Updated: Sep 20
What's SOC 2 all about? We explore the elementary questions we're often asked.
It's interesting to talk to those commencing their SOC 2 compliance efforts, or even those who have just heard about it and want to understand more. There's a range of common questions asked, and always one or two that are totally out of left field.
Even within the community of SOC 2 auditors and practitioners, there are differing views on many aspects of SOC 2. Let's explore the main questions that are asked and if you have any others that come to mind while reading this, feel free to contact us.
Who asks for SOC 2?
Typically, larger enterprise customers during pre-sales or as part of their ongoing vendor oversight, particularly in financial services where regulation and compliance are front of mind. It's more prevalent with US-based customers as the SOC 2 standard is more widely known, understood and expected.
Why do customers ask about SOC 2?
In a nutshell, because SOC 2 represents an effective system of internal control. Like a Michelin Star on a restaurant, it gives a basis of credibility and trust without a third party having to do all their own investigations.
With a big increase in the number of technology providers for organisations, the vendor risk management teams are finding it increasingly challenging to get comfort over their vendors. SOC 2 provides a standardised means for comparison and a checkbox to show good practice controls over customer data and technology are in place and operating. This assists with due diligence and on-boarding, as well as ongoing monitoring activities.
Business representatives buying outsourced services now recognise that the onerous requirements from their vendor risk management teams mean that without a SOC 2 report it's often not worth the headaches and long drawn-out process of trying to onboard a new vendor. It's becoming a pre-sales screening question for that reason, where not having a SOC 2 can lead to a lost opportunity.
How does SOC 2 compare to other standards?
SOC 2 is a method of reporting over internal controls. Many other standards provide guidelines for good practices. However, they don't include a report that can be shared with customers with an independent auditor's opinion on the effectiveness of the internal controls. This is a benefit of SOC 2. It provides greater assurance but naturally incurs higher costs than an ISO 27001 certification, for example.
SOC 1 vs. SOC 2
SOC 2 is newer and widely recognised as being superior for technology organisations. SOC 1 is focused on financial reporting objectives and remains the most appropriate for financial organisations like asset managers and fund administrators. SOC 1 can also be used for technology companies and is still the preference for some large organisations like IBM, which provides managed services for large financial organisations like the banks.
SOC 1 is less comprehensive but is designed for use by external auditors, which is the main purpose for the likes of IBM. Both standards broadly cover the controls over the services, including general technology controls. However, SOC 2 is more fit-for-purpose for technology services where security, availability, processing integrity, confidentiality and/or privacy are primary concerns of the end users.
SOC 2 vs. SOC 3
SOC 2 and SOC 3 are the same standard. The difference is SOC 3 is a redacted version of the report so that it can be made publicly available without all the proprietary and confidential information included in the full SOC 2 Report.
A recent question was whether SOC 3 is a shortcut because it doesn’t require the full report. In theory, yes, but in practice probably not. It does cut down a bit of the work preparing a full report which can range from 20 to 100 pages and beyond. However, SOC 3 can’t be used for Type I Reporting so it would typically be used in combination with SOC 2.
Which SOC 2 Trust Services Principles should be included?
The Security Principle is mandatory for all SOC 2 reports, as it forms part of the “common criteria” needed to support the other principles. A common approach is to start with only the Security principle for the basic report and then add further principles over time. The most common principles added are Availability (for services that are highly relied upon by customers) and Confidentiality (where proprietary customer data is held). Processing Integrity and Privacy tend to be less common, although new Privacy regulations like GDPR may change that.
How long does it take to get a SOC 2 Report?
It can be anywhere from weeks to months, or even years without the full commitment of management. It depends on the buy-in and commitment, current level of compliance, pace of change to remediate any compliance gaps, and the project management of the organisation and service auditor. With the right circumstances, it’s realistic to achieve a SOC 2 Type I Report within 3 months, and a SOC 2 Type II Report within 6 months (it requires at least a 3 month reporting period).
What companies should be considering SOC 2?
SOC 2 is most relevant to companies performing technical services and information processing or holding sensitive customer data. Companies of all sizes can achieve SOC 2; however, it's typically pursued by those looking to sell into larger enterprises, particularly the financial services market. These types of customers generally demand adequate proof of sufficient technology controls to protect their systems and data, and SOC 2 is an industry standard for providing that trust.
How will a SOC 2 audit benefit my business?
A past company I worked with regularly summarised the benefits of SOC 2 as: (a) enabling business with large enterprise customers, and (b) it just makes business sense. It makes sense because compliance with SOC 2 is a means to ensuring good practices and controls are in place that support the company's objectives. Having an independent auditor and going through an assessment process identifies independent insights and areas that can be improved. These improvements achieve more refined and scalable processes and a level of consistency and transparency that supports management oversight.
What’s the difference between a SOC 2 Type I and Type II audit and report?
A SOC 2 Type I audit reports on the policies and procedures a company has in place at a particular point in time. It is a test of the design of processes and controls and validates that they are in place at that time. A SOC 2 Type II audit tests the effectiveness of the controls over a period of time. This cannot be less than 6 months and is usually no longer than a year. It’s basically a validation that the company is following its own policies and the design of processes and controls consistently.
What is actually required to be SOC 2 compliant?
This is a very common question and hard to describe succinctly. There are the 5 Principles, and within those there are criteria. To be compliant, the organisation needs to satisfy all of the criteria (unless they are N/A based on the nature of the company's services). Here’s an example:
Common Criteria 1.1: The entity has defined organisational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and system requirements as they relate to Security.
Each criterion makes a number of assertions, which require practices that meet those assertions. In this case, as it relates to Security (other TSPs are added here if in scope), the organisation needs to have defined structures, reporting lines, authorities and responsibilities. This needs to cover the process components mentioned above within the scope of the "system" (which is the processes and IT systems within the SOC 2 report scope). Typically, more than one control is required to meet each criterion.
Examples of controls that partially meet this criterion are: (1) the security policy defines the key responsibilities and accountability for physical and logical access to systems and data; (2) the organisation chart defines reporting lines, with the CIO responsible for IT Security and supported by the Senior Leadership Team; (3) all employees' job descriptions include their responsibilities to protect the systems and data from unauthorised access; and (4) the Change Management Policy includes key responsibilities and requirements around information security as it relates to system development, etc.
How much does a SOC 2 report cost?
SOC 2 is expensive. It requires a CPA firm to sign it off, it covers a broad operational perspective, it is based on a standard and guidance that are several hundred pages long, and the signatory on the report carries legal liability to a broad range of users. The fee for a software-as-a-service provider with outsourced infrastructure is typically in the range of $50,000 to $150,000 (AUD) for a SOC 2 Type I and Type II Report (reaching the level expected by most end users). Read our post further exploring SOC 2 audit cost below.