SOC 2

Introduction

Companies are facing a growing threat landscape, making information and data security a top priority. A single data breach can cost millions, not to mention the reputation hit and loss of customer trust. The American Institute of Certified Public Accountants (AICPA) developed SOC 2 to provide clarity on how organizations should protect customer data from unauthorized access, security incidents, and other vulnerabilities.

  • SOC 2 refers to both the security framework and the audit that checks whether a company is compliant with SOC 2 requirements.

The AICPA built SOC 2 around five Trust Services Criteria:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

SOC 2 Audit

An independent auditor is brought in to verify whether the company’s controls satisfy SOC 2 requirements. After the audit, the auditor writes a report about how well the company’s systems and processes comply with SOC 2. A SOC 2 audit report includes a written letter stating the auditor’s opinion. The opinion can fall into one of four categories:

  • Unqualified: The company passed its audit.
  • Qualified: The company passed, but some areas require attention.
  • Adverse: The company failed its audit.
  • Disclaimer of Opinion: The auditor doesn’t have enough information to make a fair conclusion.

SOC 2 compliance isn’t mandated by law or any industry regulations. However, that doesn’t mean SOC 2 audits aren’t valuable. They play an essential role in regulatory oversight, internal governance, and risk management, and they have become a minimum standard for organizations evaluating their cloud service vendors.

Types of SOC 2 audits

There are two types of SOC 2 reports:

SOC 2 Type 1: Examines security controls at a specific point in time.

  • Type 1 reports are easier and more affordable to complete as they only assess a snapshot in time.

SOC 2 Type 2: Assesses those same controls over a longer period of time (typically 6 to 12 months).

  • Type 2 reports are broader in scope and therefore costlier in terms of time, money, and resources. Type 2 reports go deeper to provide a more comprehensive audit by assessing a company’s security controls over time.

Both reports are useful for demonstrating a robust security posture and give the service provider a competitive advantage compared to organizations that do not invest in SOC 2 audits.

Performing the audit

SOC 2 audits are regulated by the AICPA and must be completed by an external auditor from a licensed CPA firm in order to receive official certification. When you’re ready for your audit, your CPA will work through the following SOC 2 audit checklist:

  • Review the audit scope: Before starting, they will sit down with you to look over the scope and make sure it’s clear.
  • Develop a project plan: With the scope in mind, the auditor will create a plan and share an expected project timeline.
  • Test security controls: Then, the auditor will dive in and begin testing your controls for design and/or operational effectiveness.
  • Document the results: The auditor will record the findings from the control testing.
  • Deliver the client report: The auditor will provide a written evaluation of your controls and share a final opinion on whether the organization is suitably designed to ensure data security.

Duration of the audit

Completing a SOC 2 security audit typically takes between six and 12 months. The schedule will usually include:

  • Project kickoff and risk analysis
  • Readiness assessment
  • Remediation period
  • Information requests
  • Documentation

The exact timeline of the audit will depend on the scope and complexity of your organization.


Source: https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome


This post is licensed under CC BY 4.0 by the author.