Do you ever feel like your job involves a lot of hammering on the same few key points over and over? Well that’s the way it works in the world of compliance: every client and situation is different, but many of their concerns and questions are universal. If SOC 2 is raising lots of questions in your mind, you aren’t alone, and your concerns are likely shared with most others working on this type of compliance.
While getting a high-level client ready for their recent SOC 2 compliance audit, many of their people brought up questions wanting to know more about SOC 2. Luckily for me, it turns out there’s only five questions they’re really asking! Below are the most requested questions about SOC 2 and my answers that I want to share with you.
1. What is the difference between the SOC 2 Type 1 and SOC 2 Type 2 Audit?
That is a good question, and one I get on a very regular basis. The Type 1 audit only assesses if the proper controls are in place at a point in time and typically requires just a couple of examples that the controls are in place. The Type 1 audit also assesses if you have adequate controls defined to meet each Trusted Services Criteria (i.e., Security, Availability, Processing Integrity, Confidentiality, and/or Privacy) you’re pursuing. Also in a Type 1 audit, the auditor does not include their opinion on the operational effectiveness of your controls or a detailed description of tests performed on those controls.
A Type 2 audit on the other hand assess the operational effectiveness of your controls by having you provide multiple evidence for the same controls over time, usually through sampling.
2. What does 'operational effectiveness' mean?
This means assessing your controls over time, say for six months. For example, if there’s a control that states you conduct vulnerability scans every month, then an auditor should be able to sample six months’ worth of scans as evidence to assess the effective of your controls.
3. Do I need a Type 1 Audit before pursuing a Type 2 Audit?
Technically no. However, you really need to understand the risks and other considerations before deciding this, as well as your timeline. Companies sometimes pursue a Type 1 first, because it’s faster to get a Type 1 report issued, since the you don’t have to wait for the examination period to elapse. Companies also choose a Type 1 as it sets a good foundation for ensuring that all the controls in the SOC 2 report are implemented as of the report date. For example, are your security controls in place prior to recommending this decision to leadership AND can you confidently provide evidence of operational effectiveness over time?
Companies that pursue a Type 2 first typically do so because they have a firm requirement from a customer for a Type 2 audit.
If this is your first SOC 2 audit, I would recommend pursuing the Type 1 first as this reduces your risk of missing any evidence prior to pursuing the Type 2 audit and sets the starting point of all your SOC 2 controls being implemented. Remember, the Type 2 audit measures effectiveness overtime, which means you do not want any huge gaps missing in your controls or the related evidence.
4. What does a 'passing' audit look like?
Another good question. The SOC 2 compliance certification does not have a set ‘passing or failing’ score. If your controls materially meet the Trust Services Criteria, you receive an unmodified opinion, which is a “clean” opinion. It is based on the auditor’s attestation on whether your security controls are in place and if you’re performing those controls as part of your ‘business as usual’ operations. There may be some exceptions to a few of your controls, which could result in a control exception, but you can still receive a “clean” opinion. If there are pervasive exceptions due to lack of evidence or not following your control, that may lead to a modification of the opinion. This example should give you a clearer idea of what a finalized SOC 2 compliance report contains (PDF).
5. If you had to recommend one lesson learned to carry forward, what would that be?
I would strongly recommend, if possible, selecting a CPA firm and get them involved as early as possible in your SOC 2 planning and implementation process. As I mentioned in my first blog The Road to SOC2, the more involved they are in your business, the more likely they will be able to understand the nuances of your implementation. Furthermore, they’ll be able to tell you if the controls you’re implementing will satisfy a criterion or not. You do not want to do all this work implementing these controls just to learn it doesn’t meet a criterion outlined in the AICPA Trusted Services Criteria.
Just remember, the CPA firm you select early on may say if you’re implementing the correct controls or not. They can give you ideas on how to implement controls, but management must take responsibility for implementing controls in order to remain independent.
I hope this has helped clarify some questions you may have had. Before you go on this compliance journey, you must ask the right questions. My hope is that I made this journey a bit easier for you.