Today’s business climate is a balancing act in which companies are forced to juggle a dizzying array of priorities. Since 2011, one of these priorities has been the growing demand that service organizations and other entities obtain Service Organization Control (SOC) reports based on standards set forth by the American Institute of Certified Public Accountants (AICPA). Just what are they, and is it really necessary to go through the process of obtaining a SOC report on a regular basis?
It is no secret that data security is vital, particularly for companies that store the sensitive information of clients or other businesses. In essence, security and compliance in this arena are what SOC reports are all about. While a SOC 1 report delves deeply into a company’s financial transactions, SOC 2 takes it a step further by shining a light on the security that underpins those finances. The SOC 2 Type 2 report can cover any or all of the following five principles or criteria: security, availability, processing integrity, confidentiality and privacy. SOC 2 compliance is more flexible than that required by other frameworks such as PCI DSS or HIPAA. As a result, each individual company can decide which of those topics is important to its mission and its customers and can then write its own controls to meet the requirements. In short, when a company receives an unmodified opinion on a SOC 2 report, the auditor is staking their reputation on the claim that the business can be entrusted with data and is a secure host. This attestation by an industry-respected professional such as a CPA provides the audited company with credibility and can be vital to cultivating a positive reputation that ultimately leads to stability and growth.
SOC 2 Type 1 vs SOC 2 Type 2
There is a good deal of confusion around SOC 2 Type 1 vs SOC 2 Type 2. The best way to distinguish between SOC 2 Type 1 and SOC 2 Type 2 is in terms of time. The Type 1 report is designed to speak to the fairness of the way a company designs, describes and implements its internal controls as of a specific date. While the information covered in a SOC 2 Type 2 report is similar, it covers a specific segment of time, usually a 6-month review period. It should, however, be noted that initial SOC 2 Type 2 reports cover shorter time spans. Organizations wishing to provide assurance about their security over several years may opt for a Type 1 report, particularly on a one-time basis. Subsequently, a SOC 2 Type 2 report is generally obtained annually.
Do you need to conduct a SOC 2 Report?
Clearly, a SOC 2 Type 1 or Type 2 report requires an investment of money and time, and you might therefore be wondering if going through the process is worth all of the hassle. To come to the answer that is right for your organization, ask yourself the following questions about your company:
- Are you an organization or service provider that stores, processes or transmits any type of data?
- Is your company’s reputation and credibility important in terms of gaining new clients and keeping existing ones?
- Are you prepared to provide your clients with access to written assurance that your firm has the internal controls in place that will protect their valuable data?

For most service organizations, working with a CPA or other authorized party to obtain a SOC 2 Type 2 report is one of the best ways to comply with such a request from an existing or potential client or even a member of the public.
What to expect in your SOC 2 Report
Once you have completed the SOC 2 Type 2 audit process, you can anticipate that it will take anywhere from two to five weeks for the CPA to complete the document. The person who audits you and prepares your report will be using a set of standards formerly known as an SSAE 16 SOC 2 report. This SSAE 16 SOC 2 Type 2 report, now known as an SSAE 18 report, will be broken down into seven sections:
• Assertion. This portion answers the question of whether the set of systems you have put in place is fairly represented in the report and if it meets the AICPA trust standards you have specified.
• Independent service auditor’s report. This section gives the auditor’s opinion of how well your controls adhere to the trust standards.
• System overview. This portion of the report contains a description of your service organization, including a summary of your data security controls and why you need them. Your location and the industry in which you operate will also be detailed.
• Infrastructure. This part of the report gives a detailed accounting of the people, software, technology, processes, policies and data you deal with. If you outsource to a third-party provider, information about that company is included here.
• Relevant aspects of the control environment. This section contains descriptions of the information systems, risk assessment policies and processes, and monitoring strategies that your company has put in place.
• Complementary user-entity controls. This section spells out how you are implementing your controls.
• Trust service principles, criteria-related controls and tests of controls. In this last section, the auditor describes your system of controls and its effectiveness as it pertains to the relevant trust principles.
Although people often talk about getting a “passing grade” on a SOC 2 report, that is not actually how it works. In reality, the auditor provides an opinion about whether your company adheres to the trust principles you have specified as relevant to your mission. If the auditor’s opinion agrees with your management’s assertion, your company will be given a “clean” or unmodified opinion that you can be trusted with the storage and transmission of sensitive data. In essence, this type of reporting provides just the official rubber stamp that your organization may need.
Companies both small and large have been rocked in recent years by disruptive and highly damaging data breaches. If clients entrust their data to your organization, it is crucial that you do everything you can to protect their information. Obtaining a SOC 2 Type 2 audit from an independent auditor with a stellar reputation can go a long way toward helping you to build and maintain the trust of your all-important customers. There is no time like the present to begin taking steps to safeguard your firm and its precious stakeholders.