What is a SOC 2 Report? Expert Advice You Need to Know
BY ROB PIERCE, PARTNER | CISSP, CISA ON JANUARY 16, 2019
In this article, we will cover some common questions that come up related to SOC 2 reports. SOC 2 compliance does not have to be difficult although with some of the terminology, it can initially be confusing. So what are SOC 2 reports and examinations? Let’s dive in!
What is SOC 2 Certification or Attestation?
While there is no such thing as a SOC 2 certification, many still refer to a SOC 2 certification. One of our clients recently received a request from a prospective client asking whether they were a SOC 2 certified data center. Our client, being more savvy than most, said, “We don’t have a SOC 2 certification. We have a SOC 2 attestation.” Our client’s prospect, or user organization, in SOC language, wanted to hop on a call to discuss.
The prospect was considering backing out of the deal because our client was not SOC 2 “certified.” We joined on the call and told our client’s prospect that our client did in fact have a SOC 2 report, but they were not SOC 2 “certified.” The prospect then said, “oh, so you are SOC 2 certified” and the deal moved forward. We laughed afterwards with our client because our client’s prospect could not grasp the terminology.
What is a SOC 2 Report?
SOC 2s differ from some other information security standards and frameworks because there is not a comprehensive list of “thou shalt” requirements. Instead, the AICPA provides criteria that can be selected by a service organization to demonstrate they have controls in place to mitigate risks to the service they provide. This can be a bit annoying for some first time clients since there isn’t one right answer for how to address the applicable criteria. Instead, a good auditor’s job is to identify what is already being done by their clients to meet the applicable criteria. In some cases, there are gaps and clients must implement new controls. In other cases, existing controls need to be tweaked slightly to better address the criteria. Our goal is for our clients to meet the criteria selected, but to create the least impact and additional overhead when remediating controls as possible.
SOC 2 reports are considered attestation reports. For a SOC 2 attestation, management of a service organization asserts that certain controls are in place to meet some or all of the AICPA’s SOC 2 Trust Services Criteria (TSC). Management also selects which of the five TSCs best address the risk of the services provided by the service organization.
See the AICPA page related to attestation reports for more information.
When a service organization completes a SOC 2 report, the report contains an opinion from a CPA firm that states whether the CPA firm agrees with management’s assertion. The opinion states that the appropriate controls are in place to address the selected TSCs and the controls are designed (Type I report) or designed and operating effectively (Type II report). In many cases, the opinion is positive and the CPA firm agrees with management’s assertion. In other cases, the CPA firm does not agree with management’s assertion and provides a qualified or adverse opinion. See past blog post on qualified opinions.
What Does SOC 2 Stand For?
A SOC 2 is a System and Organization Control 2 report. There are three types of SOC reports. See this AICPA whitepaper comparing the reports. Some companies struggle with the differences between SOC reports, and whether they should get a SOC 1, SOC 2, or SOC 3. We start by asking prospective clients about the type of clients and stakeholders asking for the report as well as the type of services provided to clients. This allows us to assess whether prospective clients may impact the internal controls over financial reporting (ICFR) of our prospective clients’ user organizations.
If a service organization can impact the ICFR of its user organizations, a SOC 1 report may be the best report option. If a service organization cannot impact its user organizations’ ICFR, but they can impact the security, availability, processing integrity, confidentiality, or privacy of their user organizations, then a SOC 2 may be the best report for the service organization’s clients.
SOC 2 Report Structure
The SOC 2 report structure is similar to a SOC 1 report structure, which we outlined in our SOC 1 article, and consists of:
Who Needs a SOC 2 Report?
Service organizations that do not materially impact the ICFR of their user organizations, but do provide key services to user organizations may need a SOC 2 report.
SOC 2 Report Example
Many companies outsource IT infrastructure to service organizations, such as data centers and cloud hosting providers (e.g., Amazon’s AWS). What do these service organizations do to prove to clients and stakeholders that they are adequately protecting their servers and sensitive data? Service organizations receive SOC 2 reports to demonstrate they have certain controls in place to mitigate security, availability, confidentiality, processing integrity, or privacy risks. A SOC 2 report will include a CPA firm’s opinion on controls design and potentially operating operating effectiveness over a period of time.
