What Is a SOC report & Why Is It Important?
Data breaches are on the rise. In Q3 2022, they increased by 70% globally compared to the previous quarter.
As a result, it’s more important than ever for your organization to earn customers’ trust.
That’s where System and Organization Controls (SOC) comes in. A SOC report is like a letter grade in the restaurant window. At a glance, it proves you pay attention to crucial details.
But what is a SOC report, and how do you get one? This article has the comprehensive introduction you need.
What is a SOC report?
A SOC report is generated by an independent audit of a company’s information security systems. It’s a comprehensive review of what the company does to secure the information it works with.
SOC stands for “System and Organization Controls” (previously, it stood for “Service Organization Controls”). The American Institute of Certified Public Accountants (AICPA) oversees the process. Only a CPA or an organization accredited by the AICPA can conduct a SOC audit.
There are multiple subcategories of SOC. There’s SOC 1 (divided into SOC 1 Type I and SOC 1 Type II), SOC 2 (divided into SOC 2 Type I and SOC 2 Type II), and SOC 3.
Preparatory materials often group controls into goal-specific variants of SOC 2, such as SOC for Cybersecurity and SOC for Supply Chain.
Beyond these divisions, each SOC report is tailored to the specific company under audit. Auditors must evaluate a few common criteria related to security, but they are otherwise free to draw from a long list of suggested internal controls. Ultimately, no two SOC reports will look exactly alike.
What is a SOC report used for?
A SOC report is used to verify the effectiveness of the internal controls and safeguards an organization has in place to handle customer data securely.
A company might request a SOC report because a prospective client has asked for one as a condition for working together. This is a common practice, similar to asking for references before hiring an employee.
Alternatively, a business might decide to pursue SOC compliance before anyone asks for it. This can help to attract potential customers by demonstrating that the company can be trusted. The term “audit” often implies that the subject is suspected of wrongdoing, but with SOC, that couldn’t be further from the truth.
SOC is specifically designed to test the security of information systems. Therefore, companies that seek a SOC examination tend to be in the business of handling large amounts of information on behalf of other companies. Examples include (but are not limited to) accountants, money managers, staffing firms, marketing agencies, third-party software developers, and anybody who provides cloud storage.
At Secureframe, we regularly seek SOC 2 compliance and include processing integrity within the scope of our audit to practice what we preach. As compliance automation professionals, we’re a prime example of a business that needs to build trust among our customer base.
What are the contents of a SOC report?
The AICPA provides an illustrated example of a SOC report on its website. It runs 31 pages, a fairly typical length.
A quick review of the contents reveals the following:
- Opinion letter: A summary of the auditor’s opinion, illustrating whether they think the target company passes inspection.
- An “unqualified opinion” is a pass with flying colors.
- A “qualified opinion” means the company is almost compliant, but one or more areas aren’t there yet.
- An “adverse opinion” is a failure. The company falls short in one or more non-negotiable areas.
- A “disclaimer of opinion” means the auditor doesn’t have enough evidence to support any of the first three options.
- Management assertion: Summarizes what the managers of the company under audit told the auditor about their information security controls.
- Description of systems: Explains what the company does and how they describe their own infrastructure.
- Applicable trust services criteria: Lists each internal control the company believed was applicable to their own services, alongside the results of tests of those controls.
- Other information: Information provided by the company that the auditor determined not to be relevant.
Now that you have a better idea of what SOC reporting looks like, let’s explore the four different shapes SOC comes in.
What are the different types of SOC reports?
Each type of SOC report has a slightly different set of use cases.
As you’ll read in the next section, SOC 1 and SOC 2 are subdivided into Type I and Type II. Both I and II refer to how the audit is conducted, while 1, 2, and 3 refer to the subject matter of the SOC report.
A SOC 1 audit is for any organization that provides its clients with services related to financial reporting.
To put it another way: if anything a business does could impact a financial audit of one of that business’s clients, that business might need a SOC 1 report.
Examples include accountants, payroll processors, or tax preparation assistants.
Since CPAs manage SOC, and financial statements and related information are often the most sensitive data a company handles, financial controls are an area of special interest. The SOC 1 process examines a company’s security and business processes, looking for any risks to users’ financial information.
A service auditor should also check to see if any risks that arise from the audited business could impact internal controls put in place by clients. You could have the best information security in the world, but that’s not worth much if you contract with third parties who don’t uphold the same standards.
SOC 2 is by far the most commonly sought form of SOC compliance. It’s for any organization providing third-party services that require customers to trust them with sensitive data. It’s particularly popular among software-as-a-service (SaaS) companies.
Instead of a pre-determined list of controls like those that make up most ISO criteria, SOC 2 is based on the “trust services criteria” (TSC). This groups suggested controls under five categories:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
The trust principles you select inform your attestation criteria. According to the AICPA, they should be relevant, objective, measurable, and complete.
The controls grouped under Security, known as the “common criteria,” are the only ones required to undergo a SOC 2 audit. Companies are asked to document their control environment, communication and information protocols, risk management and assessment processes, and how they implement and monitor controls.
All the others are optional, though most auditors will check on more than the bare minimum. Confidentiality and availability, while not required, are often included in scope. Privacy and processing integrity are generally included based on the nature of the organization’s systems and services.
A company that gets a SOC 2 audit usually provides some sort of B2B service, but it’s not uncommon for a B2C company to seek a compliance audit as well. However, since a SOC report is not necessarily public knowledge (and isn’t easy for a non-professional to parse), the company might get a SOC 3 report instead.
A SOC 3 report is similar to a SOC 2, except it’s shorter. It’s a more digestible product that can be used for marketing or made available to customers for free. SOC 3 reports are an easy way to build trust among large groups of individuals.
