It’s easy to get lost in all of the acronyms and "audit speak" around SOC 2 reports. Your customers may be already asking, “do you have a SOC 2?” To be more confusing, there are Type I and Type II versions, and a whole host of other reports such as SOC 1/SSAE 18. SOC 2 reports are generally best for companies that process or store information for customers. Maybe you’re a SaaS software startup, a multinational cloud company, or anything in between, the SOC 2 report is likely the best report for you.
SOC 2 reports are designed to provide external entities such as customers, partners, and audit firms with assurance that a company’s information systems have the appropriate internal controls around one or more of the Trust Services Principles and Criteria (e.g. security, availability, processing integrity, confidentiality, or privacy). Recently, the principles and criteria have been restructured into 1 common criteria that is applicable to security, availability, processing integrity, and confidentiality. The less commonly used privacy principle is now contained in the generally accepted privacy principles (GAAP).
The SOC 2 Type I report is typically the first step a company takes down the road of compliance. It provides an overview of your company and control environment, references to your policies and procedures, and an opinion on the suitability and design of the controls in place at the point in time of the audit. If a company is prepared, a Type I audit and report can be issued within a relatively short period of time. Type I reports are almost always just a stepping stone toward a SOC 2 Type II report.
The SOC 2 Type II report is the one that your customers and partners are after. It reports on the effectiveness of the controls within your company. Are you actually following all of your policies and procedures? Have you implemented all of those security controls? It takes a high level of commitment for a company to rise to the standard of a SOC 2 audit. The struggle of most companies is knowing what level of control is right for the company size. Per AICPA guidance, SOC 2 reports must cover a period of at least 6 months. This means the Type II report can not be issued until at least 6 months after the Type I. Planning ahead and getting started early is only way you’ll be able to meet the needs of your customers.
Let us help you find out what compliance framework is best for your business.
Learn how SOC 1 reports can help businesses with services that impact financial reporting meet the needs of customers and partners.
Learn how SOC 2 reports differ from SOC 1 and are best-suited for companies providing information services such as SaaS and cloud companies.
Learn how HIPAA no longer impacts just healthcare companies. If your company stores any health data (even on behalf of a customer), you're liable.