Build trust with SOC 2 in 2024

SOC 2 reports are independent assessments conducted by certified public accounting firms or other qualified auditors. These reports assure customers, stakeholders and regulatory bodies that a service organisation has implemented effective controls to protect the confidentiality, integrity and availability of customer data. The SOC 2 framework is based on a set of Trust Services Criteria (TSC) defined by the AICPA. These include Security, Availability, Confidentiality, Privacy and Processing Integrity.

Service organisations undergo a SOC 2 audit to assess the design and operating effectiveness of controls related to the TSC. The audit process involves evaluating the organisation's control environment, conducting testing procedures, and issuing a SOC 2 report that outlines the findings and conclusions.

No, it is an attestation report. It is commonly treated like a certification and often has accreditation logos, but there are three key differences:

1. You can achieve a SOC 2 report with exceptions or qualifications, but the report itself is still valid with those disclaimers included.
2. Instead of a single-page certificate, a SOC 2 report provides details of your compliance scope and processes in a system description. It also includes details of your controls and the auditor’s tests that validated those controls (for Type 2 reports).
3. There is no prescribed certification period. For SOC 2 you can choose your reporting dates and periods for Type 1 and Type 2 reports as needed.

SOC 2 follows a common industry standard when determining the scope. That is, by looking at which services, systems, data, processes and people are relevant to be secured to protect the customers and other parties that rely on that security.

This scope is formed by starting with a focus on a specific service. That may be one or more Software-as-a-Service offerings, platform infrastructure another function as a service, or professional services. This then cascades down to what systems are used to deliver the service(s), the data that is collected, the people that operate and support it, and the processes to manage the services in a secure manner that covers the SOC 2 Trust Services Criteria.

All SOC 2 reports include the Common Criteria for Security: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security is always included, but the subsequent areas can be added optionally.

• Security: included in all reports, this covers basic system and data security
  
• Availability: the reliability and resilience of your systems and services
  
• Confidentiality: how data is classified, handled and retained in line with its level of sensitivity
  
• Processing Integrity: the objectives of your services and how those are managed to ensure complete and accurate data processing
  
• Privacy: managing personally identifiable data in line with individuals’ privacy rights.
  

There are a few things to be aware of for SOC 2 reporting:

• There are 33 common criteria to satisfy by mapping your controls and implementing a state of compliance. We integrate with several compliance platforms to assist your compliance journey.
  
• The controls include documented policies, system configurations, and defined processes. Our PolicyTree solution generates your tailored set of policies that are the foundations of your compliance program.
  
• An audit is conducted to verify your compliance, which AssuranceLab performs. We have some flexibility for first-time reports, especially Type 1, that lets you fix things as we work through.
  
• A system description is prepared to overview your compliance scope and activities. We add your tailored controls, mapped to the criteria and the results of the audit (Type 2); we then both sign off to issue the final report.
  

The service organisation control, sometimes referred to as system and organisational control (SOC) standards has been around for decades. Their earlier use was driven by financial reporting objectives, later termed “SOC 1”. That’s where third parties would rely on IT systems or services, and that would impact their financial statement audits or other financial interests like in asset management or superannuation. 

As reliance on third-party services evolved with the rise in software as a service companies, these reports naturally evolved to being used for assurance over those third-party services even when no direct financial objectives were involved. The Trust Services Criteria were then introduced to better align with the modern needs of third parties that were reliant on security, availability, confidentiality, processing integrity and privacy. This became “SOC 2” to differentiate from the earlier SOC 1 purpose.

A SOC 3 report is a redacted version of a SOC 2 Type 2 report that can be published or more easily shared without the confidential information included in SOC 2 reports. A CPA firm like AssuranceLab issues the SOC 3 report using the relevant information from a SOC 2 Type 2 audit and it is usually issued alongside the SOC 2 Type 2 report.

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the SOC 1 control objectives. 

A Type 2 report attests to your compliance by both design and operation over a set period of time, usually between 3-12 months, to show your systems and processes have been operating consistently to satisfy the SOC 2 control criteria. 

Usually, a Type 1 report is issued first as baseline compliance. That marks the start of the live and recurring Type 2 audit period for reports issued annually. That is the industry standard but the SOC standards have the flexibility to choose the report dates and periods as desired (usually driven by customers’ expectations that drive the industry-standard approach).