What is a SOC 2 Audit?

A SOC 2 audit is an audit of a service organization’s non-financial reporting controls as they relate to the Trust Services Criteria – the security, availability, processing integrity, confidentiality, and privacy of a system.

A SOC 2 audit report provides user entities with reasonable assurance and peace of mind that the non-financial reporting controls at a service organization are suitably designed, in place, and appropriately protecting sensitive client data. Below, we explore the two types of SOC 2 audit reports.

How is a SOC 2 audit different from a SOC 1 audit? Watch our SOC 1 vs SOC 2 video or explore our guide to find out!

SOC 2 Type I vs. Type II: What’s the Difference?

AspectSOC 2 Type 1SOC 2 Type 2
ObjectiveTo assess the design of controls at a specific point in time.To evaluate the operational effectiveness of controls over a period of time.
Focus on TimeExamines controls as of a specific date.Examines controls over a minimum period of six months.
Nature of AuditPoint-in-time assessment.Period-of-time assessment.
Evaluation of ControlsAssesses if the company’s controls are properly designed to meet the Trust Services Criteria.Assesses both the design and the operational effectiveness of the controls.
Report LengthGenerally shorter, as it only covers the design of controls at a single point.Generally longer, as it covers the operation of controls over a period of time.
UsefulnessUseful for organizations that want to demonstrate they have a system in place with designed controls.Useful for organizations that want to show their controls are not only designed properly but also operating effectively over time.
AudiencePotential clients, partners, and stakeholders interested in the design of controls.Potential clients, partners, and stakeholders interested in the effectiveness of controls over time.
Frequency of AuditTypically performed once as a preliminary assessment.Performed annually or as required by stakeholders.
CostGenerally less expensive due to the narrower scope.More expensive due to the extended period of evaluation and more comprehensive nature.
Ideal ForNewer companies or those in the early stages of implementing a SOC program.Established companies with mature controls looking to demonstrate effectiveness over time.
Report ContentDescribes the systems and whether the design of specified controls meets the relevant Trust Services Criteria as of a specific date.Includes the information in Type 1 and also describes the operating effectiveness of controls over a review period.
Trust Services CriteriaSecurity, Availability, Processing Integrity, Confidentiality, and Privacy.Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Certification ValidityNo ongoing validity; it’s a snapshot in time.Provides ongoing assurance about the system, valid for the duration of the audit period.

SOC 2 Type I and Type II both report on the non-financial reporting controls and processes at a service organization as they relate to the Trust Services Criteria. There are many other similarities between SOC 2 Type I and SOC 2 Type II reports, but there is one key difference.

What is a SOC 2 Type I Report?

A SOC 2 Type I report—also written SOC 2 Type 1—is an attestation of controls at a service organization at a specific point in time. SOC 2 Type I reports on the description of controls provided by the management of the service organization and attests that the controls are suitably designed and implemented.

What is a SOC 2 Type II Report?

A SOC 2 Type II report—also written SOC 2 Type 2—is an attestation of controls at a service organization over a minimum six-month period. SOC 2 Type II reports on the description of controls provided by the management of the service organization, attests that the controls are suitably designed and implemented, and attests to the operating effectiveness of the controls.

During a SOC 2 Type II audit, the auditor will carry out field work on a sample of days across the testing period to observe how controls are implemented and how effective they are.

As you can see, the key difference between SOC 2 Type I and SOC 2 Type II reports is that Type II reports are conducted over a significantly longer period. This allows Type II reports to attest to control effectiveness, something that is not possible with the shorter Type 1 report, which can only attest to the suitability of design and implementation.

Which SOC 2 Compliance Report Is Right for Your Business?

As a CPA firm, we advise clients who are engaging in a SOC 2 audit for the first time to begin with a Type I and move on to a Type II the following audit period. This gives service organizations a good starting point and more time to focus on the description of their system, allowing them to mature their environment over time.

