SOC 2 Reporting: Everything You Need To KnowPublished December 13, 2016 by Sherry Jones • 3 min read
Meeting the standards of a Service Organization Control Level 2 audit (more commonly known as achieving SOC 2 compliance) demonstrates your organization’s commitment to data security and to protecting the privacy of your customers’ information—increasingly important in our connected digital age.
Indeed, SOC 2 compliance has become a deal-breaker for many: if your business isn’t SOC certified, other organizations may not do business with you.
Established by the American Institute of Certified Public Accountants (AICPA), SOC 2 is a voluntary regulatory framework that examines non-financial reporting controls to assess how organizations and their service providers process, store, and secure data. SOC 2 (and its sibling, SOC 3, a more generalized version of the framework) is all about information security and privacy.
For the complete picture of SOC 2/3 and all the reporting and compliance they include, check out our free Ultimate Guide to SOC 2.
What’s in a SOC 2 Report?
A SOC 2 audit report is an auditor’s attestation that your service organization has proper and effective IT security controls in place.
There is no specific list of requirements a company can meet to qualify for certification. Instead, the AICPA provides standards known as “trust services criteria” (formerly called “trust services principles”) across five categories. Those criteria help guide the auditor in determining whether your internal controls provide adequate security.
Those categories are
- The security, availability and processing integrity of the systems the service organization uses to process users’ data; and
- The confidentiality and privacy of the information processed by these systems.
The criteria are as follows:
- Security: The effectiveness of policies and procedures governing how organizations protect themselves against unauthorized access, and how organizations respond to security breaches that result in unauthorized disclosure of information.
- Availability: Information and systems must be available for operation and use to meet the entity’s objectives.
- Confidentiality: Information designated as confidential must be sufficiently protected from unauthorized access to meet organizational effectiveness.
- Processing integrity: System processing should be complete, valid, accurate, timely, and authorized to meet organizational objectives.
- Privacy: Personally identifiable information must be collected, used, disclosed, and disposed of in a secure manner.
SOC reports may attest that an organization is doing everything right for governance, risk management, and compliance with the framework. Or, reports might identify control flaws or gaps that require either new controls or adjustments to existing ones.
The Difference Between SOC 1 and SOC 2
The AICPA also has another SOC framework that’s much different from SOC 2/3—SOC 1.
SOC 1 governs financial reporting, and a SOC 1 report will discuss organizational controls that affect the enterprise’s financial statements. Are the controls well designed? Do they work, helping the organization to meet its financial goals?
A SOC 2 audit doesn’t address financial reporting. A SOC 2 report deals with cybersecurity, discussing the effectiveness of controls that affect the organization’s information security, availability, and processing integrity, as well as data confidentiality and privacy.
That said, the frameworks and their reports do have similarities.
- Both are based on Statement on Standards for Attestation Engagements 18 (SSAE 18), formerly SSAE 16, a set of auditing standards developed by the AICPA.
- Both concern service organizations.
- Both can generate two types of SOC reports: type 1 and type 2. A type 1 report offers an attestation of the efficacy of controls at a single point in time. Type 2 examines those controls’ effectiveness over a period of time, typically one year.
A SOC 2 report is typically done so your organization can demonstrate cybersecurity to another specific party: for example, a potential customer wanting to know your controls are up to snuff before signing a contract.
SOC 3 reports are substantively the same as SOC 2, but an organization can perform that audit on itself and share the results publicly—perhaps noting on its website, “We’re SOC 3 compliant — Come and talk to us!”
Do I Need a SOC 2 Report?
If your enterprise is a service provider that handles customer data, you almost certainly need a SOC 2 report. If you outsource work, your sub-contractors should be SOC 2 compliant, as well.
Types of service organizations that typically need a SOC 2 report include
- Cloud computing
- IT security management
- Software-as-a-Service (SaaS) vendors
- Financial processing
- Accounting and auditing
- Customer support
- Sales support
- Medical claims processing
- Insurance claims processing
- Human resources
- Data analysis
- Document and records management
- Workflow management
- Customer relationship management (CRM)
- Technology consulting
Get Help with SOC 2 Compliance
Compliance with SOC 2 can be a long and arduous undertaking, requiring months (or longer) to achieve. But quality governance, risk management, and compliance software can speed the process and make it much easier.
ZenGRC helps some of the world’s leading companies with SOC 2/3 compliance.
Our software-as-a-service uses color-coded dashboards to show, at a glance, where you’re compliant and where you are not; and what you need to do to reach your goals.
Our workflow management features track tasks so you always know where things stand.
Our software helps you create vendor questionnaires for your vendor risk management program, and collects and collates them so you don’t have to.
Our Single Source of Truth repository holds all your compliance documents in one place, for easy retrieval at audit time. ZenGRC even allows you to conduct internal audits in a few clicks, as often as you want.
Worry-free SOC 2/3 compliance is the Zen way. Contact us now for your free consultation.