By Mitchell Fink
Is your company being asked for a SOC 2 attestation by your customers? SOC 2 stands for Service Organization Control 2, which reports on various organizational controls related to the five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. It is an audit conducted by an authorized CPA firm, adhering to rules and a framework provided by the AICPA (American Institute of Certified Public Accountants).
If you provide a service to other companies and handle their data, they want to ensure that your processes are safe and their information is secure. To do this, you as a ‘third party’ can be subject to various queries by your customer’s Risk department. Often, they will require you to complete a complex questionnaire. If you have completed a SOC 2 audit and present it to them, the questionnaire can typically be overlooked.
Type I or Type II
Type I or Type II refers to how much information the auditor will look at to form their opinion. Type I means they will look at your company at a single point in time; whereas a Type II will cover a range of dates – from three months up to one year. Therefore, the broader scope of Type II tests the operating effectiveness of the controls.
The short answer to the question of whether a Type I or Type II audit is best for you can be considered in terms of risk factors, such as the following (on which I will elaborate in more detail in my next article):
- Positive Risk: Type II will help to obtain more business.
- Positive Risk: If we continue to attain a Type I, year-over-year, existing clients may be satisfied and business will continue.
- Negative Risk: If we do not have a Type II, we may not be able to obtain certain new clients.
- Negative Risk: If we do not attain a Type II, some existing clients may refuse to conduct additional business.
Conducting the Audit
At the beginning of a SOC 2 engagement, the firm needs to establish which combination of the five criteria will be examined. Due to the overlap of some controls, there are common criteria that can be reviewed to reduce the amount of duplicative work.
For example, the following is a control criterion examined during a SOC 2 audit:
Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented to meet the entity’s security and confidentiality commitments and system requirements.
The examined organization responds by stating:
Change Management requests are opened for events that require permanent fixes.
For a Type I examination, your firm would furnish documentation of a single example of a Change Management request. For a Type II examination, your firm would be asked to either furnish multiple examples over a period of time or all Change Management requests for that time period, from which the auditor would select their own sample.
SOC 2 Audit Outcomes
There are two possible outcomes to this examination:
- An Unqualified Opinion results when the examination contains no negative findings. This is the goal.
- The second results in a Qualified Opinion in which findings include weaknesses or lapses in the controls.
A SOC 2 program is not a ‘one and done’ event. Once you begin, you will need to conduct SOC 2 work (including an audit) each year. Participating in SOC2 represents your firm’s ongoing commitment to the five Trust Service Criteria on behalf of your clients: Security, Availability, Processing Integrity, Confidentiality, and Privacy. In this regard, the SOC 2 report serves as the foundation of a continuous improvement plan.
In addition to the above high-level considerations, deciding whether a Type I or Type II SOC 2 audit is best for your firm is also a financial decision. The cost of going to a Type II is more than the just the out-of-pocket expense paid to the auditing firm. There is the additional operational cost of fulfilling the sample requirements.
On the flip side, however, is that this fulfillment process often results in providing the advantage of providing for routinization and ongoing operational awareness that many firms who have gone this route have experienced.
As there are unique considerations for every business, your firm needs to consider whether the increased cost and effort of upping the game to Type II would be offset by…
- Increased business,
- Protecting existing business, or
- It may also include some pride in having achieved a higher level of certification that your firm meets the stringent SOC 2 safety and security standards.
Mitchell Fink, CDPSE, CISA has used his many years of project development experience helping companies adapt to the increase in Risk Assessments for IT environments. Your customers and regulators demand that your company comply with one or more frameworks. Mitchell helps companies achieve compliance by implementing policies and procedures and fulfilling the evidentiary requirements of attestations and certifications. Complete the form below to contact him to discuss your specific questions, circumstances, and needs.