What Is A SOC 2 Report?
A SOC 2 report is designed to provide assurance about the effectiveness of a service organization's controls as they relate to security, availability, processing integrity, confidentiality and privacy. It is an independent assessment of a company's security and privacy control environment, issued by an auditor rather than by the company itself.
It is important to note that SOC 2 is a voluntary assessment framework. Unlike HIPAA, which is a legal requirement, or PCI DSS, which is a contractual obligation imposed on companies that handle payment card data, a SOC 2 assessment is undertaken by the organization at its own initiative, usually because customers ask for it.
When an organization goes through a SOC 2 audit, it is evaluated against one or more of the AICPA's Trust Services Criteria (TSC). The organization must provide evidence that its controls exist and operate as described. After the assessment the auditor issues the SOC 2 report, which describes the system, the controls in place, and the auditor's opinion on them. Teams that obtain a SOC 2 report can then share it as an attestation of the company's security program.
What Are the Types of SOC 2 Reports?
Organizations can work to achieve two different types of SOC 2 reports, depending on their needs.
SOC 2 Type 1 – A Type 1 report covers the design of the organization's controls for meeting the Trust Services Criteria at a single point in time. The auditor evaluates the organization once, against the selected criteria and controls, and confirms that the controls are suitably designed and in place as of that date. It says nothing about whether the controls kept operating afterward.
SOC 2 Type 2 – A Type 2 report is more comprehensive than a Type 1 report. It evaluates the same policies, procedures and security controls, but also tests their operating effectiveness over a period of time, generally a 3 to 12-month audit period. This means the organization must demonstrate that its controls were in place and working throughout that period, not just on a single day.
Each SOC 2 report features at least four main sections that readers should look for:
- Management's Assertion
- Description of the System (the services, infrastructure, people and processes in scope)
- Auditor's Opinion
- Results of Testing (the controls tested and the results; in a Type 2 report, including any exceptions found)
The first two sections are written by the organization; the independent auditing firm documents the last two, which is where a reader finds the auditor's conclusion and the detail of what was tested.
Who Needs A SOC 2 Report?
Software Vendors – Large enterprises with hundreds or thousands of software vendors often ask each vendor for a SOC 2 Type 2 report in order to confirm that the vendor has a set of security controls in place. Vendors often adopt the SOC 2 framework specifically to address the security concerns of enterprise customers.
Cloud Providers – Cloud service providers such as Amazon Web Services (AWS) and Microsoft Azure have numerous clients managing applications and workloads across their infrastructure. These companies go through SOC 2 audits to achieve attestations such as SOC 2 Type 2 to ensure that physical, administrative, and technical controls are in place to protect client data.
Large Companies – Large organizations often go through audits to receive a SOC 2 Type 1 or Type 2 report in order to improve their overall security posture. Implementing SOC 2 controls and enforcing security standards across the organization helps the company reduce the likelihood of breaches, which can cost millions.
How Do I Obtain a SOC 2 Report?
There is no SOC 2 "certification" as such; the deliverable is an attestation report. To receive a SOC 2 report, an organization must complete a SOC 2 audit with an independent auditor. Audits must be conducted by a licensed CPA (Certified Public Accountant) firm. To obtain a report, teams should consider the following steps:
Prepare Security Program – Organizations should establish a security program that addresses SOC 2 Trust Services criteria. Teams should develop administrative policies, implement technical controls, and gather all security evidence and documentation to prepare for an audit. You may also consider reading our guide to preparing for a SOC 2 audit.
Perform A SOC 2 Audit – Organizations must engage a third-party CPA firm to perform the SOC 2 audit. Teams should select a reputable firm that has worked with similar clients and has relevant security expertise.
Maintain SOC 2 Controls – After receiving a SOC 2 report, organizations should continue to operate and monitor their SOC 2 controls, because the next audit will test them again. Teams typically complete a SOC 2 audit every year to keep their report current.
What Are The Benefits Of A SOC 2 Report?
A SOC 2 report gives teams a security attestation that provides several benefits.
Security Validation – A SOC 2 Type 1 or SOC 2 Type 2 report provides organizations with a certain level of security validation. Teams can share these reports with clients and partners as validation that the organization has an established security program with a set of security controls implemented.
Faster Enterprise Procurement – Companies and vendors working with large enterprises or organizations in regulated industries such as finance and healthcare may provide a SOC 2 report as evidence of security standards. Companies with a current SOC 2 report may be better prepared to go through security assessment and quickly move through procurement.
Better Internal Security – SOC 2 requires teams to validate security controls with an independent third-party auditor. This unbiased evaluation should help your organization identify security issues, address gaps and improve your overall security program. Teams that build a robust security program that addresses SOC 2 controls should be better prepared to manage internal security.
How Often Do I Have To Get a SOC 2 Report?
SOC reports (both SOC 1 and SOC 2) do not technically expire. However, customers and partners may decline to rely on a report once too much time has passed since the end of the period it covers. Generally, teams work to obtain a SOC 2 Type 2 report on an annual basis.
Since a SOC 2 Type 1 report is based on an evaluation at a single point in time, its value diminishes quickly. A Type 1 report cannot show whether an organization's controls were still operating effectively even one day after the evaluation date.
A SOC 2 Type 2 report covers both the design and the operating effectiveness of controls over a period of time, generally 12 months. In some cases a Type 2 report may cover a shorter period, such as 6 months; AICPA guidance recommends that a Type 2 report cover a minimum of 6 months. A service organization should obtain a SOC 2 report every year so that successive audit periods provide continuous coverage. Gaps in coverage can lead to further security scrutiny by partners and clients. Dash ComplyOps can make it easier for your team to implement and maintain SOC 2 controls across your IT environment.