Data drives most of today's cloud-based organizations. If your company is one of the many enterprises that transmits, stores, manages, or otherwise handles data, whether for its own use or as a service to customers, you have also established a system of security controls to protect that information from data breaches, human error, and other damage stemming from unauthorized access.
The American Institute of Certified Public Accountants (AICPA) has recognized the importance of companies being able to demonstrate that the measures they have established are effective in securing this information. To that end, it developed an assessment framework known as the System and Organization Controls (SOC) report.
What is a SOC 2 Report?
There are three major types of SOC reports. SOC 1 assessments examine a company's financial transactions. SOC 2 reports go a step further and cover the security controls that support and protect those vital monetary transactions. A SOC 2 report can measure one or all of the following criteria, known as the trust service principles:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
This type of assessment allows a great deal of flexibility: a business determines which controls are relevant to its own organizational purposes and implements the security technologies, policies, practices, and procedures that address those priorities. The SOC auditor, a third-party contractor, issues an expert opinion on how well the controls address each of the selected criteria. When the auditor gives a firm a clean or "passed" certification, it means that, in the auditor's opinion, the business can be trusted as a data host.
The findings of a SOC 2 assessment frequently discuss sensitive systems, products, and security details. For that reason, this information is not shared outside the company. If you are looking for a broad overview of the findings that can be used for marketing purposes or shared far and wide, you might also want to request a SOC 3 report.
SOC 2: a Step-by-Step Approach
As you might imagine, the SOC reporting and compliance process is complex, which makes it difficult to say exactly how long it will take to complete. Every organization, however, will need to walk through the following steps of the timeline:
- Lay the groundwork
This vital first step involves conferring with stakeholders to decide which trust criteria will be contained in the assessment. In addition, you will determine which locations and systems are to be evaluated as well as the measures you plan to use to track your progress.
During this time, you will also confer with the members of your team who will take part in the reporting procedure, making sure that each of them understands their responsibilities and knows they will be held accountable for them. This portion usually takes anywhere from one to three weeks.
- Pre-audit gap analysis
Before your auditor enters the picture, it makes sense to get a preliminary idea of where your organization stands. To accomplish this readiness task, hire a gap analysis team to identify flaws in your systems that you can then remediate before the SOC 2 assessment is conducted.
Common gaps include weak password and other authentication policies, missing employee background checks, contracts, or agreements, and flaws in the core security policies that protect user and customer information. From start to finish, this can take anywhere from two to four weeks.
- Fix the identified issues
The time required for remediation varies widely depending on your management team's level of buy-in and the severity of the problems, but expect an average of one to two months.
- Gather what the auditor requests
Before the audit begins, the auditor sends a list of the resources and data the firm needs. Receive it early and give yourself enough time to gather everything; in most cases, this requires cooperation from numerous colleagues.
- Support the fieldwork
Work with the SOC auditor remotely and/or on-site to gather evidence about your company's services, systems, and security controls.
- Review the final report
Using the information gathered during fieldwork, the auditor prepares the final SOC report. The auditor also compiles and submits the administrative documents needed to meet AICPA compliance requirements and standards. Before the finalized document is sent for official review, you and your team will have a chance to read it and make comments. For most companies, this step takes anywhere from two to four weeks.
Safeguarding the information you hold and transmit for your customers is a serious business. SOC assessments are designed to give you a framework to ensure that the security controls you have put in place will actually be effective.
The SOC 2 reporting process does not end with the submission of the document or the release of the auditor's findings. Even if you pass with flying colors, you must put mechanisms in place to conduct internal audits that ensure continued compliance with the requirements you have set. Think of your audit findings as a guide that will help you prepare for the next assessment. Before you know it, the year will be up, and you will need to obtain another SOC 2 report.