. So, what does the audit process actually look like? It varies by firm, but there are a few things you can count on:
  - There’s going to be an on-site visit. Someone from the CPA firm (the assessor) will visit your facility to review evidence for the controls you’ve implemented to meet the trust services criteria applicable to your organization. This generally occurs toward the end of the assessment period. So, if your assessment period ends in December, the on-site visit will likely occur during November and/or December. The assessing firm will perform testing that covers the entire reporting period to ensure your controls have been operating effectively the whole time. So, while they may only be on-site toward the end of the audit period, their testing will cover the entire audit period (if you’re receiving a SOC 2, Type II report). During this on-site visit, their goal is to test the controls you have defined and make sure they effectively address the requirements and criteria of the SOC 2 framework.
  - Management will need to present an accurate description of controls. Remember—the CPA firm is not responsible for helping you implement controls—only for assessing them. Therefore, in the report, your company’s management is responsible for presenting an accurate description of the control environment.
  - The CPA firm will issue a report after your report period’s end date. This is important. Regardless of when your assessment is completed, you won’t receive your report until after the assessment period’s end date (generally 45 to 60 days later). In this report, the CPA firm issues its opinion on the design (SOC 2, Type I) or the design and operating effectiveness (SOC 2, Type II) of your organization’s control environment.
Other Things You Should Know About Your SOC 2 Audit
Here are some of the other things you should know before getting into your audit.
- Compliance is not quick. It takes a lot of time and effort. Resist the urge to view it as a short-term project. Take a long-term approach. Achieving SOC 2 compliance will improve your organization’s security and help you become a better steward of customer data. The requirement for strong information security controls isn’t going anywhere. Play the long game. Build a strong foundation that will help you for years to come.
- Be completely honest during the readiness assessment. Sometimes, organizations going through the readiness process don’t tell the whole truth. Or, the CPA firm doesn’t do enough to confirm that the control would actually work. So, be completely honest with the CPA firm—because if they know there’s a gap, they can help you understand how to fix it. But, if they don’t know there’s a gap—you’ll be in for an unpleasant surprise when it’s time for your real audit.
- Exceptions are not the end of the world. An exception communicates something along these lines: “Yes, there were issues here. But, overall, the company is still meeting the objective of the framework.” Exceptions should not be viewed as catastrophic; it’s very rare for a report to have no exceptions at all. Do what you can to avoid them, but don’t view them as the sky caving in on your business. What you really want to avoid are these:
  - Qualified Opinion, which effectively says, “Everything looks good, except for (insert large area of control gaps).”
  - Adverse Opinion, which effectively says, “This company isn’t doing what they’re supposed to be doing. Buyer beware.”
- Policies are simple. Implementation is hard. It’s easy to write a policy, but it’s hard to actually implement it and make sure the process is followed. While paperwork is a good place to start, make sure your controls exist in real life—not just on the page.
- Self-monitoring is valuable. Self-monitoring is when you test your own controls. The goal is to ensure that, when the assessor performs testing, you won’t be surprised by the results. This is a challenging process, but it can give you a great indication of how your control environment is functioning before the assessor comes in.
- If your control environment changes, understand what those changes are, and make sure your CPA firm understands that, too. For example: If you know there are certain old systems that will be replaced before the end of your audit period, alert your CPA firm, so they can audit those systems before they’re gone forever.
Successfully completing a SOC 2 audit is no small feat. But, doing so can give your clients and your customers a new level of respect for your business.
Our hope is that this provides some clarity around completing a SOC 2 audit so that if (or when) you go through one, you know what to expect. If you want to learn more about how LBMC Information Security can help you complete your SOC audits, contact us.