Since the American Institute of Certified Public Accountants (AICPA) created the System and Organization Controls for Service Organizations 2 (SOC 2), it should come as no surprise that only CPAs and CPA firms are qualified to conduct SOC 2 attestation audits.
The auditor or auditing firm must be independent, meaning that they have no relationship, professional or otherwise, with the organization they are auditing.
What is SOC 2?
SOC 2 is a framework for determining whether a service organization’s controls and practices are effective at safeguarding the privacy and security of its customer and client data. The AICPA created SOC 2 in response to growing concerns over data privacy and security.
SOC 2 is one of three AICPA frameworks for third-party service organizations:
- SOC 1 governs organizational internal controls that affect the enterprise’s financial reporting and statements. Are the controls well designed? Do they work, helping the organization to meet its financial goals?
- SOC 3 covers the same subject matter as SOC 2, but the report generated is somewhat different and less detailed. SOC 3 reports are less technical, aimed at a general audience. They are often used for marketing purposes to demonstrate compliance with SOC 2.
Audits for all three reports use a set of AICPA auditing standards known as Statement on Standards for Attestation Engagements No. 18 (SSAE-18).
There are two types of SOC 2 reports:
- Type 1, often an organization’s first-ever SOC 2 report, looks at controls governing data security and privacy at the time of the audit.
- Type 2 reports discuss the effectiveness of your organization’s information security and privacy controls since your last SOC audit, which typically means one year.
The two types of reports are used differently by organizations:
- SOC 2 Type 1 takes a “snapshot-in-time” approach, setting a baseline for future audits.
- SOC 2 Type 2 asks how well your data security and privacy controls have worked since your last SOC 2 audit.
So, the audit procedure some organizations follow is:
- Type 1 for the first SOC 2 audit
- Type 2 for subsequent SOC 2 audit.
How SOC Audits Work
SOC auditors are regulated by the AICPA and must comply with its professional standards. They must also adhere to AICPA guidance on planning, executing, and supervising audit procedures, and submit to a peer review attesting to their credentials and the validity of their audits—whether they use accepted auditing standards.
CPA organizations may employ IT and cybersecurity professionals to help them prepare for a SOC 2 audit, but a CPA must issue the final report.
A SOC 2 assessment works much like any other audit. The independent CPA or accounting firm you choose can help you determine your audit scope, a critical first step in which you determine:
- Which of the 5 SOC principles, now called Trust Services Categories (TSC), apply to your organization?
- Which SOC report you need: Type 1 or Type 2?
The five SOC Trust Services Categories are:
- “The security, availability, and processing integrity of the systems the service organization uses to process users’ data,” and
- “The confidentiality and privacy of the information processed by these systems.”
For each applicable Trust Services Category, the auditor will examine your controls, a process that includes evidence collection, to evaluate whether they are working as they should. Documents the auditor may examine include:
- Organizational charts
- Asset inventories
- Onboarding and off-boarding processes
- Change management processes.
If the auditor finds problems or gaps, no worries: You’ll have an opportunity for remediation. Findings can drive up audit costs, however, so thorough preparation using a SOC 2 audit checklist is your best bet for efficiency and ease.