SOC 2 REPORT
The SOC 2 Report and Reporting Process
SOC 2 Reports are the most widely recognized form of assurance that service providers are protecting sensitive data and minimizing risk for their customers. With breaches of personally identifiable information becoming more commonplace, more companies are requiring that their data centers and service providers supply this sort of assurance.
Organizations that might want to request a SOC 2 report include companies that use third-party administrators or service providers and entrust those entities with protected information so that they can render their services.
This restricted-use report is based on an audit of an organization or service provider and provides assurance that the data the organization consumes in order to render its services is appropriately protected. The report is good for one year, after which customers generally expect a fresh one.
The audit and report ideally show that the service provider is doing everything it can to protect that data as it is used, stored and disposed of. The report details how the service provider protects the data and also provides an independent professional opinion on whether, and to what degree, the customer's data is being safeguarded.
The reason a company might request a SOC 2 report from a vendor is to receive assurance that the data the vendor uses, accesses and stores is being protected.
SOC 2 reports can be extensive, with as many as 92 prescribed controls across five different areas or domains, formally the five categories of the Trust Services Criteria. These domains are:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Each of the five domains includes a number of criteria that are checked during the audit. For example, the Security domain examines areas such as communication and information, risk assessment, and logical and physical access controls.
Not all SOC 2 Reports include all five domains, however. The baseline report covers Security alone (the common criteria); the other domains are added at the option of the service provider or the entity requesting the report, based on the requester's needs.
One example of a control assessed and tested in a SOC 2 Report is background investigations. The organization might state that it conducts background investigations on all prospective employees before they are hired. The independent auditor would then sample the new hires from the period and look for evidence that a background investigation was completed before each start date.
There are times when the entity requesting the report isn’t fully clear on which of the domains needs to be included in the SOC 2 Report. In these cases we can help our clients figure out which components of the report will best accomplish their objectives, while managing resources most effectively.
Since the time and resources needed to complete the SOC 2 Report differ based on how many of the five domains are included, the total cost of the report is usually not computed until the initial assessment is conducted.
Organizations that Benefit from SOC 2 Reports
- Software-as-a-Service Companies
- Medical Billers
- Insurance Companies
- Advertising Agencies
- Data Centers
- IT Outsourcing Companies
- Event Planners
- Health Care Program Administrators
- Financial Service Providers
- Property Management Companies
- Third-party Vendors
- Cloud Providers
The SOC 2 Reporting Process
Securing the SOC 2 report is a multi-step process that can take anywhere from 6 to 12 months to complete, depending on the organization's maturity, its familiarity with the process, and whether the initial stages reveal deficiencies that must be addressed before the audit takes place. With the proper partner, the entire process should cause minimal inconvenience to your organization.
SOC 2 reports focus heavily on the operations surrounding an organization's cyber security controls. As such, some public accounting firms may prefer to avoid these types of audits. However, many Maloney + Novotny auditors possess decades of information technology related experience and are well versed in the related requirements and practices, so they are able to provide an unbiased, highly knowledgeable and trusted opinion.
We also work to make the process as easy as possible for our customers. SOC 2 reporting begins with a Readiness Assessment, followed by two stages, or "types", of report: Type 1 and Type 2. Most SOC 2 engagements include all three of these components.
The Readiness Assessment is the preparatory stage. It is an overall assessment across each of the SOC 2 criteria in which, together with the client, we develop an understanding of the relevant systems and controls that help you deliver your services, and look for any gaps in operational controls that should be addressed before the audit begins.
SOC 2 reports, unlike SOC 1 Reports, have prescribed criteria to be audited. Up to five different domains can be included, and each of these domains contains a number of specific items to be assessed.
During the Readiness Assessment, we work with clients to look at the controls in place at your organization and provide a baseline that you can consider before the audit begins. Part of this includes helping you to understand which of the five domains are relevant to the services you provide and to the customers requesting the SOC 2 report.
Since SOC 2 reports are generally well prescribed with an established framework, our Readiness Assessment process usually begins with an interview and checklist of controls that we can offer to our clients to help them identify the controls that should be in place within their organization. This also helps the client to formulate the explanation of controls they’re asked to provide for the SOC 2 report.
After the Readiness Assessment is completed, we normally begin the audit with a SOC 2 Type 1. A Type 1 report describes the controls in place as of a specific date and gives our opinion on whether those controls were suitably designed and implemented to meet the criteria as of that date, based on our audit testing. It does not test whether the controls operated effectively over a period.
Because the Type 1 report only characterizes the controls in place at one point in time, it generally does not provide enough assurance that the controls operated effectively over time. So once the Type 1 milestone is achieved, the next phase is typically a Type 2 Report, which attests to whether the service provider's systems and controls were in place and operating effectively throughout a period of time, which may be as short as 3 months but is most often up to 12 months.
Once the audit begins, whether Type 1 or Type 2, any deficiencies uncovered are reported as exceptions and are considered in rendering the opinion.
Components of a SOC 2 Report
A SOC 2 Report typically contains five sections:
Section 1: This is the independent auditor's opinion, where we state whether the service provider met the criteria laid out. There are three possible results that can be noted in this section: Unqualified Opinion, Qualified Opinion, or Adverse Opinion. (Attestation standards also allow a disclaimer of opinion, where the auditor is unable to obtain sufficient evidence to form a view, but that outcome is rare.)
The best possible result here is the Unqualified Opinion. This means the results of the audit were such that we can provide assurance without qualifying our opinion in any way: the system description is fairly presented, the controls were suitably designed to meet the applicable Trust Services Criteria and, for a Type 2 report, operated effectively throughout the period.
Next is the Qualified Opinion, where we provide assurance that the criteria were met except for one or more specific matters identified during our testing of how the controls operated. The exceptions are not pervasive enough to lead us to an adverse opinion, but they are stated in the opinion itself and report recipients will read them. Clients want to avoid receiving a Qualified Opinion if possible.
Third is the Adverse Opinion, which no client wants to receive. It indicates that, in our opinion, the service provider is not meeting the criteria it laid out, and that the deficiencies found in the company's controls are such that its customers cannot rely on the design or operating effectiveness of the service provider's controls.
Section 2: This is Management's Assertion, where the service provider's management asserts that the system description is fairly presented and that the controls were suitably designed (and, for a Type 2, operating effectively) to meet the criteria, and takes responsibility for that statement.
Section 3: This is the System Description, where the service provider explains in long-form narrative how it runs its services and which specific controls it applies to the data being used and stored. This may mean detailing how it collects information, how it processes that information, and how it performs risk assessment.
Section 4: The Test Matrix section offers a short-form listing of all the controls described in Section 3, together with the tests the independent auditor performed and their results. Any exceptions noted during testing are recorded here against the control they affect.
Section 5: This unaudited section is an opportunity for the service provider to include any additional information it wants report recipients to see and review. This often includes management's responses to the exceptions noted in Section 4 and how they have been remediated; because this section is not covered by the auditor's opinion, recipients should weigh it accordingly.