June 01, 2022
What Is SOC (System and Organization Controls) 2 and How to become Compliant?
Has a customer ever asked you to provide an assurance audit report? If confidential or private data is entrusted to you or you manage cloud computing for your customers, it’s important to provide them with proof that you are in compliance with SOC (System and Organization Controls).
SOC stands for System and Organization Controls and was developed by the American Institute of CPAs. It’s a voluntary compliance standard for service organizations, including managed service providers (MSPs), to manage how they report financial and security data to customers.
Meeting SOC compliance standards helps you build trust and confidence with customers, improve information security practices and gain a competitive advantage.
What is SOC 1 compliance?
SOC 1 compliance covers the management of financial information for customers or partners. This compliance secures the financial statements of an organization’s users as it relates to interaction, transmission and storage.
If your business outsources services that affect another company’s internal control over financial reporting, you need a SOC 1 audit report. Examples of these services are:
- Payroll processing
- Data center
- Network monitoring services
The SOC 1 audit report examines the design of your compliance project at a specific point in time (month/day/year). The report will look at your policies to protect customer data along with information security measures.
What is SOC 2 compliance?
SOC 2 compliance is for non-financial information, including security controls and processing integrity.
A SOC 2 Type 1 report describes a business' systems and if the plan complies with the relevant SOC 2 trust services principles. The audit and report happen on a specified date.
A SOC 2 Type 2 (Type ii) compliance report details the operational efficiency of systems. The audit and report occur over a specific period of time (typically six months).
Pro Tip: There are only two bodies that can conduct a SOC 2 Type 2 audit. They are independent CPAs or accounting firms. The American Institute of CPAs has standards that regulate the work of SOC auditors. All audits must undergo a peer review.
SOC 2 Trust Services Principles
SOC 2 compliance relies on adhering to the SOC 2 trust services principles. But, based on your business practices, the auditor may not include all five principles in your report. Even if this is the case, it’s best to have an understanding of all five SOC 2 trust principles.
Security measures how protected the system is against unauthorized access (physical and logical). Commonly reviewed security controls relate to the restriction of logical access to authorized individuals. There are also SOC 2 password requirements and branch protection rules.
Is the system available for operation and use as agreed? Companies must document disaster recovery and business continuity plans and procedures. This also requires the performance of backups and recovery tests.
System processing must be complete, accurate, and authorized. Processing integrity is relevant to companies that process transactions, such as payments.
Does the system protect confidential information according to policy? This can cover B2B relationships and the sharing of sensitive data from one business to another.
The auditor will consider the privacy criteria when personal information is collected, used, retained, disclosed and/or disposed of. Keep in mind: Privacy is different from confidentiality. Privacy only pertains to personal information. Confidentiality pertains to other types of sensitive information.
How to achieve SOC 2 compliance
The backbone of SOC 2 compliance is security. You can follow these steps for SOC 2 compliance.
- Create access controls. Place physical and logical restrictions on assets to prevent unauthorized access.
- Set up a change management process. Establish a controlled process for managing changes to IT systems. There should also be methods for preventing authorized changes.
- Monitor system operations. Set up controls that monitor ongoing operations. The processes should also detect and resolve deviations from the procedures.
- Mitigate risks. Put in place methods to identify, respond to and mitigate risks.
SOC 2 Type 1 vs. SOC 2 Type 2
Similar to SOC 1 compliance, there are SOC 2 Type 1 and Type 2 reports.
A Type 1 report describes a business's systems and if the plan complies with the relevant SOC trust principles. The audit and report happen on a specified date.
A SOC 2 Type 2 compliance report details the operational efficiency of these systems. The audit and report occur over a specific period. It's usually at least six months.
The SOC 2 Type 2 controls list is essential for:
- Regulatory oversite
- Vendor management programs
- Internal governance
- Risk management
How To Get a SOC II Type 2 Audit
There are only two bodies that can conduct a SOC Type 2 audit. They are independent CPAs or accounting firms. AICPA has standards that regulate the work of SOC auditors. Plus, all AICPA audits must undergo a peer review.
The standards allow CPAs to hire non-CPA professionals with relevant information to participate in preparing the SOC 2 compliance audit. But, a CPA must provide and issue the final report.
SOC 2 compliance cost
One major cost factor is whether your business needs a Type 1 or Type 2 audit. Since the evaluator must monitor for SOC 2 Type 2 compliance requirements over some time, it's more expensive.
To inform your budgeting, here’s some general pricing guidelines: SOC 2 Type 1 reports usually start around $5,000, whereas SOC 2 Type 2 reports generally start around $30,000.
Other cost factors for SOC 2 Type 2 compliance include:
- Number of trust services principles in the audit
- Organization size
- Industry risk
- The complexity of systems and internal control policies
- Outsourced services to conduct audit preparation and readiness assessments
- Additional security tools and employee training you need to close gaps and meet compliance requirements
Considering all of these factors, it can cost businesses up to $100,000 to meet SOC 2 compliance requirements.