We often find our new clients in a familiar position: an existing or potential customer, investor, or other stakeholder is demanding a SOC 2 report, and they need it fast. Unfortunately, the personnel within the organization have limited or no knowledge of what a SOC 2 report is or how to obtain one. This article provides an overview of the SOC 2, why you may need one, and the steps for obtaining a report.
Overview of SOC 2
A System and Organization Controls (SOC) report is a formal description of an organization’s service offering and the system of internal controls implemented at the organization to support that service offering. The report is examined by an independent CPA firm and accompanied by the CPA firm’s opinion on the fairness of the presentation of the description, the suitability of the design of the specified control activities, and in most cases the operating effectiveness of the control activities over a stated period. There are five types of SOC reports (visit our post discussing all five SOC reports here for more information), each governed by standards issued by the American Institute of Certified Public Accountants (AICPA). The AICPA codifies these standards as Statements on Standards for Attestation Engagements (SSAEs). The most recent publication affecting SOC reports is the 18th version, which is why SOC reports are sometimes referred to as SSAE 18 reports. In recent years, SOC 2 reports have become one of the most common methods for service-based organizations to demonstrate their internal control posture to stakeholders, and they are usually initiated via contractual requirements.
The SOC 2 is an internal control reporting framework intended for service organizations, that is, companies offering a service-based product such as a software as a service (SaaS) solution. Many organizations request a SOC 2 report from their suppliers, vendors, or partners as a component of the due diligence process to obtain relevant information regarding the handling of their data. The SOC 2 control framework is organized into preestablished criteria known as the Trust Services Criteria. The criteria are split into five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security category contains the baseline set of criteria common to each of the other categories and is generally required, whereas the remaining four categories are adopted at the discretion of the service organization’s management. An organization planning to undergo a SOC examination should select which categories are applicable to its service offerings and relevant to its users; an experienced CPA firm can assist in that effort.
Each SOC 2 category contains a standard set of control criteria that serves as the basis for the service organization’s system of internal control. The individual criteria are broad enough to allow flexibility in how the organization chooses to satisfy them, which is one reason the SOC 2 is such a popular reporting framework. Sufficient control activities should be designed, implemented, and operated consistently to satisfy each of the criteria the organization chooses to include within the scope of its SOC 2. The evaluation of these control activities forms the bulk of the independent CPA firm’s examination procedures, and the control activities and related test results are presented in a matrix format within the SOC 2 report.
Also included in a SOC 2 report is a narrative-based presentation called the “System Description.” The System Description can be lengthy and may be overwhelming for individuals who are not familiar with its contents. The good news is that the AICPA has also published criteria to guide the presentation of the System Description, which are codified in DC section 200. At a high level, the System Description contains detailed information regarding the organization, the services offered, the commitments the service organization makes to the users of the reported-upon system, and information regarding the components of internal control with respect to the system. The SOC 2 is fundamentally rooted in the concept of what the AICPA refers to as the entity’s Principal Service Commitments and System Requirements. These are the commitments the service organization makes to its broad base of users and the requirements determined necessary to fulfill those commitments. These commitments and associated requirements must be disclosed within the SOC 2 report and form the basis for the system of controls. While an experienced CPA firm should be able to assist in the presentation of much of this information, the content ultimately remains the responsibility of the service organization.
The content of a SOC 2 report and the specified control activities within the report are examined by an independent CPA firm, and the independent auditor’s report is included within the SOC 2. This independent validation is a large part of what makes SOC 2 reports so trusted within the industry. The examination process can include walkthroughs of procedures, inspection of evidence, and observation of control activities. The examination can span from one to many weeks, or even months, depending on the size of the organization and the complexity of the scope of the system being reported upon.
Who Needs a SOC 2 Report?
As previously mentioned, a SOC 2 report is designed to be obtained by service-based organizations as a mechanism to instill trust and confidence in relevant users of their service with respect to the security, availability, processing integrity, confidentiality, or privacy commitments the service organization makes. With advances in technology and the interconnectedness of modern business, it is increasingly important for organizations to evaluate the risks associated with vendors and business partners. A SOC 2 report is one of the most widely accepted platforms for an organization to demonstrate its internal control posture to users of its service. If your organization provides a service or platform through which you access, obtain, process, host, or otherwise interact with customer data, it is likely that you will be asked for a SOC 2 in the future. SOC 2 reports are not required by regulations or industry standards; however, they are increasingly becoming standard contractual clauses as a component of doing business.
Who Does Not Need a SOC 2?
The SOC 2 is designed to be obtained by a service organization for use by its customers and stakeholders. For non-service-oriented entities, other SOC reports are available, such as the SOC for Cybersecurity and SOC for Supply Chain. If your organization provides a service that is relevant to your customers’ internal control over financial reporting (e.g., transaction or claim processing, payroll services, collections, billing, benefit plans), a SOC 1 is likely more appropriate; these are often used and requested by the financial statement auditors of your customers. If your organization does not provide a service in which you make commitments regarding the security, availability, processing integrity, confidentiality, and/or privacy of your users’ data, then a SOC 2 may not be necessary. If you are still unsure whether a SOC 2 is right for you, please contact us for a free consultation.
How to Obtain a SOC 2 Report
To obtain a SOC 2 report, a service organization should first contact a CPA firm that provides SOC examination services. An experienced professional can walk through your specific needs and help set you up for a successful examination. The typical process for a first-time examination includes a readiness or gap assessment performed by the CPA firm, a reputable consultant, or competent internal personnel. During this readiness assessment, existing control activities are identified, a preliminary System Description is drafted, and any identified control gaps are communicated to organization management for remediation. We offer complimentary readiness assessment services to our clients to help ensure their examinations start off with a strong foundation. Following the readiness phase, the organization chooses between two types of reports. In a Type I examination, the CPA firm evaluates the fairness of the presentation of the description and the design of the controls as of a specific date. A Type II report is much more exhaustive because it also includes an evaluation of the operating effectiveness of the controls over a predetermined period known as the review period. We recommend that entities opt for a Type I examination their first time through the examination process, as it serves as a sound stepping stone before performing a full Type II and can help prevent negative disclosures in the report. Typically, a Type II report is the ultimate deliverable, as users of the report expect assurance that the controls presented also operate effectively.
The first step toward obtaining your SOC 2 is to contact an experienced CPA firm. Please contact us and we’d be happy to have a SOC 2 expert reach out to discuss your needs with a free consultation.
Conclusion
Receiving a request for a SOC 2 can seem daunting, particularly for fast-growing organizations with limited internal bandwidth or expertise. However, partnering with an experienced CPA firm that is focused on your specific needs can make all the difference and leave you feeling positive about the experience. At AssurancePoint we specialize in SOC reporting, and our experts have issued hundreds of reports. Please contact us and we’d be happy to set up a free consultation to discuss your needs.
Written By:
Dale Crump
Dale Crump is the Founder and Managing Partner of Assurance Point, LLC. Dale oversees a variety of attestation and advisory engagements within the information security, privacy, risk management, and compliance sectors.
He has broad experience across an array of internal control and risk management frameworks and specializes in SOC reporting, having contributed to the issuance of over a thousand high-quality reports in his career.
Dale is a licensed CPA and holds additional certifications including the CISSP, CISA, CIPP/US, CCSK, ISO 27001 Lead Auditor, and the Advanced SOC for Service Organizations credential. Dale is an active member of the AICPA, the Georgia Society of CPAs, ISACA, and the IAPP, among others. In his spare time, Dale is an avid outdoors enthusiast and Atlanta sports fan, and he enjoys spending time with his two kids.