Start Your SOC 2 Audit Journey with KirkpatrickPrice Today

Many organizations are required to undergo a third-party SOC 2 audit, but we know this process can feel overwhelming. That’s why we’re here to partner with your organization from audit readiness to final report! If you have questions about which type of SOC report you need or want help demonstrating to your clients your commitment to security and compliance, connect with one of our experts today.

More SOC 2 Resources

SOC 2 Academy 

SOC 2 Compliance Checklist

Understanding Your SOC 2 Report 

SOC 2 Compliance Handbook: The 5 Trust Services Criteria 

What’s The Difference Between SOC 1, SOC 2, and SOC 3?

It is Cybersecurity Awareness Month! Every October we are reminded of the potential threats that are up against our cybersecurity. It is no surprise that employees make their way to the top of the vulnerability lists each year. It is time we created a culture of cybersecurity in the workplace.

Employees are often an organization’s weakest link. Whether it be the lack of funding or misunderstanding of cybersecurity best practices, security awareness training often becomes an afterthought. The reality is that security awareness training is a vital part of your cybersecurity that cannot go without doing. If there is even one person naive of cybersecurity best practices, they could unknowingly compromise the integrity of your security and dismantle your business processes. There is an endless number of ways this can happen, whether it be someone failing to recognize a phishing attempt, recycling weak passwords, not properly disposing of sensitive documents, neglecting company-wide security policies, or falling victim to any other attack tactics, techniques, and procedures (TTPs) of malicious hackers.

To battle the outbreak of human error in cybersecurity, many information security frameworks and regulations have made security awareness training a requirement.

  • What are the security awareness training requirements from each framework?
  • What does your organization need to do to ensure compliance with these standards?
  • How can security awareness training offer you peace of mind?

What Do Common Frameworks Require for Security Awareness Training?

  • SOC 2

    • AICPA (American Institute of Certified Public Accountants) explains that to earn compliance with common criteria 2.2, entities must “communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”
  • ISO 27001/27002

    • According to Requirement 8.2.2 of ISO 27001, “All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”
  • PCI DSS

    • According to requirement 12.6 of the PCI (Payment Card Industry) DSS (Data Security Standard), entities must implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  • NIST 800-53

    • According to requirement AT-2, an organization is responsible for “providing basic security awareness training to information system users.” There are also two control enhancements that encourage the practical exercise of insider and outsider cyber-attack simulations.
  • HIPAA Security Rule

    • According to the administrative safeguard, 45 CFR 164.308(a)(5), covered entities and business associates must “implement a security awareness and training program for all member of its workforce.”
  • HIPAA Privacy Rule

    • According to administrative requirements under the HIPAA Privacy Rule, 45 CFR 164.530(b)(1) says, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information… as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
  • GDPR

    • According to article 39(1)(b), Data Protection Officers are responsible for “monitoring compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits…”
  • FISMA

    • According to U.S.C. 3544. (b). (4). (A), (B) under FISMA, entities are required to implement “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.”

Prepare Your People for Cyber Threats

How can the regular training of your employees be a critical component of your organization’s compliance and security? It can have everything to do with it. By offering these resources to your employees you are ensuring that they are aware of your company’s cybersecurity policies and industry’s best practices. Security awareness training can help minimize your organization’s risk of a data breach, thus protecting your sensitive company data and your brand reputation. Security awareness training costs less than 1% of what the average breach costs, this makes the regular training of your employees worth the investment 100 times over.

We get a lot of questions about SOC 2 and PCI audits. Should your company do both? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 2 and PCI audit.

What are SOC 2 and PCI Audits?

Before we discuss how to go through a combined SOC 2 and PCI audit, let’s review what each of these types of audits are.

A SOC 2 audit is an assessment of the internal controls at a service organization that protect client data. The SOC 2 audit was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria). A SOC 2 audit must be conducted by a CPA firm.

The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The founding payment brands include Visa, Inc., MasterCard, Discover Financial, American Express, and JCB International. The PCI DSS consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. A PCI audit must be conducted by a QSA.

