Q: What Does SOC 2 stand for?

A: SOC (System and Organization Controls) reports are commonly divided into three types: SOC 1, SOC 2, and SOC 3. SOC 2 is an auditing procedure that evaluates how a service provider manages the customer data entrusted to it, assessing that data handling against five "trust services criteria": security, availability, processing integrity, confidentiality and privacy.


Q: What are the Trust Services Criteria?

A: The Trust Services Criteria (TSC) are the control criteria used for assessing and reporting on controls over systems and information. They are as follows:

1. Security

2. Availability

3. Processing Integrity

4. Confidentiality

5. Privacy


Q: Is SOC 2 the same as SSAE 16?

A: No. SOC 2 and SSAE 16 are different. SSAE 16 was the attestation standard for SOC 1, and AT 101 was the attestation standard for SOC 2. SSAE 18 was implemented in 2018 and is now the attestation standard for both SOC 1 and SOC 2.


Q: Are SOC 2 reports required?

A: SOC 2 is not a requirement for SaaS and cloud computing vendors, but prospective partner organizations may ask for the report, at a minimum, before conducting business. This is particularly true of enterprise-level prospects and of those in a regulated industry such as financial services. As vendor management requirements become increasingly complex, SOC 2 may be necessary to remain competitive in the market.


Q: Are SOC 2 reports public?

A: Because of the sensitive data within them, SOC 2 reports are not designed for the general public. SOC 2 reports should only be provided to clients who use the in-scope system and have signed appropriate non-disclosure agreements. SOC 3 reports are designed for public consumption.


Q: Who can perform a SOC 2 audit?

A: A SOC 2 audit must be conducted by an independent, third-party Certified Public Accounting (CPA) firm. It is recommended to use a firm with strong technical experience in IT audits, financial audits, and SOC examinations to ensure the process is done correctly.


Q: How often are SOC 2 reports required?

A: Most SOC 2 reports cover a 12-month period. Some organizations, particularly those serving many corporate clients or those with ongoing concerns about their controls, may choose to perform this audit every 6 months.


Q: What is SOC 2 Type 1?

A: A SOC 2 Type 1 is an attestation of controls at a service organization at a specific point in time. It reports on the description of controls provided by the service organization's management and attests that the controls are correctly designed and implemented. For example, during a Type 1 the auditor will examine the disaster recovery policy and the backup job configuration to verify that the configuration matches the policy. A single backup job completion may also be examined.


Q: What is SOC 2 Type 2?

A: A SOC 2 Type 2 is an attestation of controls at a service organization over a minimum six-month period. It reports on the description of controls provided by the service organization's management, attests that the controls are correctly designed and implemented, and also attests to the operating effectiveness of those controls over the period. Returning to the previous example, the auditor will examine the policy and the backup job configuration, and will then inspect job completions for a sample of days throughout the period.


Q: What is a SOC 2 Readiness Assessment?

A: Performed before the official SOC 2 audit, a readiness assessment is a dry run of the official report. Its aim is to narrow the scope of the audit, clarify remediation strategies, and shore up the control environment prior to the full assessment.


Q: How can I start my SOC 2 audit process?

A: Contact our team of SOC 2 experts, who can begin to assist you through the readiness and audit process. We pride ourselves on creating procedures that simplify the complexities of IT for our clients and on preparing strategies that are applicable to their unique businesses. Our SOC 2 team can offer insight as to whether SOC 2 attestation is necessary for your enterprise.