After your first System and Organization Controls for Service Organizations 2 (SOC 2) report, you’ll most likely want to follow up every year with a new audit and report.
But you can have them done more often. And in some cases, you probably should.
First, however, it’s important to determine which kind of SOC audit your organization needs. The answer will depend on your entity’s objectives.
- A SOC 1 audit examines internal controls that affect your enterprise’s financial reporting. Are those controls well designed? Do they operate effectively, helping your organization produce accurate financial statements and meet its financial goals?
- A SOC 2 audit assesses your service organization’s controls that affect its information security, availability, and processing integrity, as well as data confidentiality and privacy (the five “trust services categories,” also known as “trust services criteria” and “trust services principles”).
- SOC 3 reports stem from the same SOC 2 audit, but generate a shorter, less-detailed, made-for-public-consumption report. These SOC 3 reports are commonly used for marketing purposes.
What is a SOC 2 audit?
SOC 2 auditors, who must be certified public accountants or a CPA firm, use as their auditing standard the American Institute of Certified Public Accountants’ (AICPA) Statement on Standards for Attestation Engagements No. 18 (SSAE-18), which emphasizes data security, especially of personal information. (Formerly they used SSAE-16.)
The audit report produced is not a SOC certification, but an attestation of compliance with SOC 2.
All SOC reports come in two types.
- Type 1 (type I) discusses SOC compliance at a single point in time, taking a “snapshot-in-time” approach and setting a baseline for future audits. Typically, a type 1 report follows an organization’s first-ever SOC audit.
- Type 2 (type II) reports audit SOC controls over the period since your last report, a period of up to 12 months.
Some organizations, however, get audited every six months. Often, these enterprises have ongoing concerns about their cybersecurity controls, including those designed to prevent unauthorized access to, and unauthorized disclosure of, information, and to protect sensitive customer data. They may also feel the need to pay extra attention to their regulatory compliance.
Since many companies won’t do business with a non-compliant service provider—examples are Software-as-a-Service (SaaS) companies, payment processors, data center service providers, and cloud computing service providers—having an up-to-date attestation report is essential.