Why a Combined SOC 2 and PCI Audit?

Why would a company pursue a combined SOC 2 and PCI audit? Depending on your services, both could be valuable for your organization. PCI compliance may not actually be an option for you – rather, it’s a requirement. There are a couple different scenarios of why you would pursue a SOC 2 attestation along with your PCI RoC. You could have clients that appreciate your PCI compliance, but also specifically ask for a SOC 2 report from you. Or, in other circumstances, your clients may not know the value of your PCI RoC, so they require a SOC 2 report. Even when you’re not required to undergo a SOC 2 audit, though, you could consider doing a combined SOC 2 and PCI audit to get ahead of the competition on either or both types of compliance.

Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it’s always a wise decision to do your due diligence and know what your options are for meeting their requirements and industry standards. To effectively ensure that your controls meet the demands of the variety of clients and stakeholders that you serve, you should know that a combined SOC 2 and PCI audit is an option.

Using the Online Audit Manager

Our goal is to make SOC 2 and PCI reports more accessible to organizations who are being asked for them, so in order to complete a combined SOC 2 and PCI audit, we utilize the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and money. Completing a combined SOC 2 and PCI audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.

More SOC 2 and PCI Resources

4 Reasons to Start a PCI Audit Right Now

Using the Online Audit Manager to Complete Multiple Audits

4 Reasons the Online Audit Manager is the Audit Tool You’ve Been Missing

New Elements of SOC 2

In April 2017, the AICPA issued several updates to SOC 2 reporting. The most noticeable change is the revision from “Trust Services Principles and Criteria” to “Trust Services Criteria.” Other updates include points of focus, supplemental criteria, and the inclusion of the 17 principles from the 2013 COSO Internal Control Framework. Let’s take a look at how these principles will be used in a SOC 2 report.

Updates to the COSO Internal Control Framework

The COSO Internal Control Framework is used to assess the design, implementation, and maintenance of internal controls and assess their effectiveness. While the five basic components of the COSO Internal Control Framework – control environment, risk assessment, control activities, information and communication, and monitoring activities – have not changed, the 17 principles of principles of internal control that are aligned with each of the five basic components. Additionally, there are now 81 points of focus across these 17 principles.

What are the 17 Principles of Internal Control?

The introduction of these 17 principles of internal control allow for organizations to have an explicit understanding of what each of the five basic COSO components requires, making it easier for organizations to apply them. Every organization pursuing a SOC 2 report, regardless of size, must demonstrate that each of the 17 principles of internal control are present, functioning, and operating in an integrated manner. An organization’s ability to satisfy each of the five components and their subsequent principles demonstrates that they have an effective system of internal controls. The 17 principles of internal control include:

What are the 17 Principles of Internal Control?

The 17 internal control principles do not map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

[av_toggle_container initial=’1′ mode=’accordion’ sort=” styling=” colors=” font_color=” background_color=” border_color=” custom_class=”]
[av_toggle title=’Video Transcript’ tags=”]

The AICPA issued new SOC 2 Trust Services Criteria in 2017. These criteria must be used for any reports issued after December 15, 2018. Until that date, you have the option of using the 2016 criteria or the 2017 criteria.

One of the big things that is new in the 2017 criteria is the inclusion of the 17 principles from the COSO Internal Control Framework. These 17 principles have to do with things dealing with governance of the organization, how you communicate issues to the employees within your organization, how you perform risk assessments, or how you monitor your controls.

You can reference some of our other materials on the COSO Internal Control Framework and also visit our web portal, where you can find resources on this topic.

[/av_toggle]

[/av_toggle_container]

SOC 2 FAQs

When a client pursues a SOC 2 audit for the first-time, they normally ask: What are the requirements of a SOC 2 audit? How are we going to be judged? What can I do to prepare? Which Trust Services Criteria should I select? KirkpatrickPrice strives to be your audit partner and will work with your organization to answer each of these SOC 2 FAQs.

