Many organizations outsource aspects of their operations or services (e.g., payroll services, Software as a Service (SaaS), managed services, etc.) to other entities (service organizations), which are in turn responsible for providing assurance to the user organizations about the outsourced services. While System and Organization Controls 1 (SOC 1) reports focus on the aspects of the services performed by a service organization that affect the user organization’s financial statements, SOC 2 reports focus on non-financial controls at a service organization related to operations and compliance.
A SOC 2 report provides assurance about the controls at a service organization relevant to the Trust Services Categories (TSC) of security, availability, or processing integrity of the system the service organization uses or the confidentiality or privacy of the information processed by the system.
Trust Services Categories
There are five (5) Trust Services Categories:
- Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability. Information and systems are available for operation and use to meet the entity’s objectives.
- Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The nature of the services provided by the service organization determines the category or categories included in the scope of the SOC 2 report. The security criteria (the “common criteria”) apply whenever any category is in scope; the other four categories add criteria on top of them. The trust services criteria underlying these categories are aligned with the 17 principles in the 2013 COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework and also contain supplemental criteria for COSO principle 12 (“The entity deploys control activities through policies that establish what is expected and procedures that put policies into action”).
What is a SOC 2 Readiness Assessment?
A readiness or gap assessment evaluates how prepared an organization is for a Type 1 or Type 2 report. In evaluating whether an organization’s existing control environment adequately addresses the SOC 2 criteria, the service auditor will:
- Help the service organization identify and document its current controls specific to the in-scope system or subject matter.
- Identify control gaps that need to be implemented or remediated before pursuing a Type 1 or Type 2 examination.
- Provide recommendations for remediating the control gaps that are identified.
What is a SOC 2 Type 1 Report?
A SOC 2 Type 1 report provides a snapshot of a service organization’s system as of a specific date. It is a point-in-time report: it covers whether the controls at the service organization are suitably designed and were implemented as of that date, but it says nothing about whether those controls operated effectively before or after it.
A SOC 2 Type 1 has the following characteristics:
- An independent Auditor’s opinion letter.
- Management’s assertion.
- A detailed description of the scope of the system or service.
- Details of the selected trust services categories.
- No description of tests of controls or results of testing (the auditor evaluates design and implementation only).
- Optional additional information.
What is a SOC 2 Type 2 Report?
A SOC 2 Type 2 report covers a period of time, usually six (6) months to one (1) year. This report covers the suitability of the design of the controls as well as their operating effectiveness throughout the period under review, in support of the selected trust services categories.
A SOC 2 Type 2 has the following characteristics:
- An independent Auditor’s opinion letter.
- Management’s assertion.
- A detailed description of the scope of the system or service.
- Details of the selected trust services categories.
- Description of tests of controls and the results of testing.
- Optional additional information.
Although Type 1 and Type 2 reports address the same subject matter, a SOC 2 Type 2 report provides a greater level of assurance than a SOC 2 Type 1 report because the Type 2 report covers a period of time and includes the auditor’s tests of operating effectiveness. This makes the Type 2 report more useful and yields more value to user entities and their auditors, since it covers a more substantial portion of the service organization’s operations than a Type 1 report.
Should I Pursue a SOC 2 Type 1 Report or SOC 2 Type 2 Report?
Most service organizations choose between a Type 1 and a Type 2 report based on the perceived maturity of the system and related control environment and on their own needs and commitments, which are often driven by the specific needs and commitments of their customers and other stakeholders. Having a SOC 2 report is sometimes a prerequisite for organizations and stakeholders to partner or do business, and in some cases the service organization needs to get a report to a customer, potential client or stakeholder quickly. Most organizations undergo a readiness/gap assessment to determine their preparedness for a SOC 2 audit, then pursue a Type 1 report before pursuing a Type 2 report. The path to a SOC 2 Type 1 report (a point in time) is shorter than the path to a SOC 2 Type 2 report (spanning a period of time), and some organizations use a Type 1 report to demonstrate, and obtain comfort, that they have adequate controls in place, that the controls are suitably designed, and that they are ready for a Type 2 examination. As mentioned above, a Type 2 report also yields more value to user entities, their auditors and potential customers. Ultimately, the type of report to obtain depends on the service organization’s needs and commitments and on the maturity of the in-scope environment.
How long does it take to complete a SOC 2 audit?
The time it takes to complete a SOC 2 audit depends on how prepared the service organization is to undergo the audit, the time the service organization commits to it, the size and complexity of the in-scope system(s) or subject matter, and the type of audit (Type 1 or Type 2). Type 2 reports require sample testing and provide a detailed description of the tests of controls performed by the service auditor as well as the results of those tests, which means a greater level of effort than for a Type 1 report. It typically takes about 4 to 6 weeks to complete a Type 1 report and between 8 and 12 weeks to complete a Type 2 report. These figures cover fieldwork and reporting; for a Type 2 report the review period itself (six months to a year, as noted above) must also have elapsed before the auditor can finish testing. The times can be shorter for clients that are well prepared for a SOC 2 audit. Some service auditors advertise that they can prepare a SOC 2 report in 14 days. As a tech-oriented firm with a team that has more than 25 years of combined experience, Audit Peak can unequivocally state that this is not realistic. It can take a service organization weeks, even with automated evidence collection in place, to get the service auditor the evidence and supporting documentation required for the audit. When you add the time it takes the auditors to evaluate that evidence, perform follow-ups and apply several layers of quality review against the evidence and work-papers, it quickly becomes apparent that a service organization that receives a SOC 2 report in 14 days is not obtaining a quality report, and an examination of the work-papers would reveal that the service auditor did not perform adequate due diligence.
Why do SOC 2 reports matter and who are SOC 2 audits designed for?
How do service organizations demonstrate to their user entities and auditors that systems and sensitive data are adequately protected, that systems and data are made available as committed and are monitored for availability issues, or that system processing is complete, accurate, timely and authorized? SOC 2 reports are designed to provide user entities such as customers, partners and audit firms with assurance that a service organization’s system has the controls in place necessary to mitigate security, availability, confidentiality, processing integrity, or privacy risks. In addition to providing oversight of the internal controls of the service organization, a SOC 2 report supports regulatory compliance efforts and internal governance over corporate and risk management processes, and helps to establish trust between service organizations, their customers and other stakeholders. A user entity reviewing a report should read the auditor’s opinion, which can be qualified, and any exceptions noted in the test results, rather than treating the mere existence of a report as a pass.
Who can perform a SOC 2 audit?
A SOC 2 audit can only be performed by a licensed CPA (Certified Public Accountant) firm. CPA firms are required to uphold the professional standards established by the AICPA and to adhere to specific guidance on the execution of SOC 2 examinations and related audit procedures. Since a SOC 2 report focuses on controls related to operations and compliance with a heavy concentration on information technology, it is also important that service organizations select a CPA firm that has experienced information technology (IT) auditors, not only auditors experienced with financial audits. Experienced IT auditors usually hold certifications such as CISA, CISSP, or CISM, demonstrating familiarity with audit strategies for information systems. You don’t want a tax auditor reviewing your IT systems. A service organization that has completed a SOC 2 examination with a CPA firm is permitted to display the AICPA’s SOC for Service Organizations logo on its website.