Starting up with SOC 2: Know the SOC 2 controls and how CPAs are involved

You’ve been asked for your SOC 2, and you’re just diving into figuring out how to get it done. In this post we’ll share an overview of what organizations are looking for when they request your SOC 2, outline the SOC 2 controls that make up the report, explain how CPAs are involved in the process, and show how automation can help your company earn its SOC 2. 


Why did my company get asked for a SOC 2?


If you’ve been asked for your SOC 2, you might be a B2B, Software as a Service (SaaS), or Platform as a Service (PaaS) provider, and your company likely processes or stores personal or confidential customer information. Your company may work with organizations in the retail or financial sectors, in healthcare, or in other industries that collect and manage customer data. 


As organizations outsource various functions of their work — and come to you to utilize your company’s services — customer data and information is shared among an increasing number of service providers. With more companies accessing and storing an organization’s data to provide multifaceted services, the risk of data breaches increases. Organizations (known as user entities) may engage the work of service organizations to streamline their business, but they retain overall responsibility for the safety and security of their customers’ data. As organizations partner with vendors to deliver key services, they need a way to ensure that vendors are keeping data safe and secure — and service organizations need to demonstrate that they can maintain appropriate security practices. That’s where the SOC 2 comes in.


The American Institute of CPAs (AICPA) has developed three different SOC for Service Organization assessment frameworks: these are the SOC 1, SOC 2, and SOC 3. A SOC 2 report is often the primary document that security departments reference to assess a vendor’s security risk. SOC 2 reports assure customers and other business partners that you have security guidelines in place and that you follow through on them. (A SOC 1 documents controls relevant to an audit of a customer's financial statements, and a SOC 3 summarizes a SOC 2 report for general consumption.) SOC audits and their resulting reports were created to provide a trustworthy third-party review of the security controls in place at a service organization — helping user entities choose vendors who employ verified security practices, and helping service organizations build credibility and trust with the organizations they serve.

What are the SOC 2 controls that make up a SOC 2 report?


A SOC 2 audit entails a review and report on the controls in place at a service organization across five categories known as the Trust Services Criteria. A SOC 2 assesses an organization’s controls relevant to the Security, Availability, and Processing Integrity of the systems the organization uses to process users’ data, as well as the Confidentiality and Privacy of the information processed by these systems. No two SOC 2 reports look the same, because companies follow different security practices and must address different client needs.

Category             | Description
---------------------|------------------------------------------------------------------------------------------------------------
Security             | Included in all SOC 2 reports. Your systems and the data you store are protected against unauthorized access and unauthorized disclosure.
Availability         | Your information and systems are available for operation and use.
Confidentiality      | Confidential information is protected.
Processing integrity | System processing is complete, valid, accurate, timely, and authorized. Customer data remains correct throughout the course of data processing.
Privacy              | Personal information is collected, used, retained, disclosed, and disposed of in accordance with pre-stated policies.

Although the Confidentiality category applies to any sensitive information, the Privacy category applies only to personal information.


You play a role in shaping your company’s SOC 2 audit process — which means you have some decisions to make. Your company determines how your audit and report are structured — i.e. which of the SOC controls you’ll want to focus on to address your clients’ needs and other industry compliance requirements — and with whom you’ll work to complete your audit. 


Note that of the five Trust Services Criteria, only the Security category is required to obtain a SOC 2; a Security audit seeks to monitor and confirm that systems and data stored by a company are protected against unauthorized access and unauthorized disclosure. The other categories are optional, and relevant to your company depending on your business model, the industry in which you work, and your customers’ needs. Many early-stage startups may choose to start the SOC 2 process with an evaluation of the Security category alone.

Speed up your SOC 2 with a CPA + automation


As you build a SOC 2 roadmap for your company in preparation for your audit, know that you’ll need to work with a CPA to complete your audit and obtain your report. The CPA plays an essential role in your SOC 2 process, providing an objective third-party assessment of your company’s security controls and practices. 


Getting a SOC 2 has typically meant embarking on a lengthy plan of extensive manual evidence collection and systems monitoring by multiple team members; some companies even have teams dedicated specifically to managing the SOC 2 process. The SOC 2 previously would have involved many pre-audit hours on-site with an auditor, conducting in-depth staff interviews and manually collecting evidence on a range of security practices. Then companies would implement fixes in preparation for the audit itself, followed by more interviews and evidence collection. Capping it all off, an auditor would document the lengthy process and prepare the official report. A SOC 2 is typically valid for 12 months — at which point it’s time to start the process again. 


Your company also has the option of integrating Vanta’s compliance software into your SOC 2 process — streamlining the audit and SOC 2 report development for you and your auditor alike. Vanta is “security in a box” for companies of all sizes — helping you get audit-ready fast, and supporting your company through a successful SOC 2 audit and beyond. Vanta works by connecting to your company’s major software, administration, and security systems; the software continuously monitors your system and services, collecting information about your security to prove your compliance over time. We’ll work with you to customize your security monitoring needs, and to tailor your SOC 2 to meet the needs of your company and your customers.


Vanta also partners with AICPA-registered audit firms to connect you with a trusted CPA to conduct your audit. Our audit firm partners are trained on Vanta’s software, and are experts in how to best leverage its resources to gather evidence to support your smooth and effective audit.


Kick off your compliance journey with a seasoned traveler by your side: get started with Vanta today.
