Myth-busting SOC 2 Reports

Updated: Feb 16

 

There are many misconceptions about SOC 2 reports. Let's explore 8 of the most common. These myths come from several places:

  • Clever marketing

  • Oversimplification

  • Variations in approach by service auditors and organisations

  • Variations in standards across regions

  • Revisions and updates to the standards over time

There are various opinions and interpretations of the SOC 2 standards, as well as different contexts in which they can be applied. I’ve been in many of these debates involving global SOC 2 practitioners and seen wildly different perspectives. Of course, the purpose of standards is to enforce some level of consistency and include basic requirements — but in practice, that application leads to many grey areas.

 

Myth 1: SOC 2 Means Best Practice

 

It is good practice to follow standards as a way of benchmarking an organisation’s processes and controls, as well as ensuring all key control areas have been appropriately considered.

 

However, the SOC 2 standard is designed with a lot of flexibility for the service organisation to define its own processes and controls to meet the Trust Service Principles (TSPs) and criteria. Since the criteria are high-level, this can lead to variable methods that don’t necessarily align to best practice (or even good practice, in some cases).

 

For example, SOC 2 criteria may require defining a security policy. Thus, passing SOC 2 may involve detailing some key aspects of the security policy: roles and responsibilities, key controls for identity and access management, physical security, etc. However, the methods of actually managing security are still at the discretion of management (e.g. which security monitoring tools are used and what specific processes are followed).

 

Myth 2: A Clean Report Means No Issues

 

There are many reasons why actual issues wouldn’t end up in a final SOC 2 report:

  • Sampling: The service auditor only picks a sample of items (in some cases, less than 1% of the total number of transactions during the period).

  • Nature of controls assurance: Controls are designed to give reasonable — not absolute — assurance. Even if the controls are operating effectively, they’re generally not designed to cover every possible outcome.

  • Broad range of users: SOC 2 reports are designed for a broad range of users. Certain immaterial, bespoke or client-specific areas may be excluded; these often aren’t specified in the SOC 2 Scope in the report.

  • Controls are designed to identify issues: A control is considered effective if it does identify and address an issue. In these cases, the underlying issue would not be noted in a report unless it is the direct failure of another control included in the report.

  • Materiality: The concept of materiality is built into the SOC 2 standard. Not all items are reported or considered material to the report and end users.

  • Replacement: Controls can be replaced by other controls for the report as long as the replacement controls also meet the design criteria requirements. If a control fails during the year, the service organisation can generally replace it to avoid issues being noted in the report. This is controversial — the service auditor should prevent it — but in practice it does happen, especially if identified by the organisation before the auditor.

  • Service auditor and organisation influence: Even issues that are identified may not ultimately end up in the report. Remember that service auditors are paid by the service organisation. Management can belittle or discredit issues noted based on their superior knowledge of the subject matter; service auditors have a level of discretion over reportable issues. These realities of SOC 2 in practice highlight the need for independent and high-quality service auditor firms.

 

Myth 3: SOC 2 Is a Set of Mandated Requirements That May Not Fit Business Requirements

 

The SOC 2 standard is designed to be flexible and adaptable to all relevant organisations. It is not intended to be overly prescriptive in what is required, within the confines of meeting certain qualitative criteria covering the key aspects of internal control.

 

However, in order to achieve SOC 2, a minimum control level is required…which in some cases may not align with business requirements. A common example is the requirement for segregation of duties in key control areas. For small organisations, this may not be practical (which is why SOC reporting is generally undertaken by medium to large organisations). However, with the flexibility of the SOC 2 standard, it is generally well suited to business requirements.

 

Read our post on The 4 Key Control Concepts that help align controls to business requirements.

 

Myth 4: SOC 2 Reports Have No Future Value; They Focus on the Past

 

It’s true that SOC 2 reports are limited to the past and technically do not provide any future assurance. However, a major component of SOC 2’s value is that it’s an ongoing process that becomes embedded into the service organisation.

 

Reports are typically issued annually. This ongoing process ensures a level of consistency, oversight and rigour to the company’s processes and controls…which doesn’t go away just because the auditors do.

 

Myth 5: Type I Reports Don’t Provide Any Assurance

 

Type I reports provide assurance that the processes and controls listed in the report are fairly presented, placed into operation and suitably designed to meet the SOC 2 criteria, at a point in time.

 

This doesn't mean the organisation will remain at a SOC 2 level. It's like a footy player making it to first grade; it doesn't mean they will perform for the season, but they have demonstrated the capability and commitment to get to that point. More often than not, they continue to improve over time.

 

There are two main challenges with achieving SOC 2:

  1. Getting the processes and controls in place that meet the control criteria

  2. Embedding the controls to ensure they operate consistently over time

The first part is usually the majority of the work, although the second part can be more challenging in practice (especially if the controls have not been well thought out in advance).

 

Myth 6: Controls Reports Are Required to Have Continuous Coverage

 

Management of the service organisation has full discretion over the frequency of issuing reports and the periods covered. Management can decide to have a gap period between annual reports, shorten a reporting period, or discontinue issuing controls reports.

 

Thus, end users should carefully consider the period(s) of coverage and ask questions about any gaps in coverage. Typically, a gap period is a red flag — but it may be reasonable if the organisation has gone through significant changes that would make coverage of that period impractical. (However, these periods are also where internal controls are most prone to failure.)

 

It’s not unheard of for a service auditor to challenge an organisation when it requests a reporting period that leaves a gap. However, in practice, if it becomes a sticking point, the organisation can simply switch auditors. Hence, it’s at the full discretion of management.

 

Myth 7: It’s up to the Service Auditor to Find All Issues to Report on

 

The Management Assertion in the report is to attest that the organisation’s senior management believe the report to be true and fair, and have been sufficiently involved and maintained sufficient oversight to be able to sign that attestation.

 

Essentially, this mirrors the Service Auditor’s Opinion statement. Both the service organisation and the auditor are liable to end users who rely on the report, if there’s a case of any matters not identified due to negligence or deliberate concealment.

 

Naturally, service auditors are more incentivised to raise issues in the report, as it protects their reputation and covers their liability without reflecting adversely on them as an organisation. Service organisations are incentivised to conceal items to protect their reputation, which is where this myth comes from.

 

Myth 8: Principles and Criteria Are Optional

 

This myth is actually a partial truth: principles beyond the Security Principle are optional. Criteria within each principle are not. However, in practice this can be controversial and lead to grey areas.

 

Although principles are optional, there is an argument that service auditors have a duty to ensure the chosen principles are reasonable. Since many (if not most) end users of the report are not privy to exactly what is included, it can be misleading if relevant areas are excluded.

For SOC 1 reports, this was a requirement of the service auditor in assessing the fairness of presentation of control objectives. That is, does the scope include everything the intended users would expect?

 

The criteria are not optional; however, in practice there can be circumstances where the criteria don’t apply. This may be based on the scope of systems and services, the nature of third-party agreements, materiality considerations, or other circumstances. In these cases, the service auditor can assess them as not applicable and exclude them from the SOC 2 report. These may or may not be disclosed in the report with the reasons for exclusion.

 

Are there other myths keeping your organisation from implementing SOC 2 reporting or creating confusion in what SOC 2 represents? Let’s discuss in the comments.

 
