How Often Do You Have to Do a SOC 2 Report?
Q: How Often Do You Have to Do a SOC 2 Report?
Answer: Generally speaking, (and while there is no hard and fast rule), SOC 2 reports are required annually from service organizations as validation that their controls are operating as designed. The once a year rule has been the consensus in that if you conduct your initial SOC 2 audit in year 1, then approximately twelve months later, a service organization should provide yet another report on the operating effectiveness of their controls. It’s a yearly process, and why? That’s because intended users of a SOC 2 report (i.e., clients, prospects, etc.) will want to gain assurances of a service organization’s control environment on a yearly basis – at a minimum.
6 Things to Know About SOC 2 Reports
(1). Start off with a Scoping & Readiness Assessment. It’s fundamentally important to perform an upfront scoping exercise for determining project scope, gaps that need to be corrected, third-parties that are going to be included in the audit, and much more.
(2). Remediation is Common, so don’t Be Alarmed. Very common, and it typically requires a thoughtful approach to remediating three (3) key areas. Remediating deficiencies in policies and procedures. Remediation deficiencies in terms of security tools and solutions. And remediating deficiencies in terms of operational issues. Together, these three areas can take time – no question about it – all the more reason for working with a proven, trusted firm with years of experience in helping service organizations all throughout the country, and that’s NDB.
(3). Documentation is Critically Important. Yes, it is. And when we speak about documentation, we’re talking about policies and procedures that need to be in place. Think access control, data backup, incident response, change management, and much more. Do you have policies and procedures in place for these areas – if not – you’ll need to start documenting them, and now. NDB offers a full-spectrum of policy templates – just another reason why service organizations turn to us time and time again.
Here's a short-list of information security policies and procedures you’ll need for becoming – and staying – SOC 2 compliant:
- Access control policies and procedures
- Data retention and disposal policies and procedures
- Incident response policies and procedures
- Change management policies and procedures
- Contingency planning
- Wireless Access
- Usage policies
(4). Security Tools and Solutions will Need to be Acquired. The AICPA SOC framework is becoming more technical these days, meaning that a number of security tools and solutions are required for SOC 2 compliance. Think File Integrity Monitoring (FIM), Two-Factor Authentication (2FA), Vulnerability scanning, Data Loss Prevention (DLP) and more. This requires an investment in both time and money that many service organizations are unaware of until they begin the process.
(5). Continuous Monitoring of Controls is a Must. SOC 2 audits are never one-and-done. Not at all. There’s a concept called “continuous monitoring” that’s in place and it means someone needs to take ownership of assessing one’s internal controls on a regular basis. If not, once the auditors re-appear for the annual SOC 2 audits, control deficiencies may have arisen – something you do not want.
NDB. North America’s SOC 2 Leaders. Fixed Fees