SOC 2 is a compliance standard that covers how service providers handle customer data on the cloud. SOC 2 was developed by the AICPA, and a SOC 2 report can only be issued by a licensed CPA.
SOC 2 compliance isn’t strictly required by law, but it does provide customers with proof they can trust your business with sensitive data. In fact, many enterprises won’t do business with a cloud services provider that isn’t SOC 2 compliant.
The point of SOC 2 compliance is to assure customers and other stakeholders they can trust your company to keep their data secure. Because a SOC 2 audit is performed by an independent CPA, it offers outside proof that your business is trustworthy. It’s one thing to have a robust set of security policies and controls; through a SOC 2 report, an outside expert vouches that your business is, indeed, secure.
An SOC 2 report itself can take up to twelve months to complete, and remains valid for another twelve months. As soon as one years’ report is finished, it’s time to begin work on the next one. For this reason, SOC 2 compliance is not so much a one-and-done report as it is an ongoing standard that an organization must continually audit for.
SOC 2 offers an open-ended set of criteria on which to evaluate a business; it’s not a prescriptive set of rules that a company must implement to be compliant. For example, SOC 2 requires companies have access controls in place to protect sensitive data. It doesn’t matter whether a company implements mandatory access control or role-based access control: as long as the controls are robust enough to meet the AICPA’s standards, it’s up to the company how they want to handle things.
There are two types of SOC 2 reports:
- A SOC 2 type I report provides a snapshot of your company’s security at a specific point in time.
- A SOC 2 type II report takes six to twelve months to complete, and better represents your company’s ongoing security practices.
As you might expect, a type I report can be done more quickly, and typically costs less. But a type II SOC 2 report offers customers and stakeholders stronger proof that your company maintains a robust set of security practices to protect sensitive data.
The Five Trust Services Criteria
In a SOC 2 report, the auditor evaluates a company based on one or more of the AICPA’s five trust services criteria: security, availability, processing integrity, confidentiality, and privacy.
- Security describes a company’s ability to protect data and systems from unauthorized access. It is the most commonly evaluated of all the trust services criteria.
- Availability entails how much of the time the service performs as intended. This means that the service is not only usable, but meets the expectations a company sets in contracts with clientele. If it takes ten minutes to load the service, for instance, that may be considered an unacceptable level of availability, even if it is still technically usable.
- Processing integrity refers to the company’s ability to keep data from being manipulated or tampered with, and the service’s ability to function without errors or other mishaps.
- Confidentiality refers to the company’s ability to restrict access to and protect sensitive data.
- Privacy describes a company’s ability to protect personally identifiable information pertaining to their customers.
A SOC 2 report doesn’t have to cover all five trust service criteria. It’s all up to the business: many companies only want the audit to cover security, where others will ask for a SOC 2 report covering multiple criteria, and many will wish to demonstrate their compliance across all five.
SOC 2 Compliance Costs
A SOC 2 audit typically costs between $10,000 and $20,000. The exact number depends on a number of factors, including the scope of the report, the duration of the audit, and which of the five trust service criteria are being assessed.
The cost also depends on the business itself. A small business that handles customer data in a limited capacity will likely pay less than a complex enterprise that processes many types of highly sensitive customer data.
The cost of the audit itself only represents a small portion of the full costs involved in SOC 2 compliance. For many companies, the biggest cost will be in terms of hours’ worked on the part of company employees. To ensure success, you’ll have to make compliance a primary focus for a senior level employee. Over the course of the six or more months to complete an evaluation, that could be valued at $50,000 or higher.
Your company may also need to make significant changes to ensure it’s up to SOC 2 standards. That could mean purchasing new software, hiring a security firm, crafting new company policies, or implementing new training programs. Every single one of those costs time or money – or both. All told, SOC 2 compliance can cost a business north of $100,000 in direct and indirect expenses.
The SOC 2 Process: How to Attain Compliance
It isn’t easy to maintain SOC 2 compliance; if it were, it wouldn’t be such a big deal. A type II audit takes a minimum of six months to complete – and that’s not counting time spent getting ready. Below, we’ll walk you through each step in turn, from planning to following up.
Step 1: Assess and Plan
A SOC 2 audit alone can take twelve months and cost $20,000 – you don’t want to book one just to fail it outright. As a first step, you need to seriously assess your company’s policies to make sure you’re up to snuff. If you don’t have a strong security team in place, this might be the time to hire a firm to help identify where you’ll need to beef up your practices to pass a SOC 2 audit.
As you assess your company’s security policies and controls, you’ll also begin planning for the audit. That means appointing a dedicated team member or consultant whose #1 focus will be on SOC 2 compliance – for at least the next six months.
This is also where you’ll determine what your company needs from a SOC 2 audit. Will a snapshot type I report suffice, or would you benefit from the more long-term type II evaluation? And which of the trust service criteria do you need to be certified for? It might make sense to audit for security alone – or you may decide you’d benefit from getting certified for multiple criteria, or even all five.