Using AWS as an example, many companies use AWS and request assurance from AWS that there are controls in place to mitigate the risk of AWS’ systems and data being compromised. AWS could attempt to provide different answers to every single client that asks security related questions, but that would take too much time. Instead, AWS has selected an independent CPA firm to perform a SOC 2 examination (among many other AWS compliance exams). Then, rather than respond to all the questions regarding AWS’ security posture, AWS provides its SOC 2 report, which answers many of the common questions asked by its user organizations related to security, availability, confidentiality, processing integrity, and privacy.
Learn more in our article, Leveraging the AWS SOC 2: How to Build a SOC 2 Compliant SaaS.
What is SOC 2 Compliance? The Trust Services Criteria (TSC)
A service organization should choose the SOC 2 TSCs that mitigate the risk of their user organizations use of the service organization’s services. At a minimum, SOC 2 reports must include the Security or Common Criteria. The other TSCs can be added depending on the needs of user organizations.
Recently we had a prospective client say they wanted all of the TSCs included within their report because they wanted it to be the strongest report possible. Unfortunately, not all TSCs may apply to a particular client’s service. For example, if your company does not process transactions, processing integrity is probably not applicable. I’ve heard of firms including TSCs when they are not applicable within a report and then explaining why they are not applicable within the report. That’s not advised. Your best bet is to select criteria that is applicable to your services and answer the questions you hear most from your clients and prospective clients.
The Trust Services Criteria are noted below:
Other Common Questions About SOC 2 Reports
Is There a SOC 2 Checklist?
There is no checklist, but the AICPA’s SOC 2 criteria can be obtained and reviewed. So how do you get it? You can buy it from the AICPA or contact us for a consultation. The criteria contains requirements related to each of the TSCs outlined above. The requirements may be met in a variety of ways, so there is not a one size fits all checklist for SOC 2 compliance. It is dependent on the services provided by a service organization. The SOC 2 criteria is also going through an update. See our blog post on the updated SOC 2 criteria which now more closely aligns with COSO.
Should You Get a SOC 2, Type 1 or Type 2 Report?
SOC 2 reports can be Type 1 (aka Type I) or Type 2 (aka Type II) reports.
SOC 2 Type 1 reports reports are as of a particular date (sometimes referred to as point-in-time reports) that include a description of a service organization’s system as well as tests to help determine whether a service organization’s controls are designed appropriately. They test the design of a service organization’s controls, but not the operating effectiveness.
SOC 2 Type 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test the design and operating effectiveness of key internal controls over a period of time.
Learn more in our article, SOC Report Types: Type I vs Type II.
How Much Does a SOC 2 Report Cost?
SOC 2 examinations are not cheap and fees depend on a number of factors. Factors include the scope of services included within the report, the TSCs included, the size of the organization, and the number of in scope systems and processes. For example, if a company has 3 different patch management processes to ensure servers and workstations stay up-to-date, the auditor will need to gain assurance that each of those processes is designed operating effectively. Learn more in our article, How Much Does A SOC Audit Cost?
Who Can Perform a SOC 2 Audit?
Licensed CPA firms that specialize in information security audits are the only organizations that should perform SOC 2 examinations. There are some companies that perform SOC 2 audits and have a CPA firm sign off on their report even though the CPA firm did not perform the audit. We recommend staying away from that approach. We also recommend selecting a firm that has experienced IT auditors and not financial audit CPAs only. When selecting a firm to perform a SOC 2, we recommend asking for the resumes or bios for any of the auditors that will complete the work. Then, ensure the firm you select has auditors with the appropriate skills and expertise. Certifications such CISA or CISSP are good to look for. Also, check references and ensure the firm you select has experience in the field you are in.
Updated SOC 2 Guidance
On December 15, 2018, new SOC 2 guidance went into effect and all reports following that date must include the updated criteria. See our previous blog post related to the latest SOC 2 criteria update.