How to Get a SOC Report
A SOC report is generated by a SOC audit conducted by a SOC auditor. This is usually a CPA or an AICPA-accredited organization. Before you invite an auditor to your office, your first step is to decide exactly what sort of SOC report you need.
Step 1: Choose a type of SOC report.
First, choose from among the three SOC categories in the previous section. They’re not mutually exclusive. In fact, some companies might seek all three.
Plenty of large corporations offer both financial and non-financial services and want to build trust among businesses and the public.
Say your company is a small startup that provides cloud services to larger businesses. Obviously, you would choose SOC 2.
Next, you’ll need to choose between a SOC 2 Type I and Type II report.
- SOC 2 Type I: An audit that checks whether your systems are designed according to the trust services criteria. Type I audits are relatively cheap and easy (they can be done in under a month) but aren’t as thorough as Type IIs. Think of them as dipping your toes in the water: you get a feel for what an audit is like, but you’re not diving all the way in.
- SOC 2 Type II: An audit that examines how your systems are designed AND whether the controls are implemented and operating effectively. A Type II report takes longer (between 3 and 12 months) because the auditor needs to test the controls on your information systems over the review period.
Choose based on your budget and the urgency of producing the report. Many organizations choose to start with a Type I audit and then use that report as a foundation for undergoing Type II.
Step 2: Conduct a readiness assessment.
Next, conduct a readiness assessment. This is like studying for and taking a practice test — it ensures the auditor doesn’t catch you unprepared.
To do a readiness assessment, you have to get familiar with the trust services criteria.
Be able to answer questions like:
- “How is my system protected against attacks?” (Security)
- “How do we decide when to make data from the system available?” (Availability)
- “Does the system work the way it needs to?” (Processing integrity)
- “How do we ensure the system keeps private information away from unauthorized personnel?” (Privacy)
- “When information must be shared, what keeps the exchange secure?” (Confidentiality)
Consider every possible way the Trust Services Criteria might apply to your infrastructure. If you discover any areas in which your system falls short, determine what you need to do to become compliant. This is called a “gap analysis” — closing the gap between where your system is and where it needs to be.
Step 3: Prepare documentation for your auditor.
Next, document everything heavily. You should be able to look at a complete list of the TSC and immediately produce documentation explaining how your information security meets each criterion.
While the kind and amount of documentation required for compliance will vary depending on the type and scope of your audit, you will need to provide the following documents at a minimum:
- Management assertion
- System description
- Control matrix
Step 4: Pick your auditor.
Finally, decide who you want to serve as your auditor. Pick a well-reviewed CPA or auditing firm that has experience in your industry.
The auditor will spend anywhere from a few weeks to several months working with your team before producing a SOC report. If you get an unqualified opinion, congratulations! If not, use the SOC report as lessons learned for closing gaps and try again for an improved report.
Frequently asked questions about SOC reports
1. How long is a SOC report valid?
Technically, SOC reports don’t expire, but generally a SOC report is considered valid for one year following the date the report was issued. Any report that’s older than one year becomes “stale” and is of limited value to potential customers.
Because of this, the vast majority of service organizations renew their attestation report every year without any gaps.
2. How much does a SOC report cost?
Most companies can expect to spend between $20K-$100K to prepare for and complete a SOC audit and get their report.
However, many factors influence the typical SOC audit cost, including:
- Type of SOC audit
- Scope of your audit
- Size of your organization
- Complexity of your systems and internal control policies
- Outsourced services, like hiring a CPA firm to conduct audit preparation and readiness assessments
- Additional security tools and employee training you’ll need to close any gaps
Compliance automation software like Secureframe saves companies thousands of dollars and hundreds of hours preparing for and completing a SOC audit. Our platform’s built-in policy libraries, security training, and readiness assessments mean you’re not paying consultants.
It can also help you save your team’s productivity costs and get a SOC report faster by streamlining the compliance process and automatically collecting evidence for your auditor.
3. Are SOC reports mandatory?
SOC reports are not mandatory. However, they are increasingly considered table stakes for growing companies. Customers are looking for companies, small and large, that can protect the security and privacy of their data and interests. A SOC report is an ideal way to demonstrate a commitment to security and privacy, while helping companies unlock growth, expand into new markets, and accelerate revenue.
4. What is the difference between SOC and ISO 27001?
Given that they’re both standards for auditing information security protocols, SOC and ISO 27001 are often confused. If you’ve ever mixed them up, you’re not alone: ISO and SOC share almost all the same controls, varying by as little as 4%.
But they’re not identical. There are two key differences between SOC and ISO 27001:
- Type of security. SOC is a freeform set of standards that measure what your company is doing to protect client information. ISO 27001 has the same goal but a more restricted way of achieving it. To achieve ISO 27001 compliance, businesses must build and document an information security management system (ISMS). That’s a slightly more stringent standard.
- Geographic area. SOC audits are better-known in North America and thus carry more weight. ISO 27001 is more popular outside of North America. This is almost always the deciding factor. Think of ISO 27001 as the metric system to SOC’s imperial system. Much of the world uses ISO 27001 while North America uses SOC.
How Secureframe can help you get the SOC report you need
Secureframe can not only help you decide what type of SOC report your business needs — we can also help you get it faster.
We save teams hundreds of hours and thousands of dollars spent writing security policies, collecting evidence, hiring security consultants, and performing readiness assessments. And because Secureframe continuously monitors your infrastructure and alerts you of vulnerabilities, you’ll be able to get and stay SOC compliant easier and faster.
Request a demo to learn more about how we can help you get the SOC report you need.