Ultimately, these decisions come down to the nature of your business and what customers expect of you. If your company stores particularly sensitive customer data on the cloud, for instance, you’ll likely want to cover these bases as thoroughly as possible so as to reassure your clients that their data is safe in your hands.
Step 2: Prepare for the Audit
Once you’ve taken the time to assess your company’s security practices, you can make the changes necessary to pass the SOC 2 audit. Depending on your company’s current security practices, this can be the most intensive part of the entire process. You may need to implement new access control policies, training programs, security tools, and more.
You can count on your SOC 2 auditor to be thorough in evaluating your business. To prove your compliance, you need to be just as thorough.
Step 3: The SOC 2 Audit
Finally, it’s time for the licensed CPA to come in and audit the business. They’ll review your company’s security systems, from top-level policies to how those policies are – or aren’t – actually carried out on the ground.
If you’ve done the work to get ready, you hopefully won’t run into any bumps when the audit hits the road. But your journey is far from over: a type I audit can take weeks, and type II audits require at least six months for the auditor to see how your security controls play out in practice.
Step 4: The SOC 2 Report
Once the auditor has had enough time to evaluate your business, they’ll write the report itself. SOC 2 reports often run 100 pages or longer – but most stakeholders will only pay close attention to a few key sections, namely the professional opinions of the auditor.
Let’s talk about each section of the report in turn.
1. ) Auditor’s Summary & Professional Opinion
First the auditor will outline the scope of the report. They’ll specify the period in which the evaluation took place, which of the five trust service criteria they focused on, and broadly outline key details regarding the company’s security practices and their reporting process.
Then the auditor offers their professional opinion. This is where the verdict goes: here’s where they say whether your business passed or failed the audit. This is by far the most important part of the report, and you can expect many clients to flip straight to the professional opinion when you show them the report.
Alongside their verdict, the auditor may offer one of several descriptors:
- Unqualified: The company passed the SOC 2 audit without qualifications. “Unqualified” might sound scary, but this is the best outcome a business can hope for.
- Qualified: The company passed the SOC 2, but with some qualifications.
- Adverse: The company did not pass the SOC 2 audit.
- Disclaimer: The auditor did not have enough information to form a definite conclusion. You don’t want to pay for a SOC 2 audit just for it to be inconclusive, so you’ll want to be as forthcoming and helpful as possible to ensure they can render a judgement.
2.) Management Assertion
The company being reported on writes this section, describing the scope of the SOC 2 audit and providing basic details about their security practices and the nature of the report itself.
Most of the time, the information here ends up being redundant with the summary info in the first section. But that’s the point. Unless there was a serious misunderstanding, this section should show that the company and the auditor are in agreement on the fundamentals of the report.
3.) Service System Description
This section goes into greater detail on any security systems, controls, or procedures that are already in place. It outlines a company’s security practices in great detail, providing a robust portrait of the company’s security systems at the time the audit was conducted.
4.) Tests of Controls
This section, taking up the bulk of the report, conveys the auditor’s examination of a company’s security systems in great detail. This section is often presented in table form, presenting line item details about how the auditor examined each aspect of the company’s security systems and practices.
Most stakeholders won’t read this section in full. If they’re interested in a specific topic, such as your company’s access control policies, they might see how you did in that specific area. But more likely than not, they’ll focus on the auditor’s professional opinion and skim this section just to make sure they did their work.
Even companies that pass a SOC 2 audit may have minor issues noted in the tests of controls section. If one or two employees failed to complete a particular training, for instance, the auditor might note that, without it seriously hampering their judgement of the company’s overall practices.
5.) Additional Information
Some reports may tack on additional information at the end. If the auditor highlighted specific issues in the report, for instance, the company may want to respond to them in this section. Often, the best approach is for the company to acknowledge the issue and then describe how they intend to remediate it going forward.
Once the report is finished, every SOC 2 report goes through peer review by a CPA who was not involved in the audit itself. As long as that goes smoothly, you’ll have an official report that shows your business is SOC 2 compliant.
Step 4: Ongoing Auditing
A SOC 2 report is only valid from one year. Because type II reports take six to twelve months, that means SOC 2 compliance becomes an ongoing process. As soon as the finished report is filed, it’s time to start planning your next SOC 2 audit and report.
This is also the time to follow up on any issues that came out in the report. By making the effort to resolve any issues, you can ensure your SOC 2 compliance for years to come and reassure clients that they can trust your business.
One Last Thing…
Have you been wondering what SOC even stands for? Well, I don’t want to leave you hanging!
“SOC,” in this case, stands for system and organization controls. It originally stood for service organization controls, until the AICPA changed it to reflect the broader base of organizations that could benefit from SOC reporting. Although their new name doesn’t exclusively limit SOC 2 reports to service businesses, SOC 2 compliance is still chiefly focused on service providers.