Preparing for a SOC 2 Audit

One of the most common SOC 2 FAQs is: How should I be preparing for a SOC 2 audit? One of the best things to do when preparing for a SOC 2 audit is review the purpose of the final component of a SOC 2 audit report, which describes the controls in place to meet the Trust Services Criteria and describes the auditor’s test of controls to determine the effectiveness of the controls. Each category of the Trust Services Criteria has standards that you must meet to demonstrate your compliance. When preparing for a SOC 2 audit, your organization should go through these standards and review how you meet each one.

For example, the security principle requires that the entity, your organization, “has established workforce conduct standards, implemented workforce candidate background screenings procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to the applicable Trust Services Principles.” How would you organization review how you meet this standard?

The first element of this criteria is workforce conduct standards. An assessor would ask your organization questions like:

  • What are your workforce conduct standards? For many organizations, this will be a part of your employee handbook.
  • Do you have employees acknowledge the employee handbook?
  • Do you offer training to teach what your workforce conduct standards are?

The security principle criteria also specifies background screening procedures. To verify compliance with this criteria, an assessor would ask your organization questions like:

  • Do you have written policies and procedures? This may also be a part of your employee handbook.
  • Can we see evidence that background screening reports have been ordered? We want to ensure that when an organization says they’re doing background screening, they’re actually doing background screening.

The last element in this example is conducting enforcement procedures.

  • How do you enforce employee handbook standards that govern workplace conduct?
  • How do you enforce the policies and procedures relevant to background screening?
  • Do you communicate the consequences of violating these standards to your employees?

How would your organization prepare for a SOC 2 audit? Preparing for a SOC 2 audit requires many exercises in risk management, internal control review, and comparison with the Trust Services Criteria. To discover answers to more of your SOC 2 FAQs, contact us today.

Some of the SOC 2 FAQs that we receive from clients who contact us about a SOC 2 report are: what are the requirements? What do I need to do to prepare? How are we going to be judged against the standard?

The way that a SOC 2 audit report works is we will be looking at criteria. As part of the Trust Services Principles (recently updated to the 2017 Trust Services Criteria), each principle has criteria that you must meet to demonstrate that you have placed this criteria into operation in order to meet the purpose of the principle that’s being audited.

Let me give you an example of a criteria so this idea can start to take shape and you can picture what an audit might look like when working with us during a SOC 2 engagement. In the security principle, which is also referred to as the Common Criteria for SOC 2 audit reports, there’s criteria that states, “The entity has established workforce conduct standards, implemented workforce candidate background screenings procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to the applicable Trust Services Principles.” When we look at that criteria, we’re going to be asking you: What are your workforce conduct standards? For a lot of people, that will be contained within an employee handbook that governs the conduct standards that you have for your employees while they’re under your employment. Do you have them acknowledge the handbook? Do you do training in order for them to understand what the standards are? Those are the types of things that we would look at in order to determine whether or not the criteria are in place.

This piece of criteria also specifies background screening procedures. So, we would expect to see a procedure on that written out, usually part of an employee handbook. We would also want to see evidence that the background screening reports have been ordered and you’re actually doing that for any employee hired. We have encountered situations where an organization says that they’re doing background checks in accordance with the criteria, but then we see that they haven’t done the background checks. We need to see that the criteria has been met.

The last piece in this example I’ve given you is that you conduct enforcement procedures in order to enable your organization to meet its commitments. In other words, if you have an employee handbook that governs workplace conduct, if you have a policy that you must perform background checks when people are hired, how do you enforce that? How do you make sure that people are actually following the rules? We would ask you how you monitor that, if you address standards in performance reviews, and do you communicate to your employees that violation of those standards or background check requirements would result in some type of discipline up to termination.

This is an example of criteria and how you’d be able to demonstrate that you meet the criteria. That’s the type of thing to prepare for in your SOC 2 audit report.