System and Organization Control reports—otherwise known as SOC reports—are designed to help companies measure (and prove) the effectiveness of the internal controls that they use to reduce risk for their customers.
If your organization handles data for your customers, a SOC 2® report is likely the appropriate report for your business. In fact, it’s becoming a common expectation that organizations like SaaS companies, cloud service providers, data processors and similar vendors have a SOC 2 report.
If you’ve determined that a SOC 2 report is the right report for your business, you’ll also need to decide if you’ll pursue a SOC 2 Type 1 or a SOC 2 Type 2 report.
Both types of SOC 2 reports include:
- A review of the company’s system description to determine if it is in accordance with the DC 200 Description Criteria and to outline the company’s service commitments and system requirements; and
- An evaluation of the company’s controls to determine whether they are suitably designed and implemented.
The difference is that a Type 1 report stops there, and the Type 2 report additionally provides validation of the operating effectiveness of the controls through detailed testing.
If you’re in need of a SOC 2 Type 2 report, it will be helpful to understand what a Type 2 report entails. Below, we address the most common questions about the SOC 2 Type 2 report so that you’ll know what to expect (and understand what you’ll gain) from the process.
What is Tested in SOC 2 Type 2?
A SOC 2 Type 2 report extends the scope of the Type 1 report (description of a company’s systems and controls) to include the actual testing of those controls.
The focus in a SOC 2 Type 2 report is on:
- Reviewing the trust services criteria and evaluating the five trust services categories to determine which categories are relevant to the services the company provides;
- Determining what controls the company has in place to meet the criteria;
- Testing those controls, performed by the service auditor, to determine if they are operating effectively over a period of time.
The trust services criteria outline the following five trust services categories that can be included in a SOC 2 report:
- Security: Also known as the Common Criteria, these controls pertain to how systems are secured against unauthorized access, unauthorized disclosure or damage.
- Availability: These are controls around the capacity and availability of the system to its users; they address things like business continuity and disaster recovery plans and system backups.
- Confidentiality: These controls show that information that is deemed confidential by policy or agreement is protected.
- Processing Integrity: These controls revolve around ensuring that any data processing is accurate, complete and authorized and that there are processes to catch errors and correct them.
- Privacy: Privacy controls are separate from those covering confidential information. Privacy pertains to personal information, as opposed to other sensitive information.
It’s important to note that the Security category is required, but the other four categories are optional. The services that a company provides determine whether any of the other four categories should be added.
How Long Are Internal Controls Tested for a SOC 2 Type 2 Report?
Gaining a complete and comprehensive understanding of an organization’s controls and their effectiveness requires time. Typically, a SOC 2 Type 2 report tests controls over a six- to twelve-month period.
How Are Those Controls Tested?
In a SOC examination, the SOC auditors will evaluate the assertions provided by your company and design and perform tests that will give them an idea of how effective your controls are. This testing may come in the form of interviews, physical reviews (walkthroughs of your physical office space or data centers), observations and close examination of requested documentation.
What is the Process Like For Going Through a SOC 2 Type 2 Exam?
The initial stages of the SOC 2 Type 2 exam will include a review of the documentation provided. The testing itself can take a variety of forms, including those mentioned above.
Once the evaluation and testing are completed, the auditors will then create a report that notes the operating effectiveness of the controls, as well as any exceptions that are found.
How Should My Company Prepare?
It’s beneficial for a company to review the effectiveness of, and gaps in, its own controls before beginning a SOC 2 Type 2 engagement. An independent CPA firm can help with this by providing a Readiness Assessment.
How Would a Company Decide They Need a SOC 2 Type 2 Report Over a Type 1?
A SOC 2 Type 2 report may be the right decision for your organization depending on a number of factors. A common reason to choose a SOC 2 Type 2 report is that your customer has requested the more extensive report type.
However, you may also consider a SOC 2 Type 2 report for your own benefit. With the addition of testing of the controls, your company will have a clearer understanding of any areas in need of attention—or those which do not fully meet the expectations of the SOC auditors and your customers.
This can be an opportunity to make corrections or additions to your security and data handling policies and procedures before—and preferably instead of—dealing with a data breach.
A SOC 2 Type 2 can also be a powerful indicator to customers that your organization takes the security of their data seriously. It can serve as a competitive differentiator in crowded or highly competitive fields or markets, and many potential customers use SOC reports as a means of weeding out companies when evaluating new vendors.
Does My Company Need a Type 1 Report Before Getting a Type 2 Report?
No. A SOC 2 Type 2 report will include all of the elements of the Type 1 report, plus the additional testing. However, a Type 1 may be recommended to determine that the controls are suitably designed and implemented before jumping into a Type 2 too quickly.
What Are the Benefits of a SOC 2 Type 2 Report, and How Would a Company Use the Report?
A SOC 2 Type 2 report can help uncover opportunities for improvement in your processes and procedures.
A SOC 2 Type 2 report sends a clear message about your organization’s commitment to protecting customer data. Customers may be able to outsource services, but they cannot outsource their responsibility for the data that has been entrusted to them. This means your customers will want to be sure that your organization takes the security of their data as seriously as they do.
The SOC 2 Type 2 report can be an easy reason for a potential customer to choose your organization over another.
When is the Right Time to Pursue a SOC 2 Type 2 Report?
It’s beneficial to start a SOC 2 Type 2 report sooner rather than later, especially because it will take several months from the time you engage a SOC auditor until you receive your SOC 2 Type 2 report. These exams and reports take time to complete, and the sooner you have the report available to share, the better your chances of winning the trust of new customers.
Learn More and Start the Process of Getting a SOC 2 Type 2 Exam and Report
A SOC 2 Type 2 report is a significant commitment, both in resources and in the message that it sends to customers. The benefits far outweigh the costs and time invested and offer reasonable assurance that you take the security and trust of your customers seriously and are doing everything you can to mitigate risks.
Warren Averett has the expertise to complete a SOC report engagement for all different types of organizations. Contact us today to start the conversation about reaching your SOC reporting goals.