Q: How Often Do You Have to Do a SOC 2 Report?
Answer: Generally speaking, and while there is no hard and fast rule, SOC 2 reports are expected annually from service organizations as validation that their controls are operating as designed. The once-a-year rule has become the consensus: if you conduct your initial SOC 2 audit in year 1, then approximately twelve months later the service organization should provide another report on the operating effectiveness of its controls. Why is it a yearly process? Because the intended users of a SOC 2 report (clients, prospects, etc.) want assurance about a service organization's control environment on a yearly basis, at a minimum.
6 Things to Know About SOC 2 Reports
(1). Start off with a Scoping & Readiness Assessment. It's fundamentally important to perform an upfront scoping exercise to determine project scope, the gaps that need to be corrected, the third parties that will be included in the audit, and much more.
(2). Remediation is Common, so Don't Be Alarmed. It is very common, and it typically requires a thoughtful approach to three (3) key areas: remediating deficiencies in policies and procedures, remediating deficiencies in security tools and solutions, and remediating deficiencies in operational issues. Together, these three areas can take time, no question about it, which is all the more reason to work with a proven, trusted firm with years of experience helping service organizations throughout the country, and that's NDB.
(3). Documentation is Critically Important. When we speak about documentation, we're talking about the policies and procedures that need to be in place. Think access control, data backup, incident response, change management, and much more. Do you have policies and procedures in place for these areas? If not, you'll need to start documenting them now. NDB offers a full spectrum of policy templates, just another reason why service organizations turn to us time and time again.
Here's a short list of the information security policies and procedures you'll need for becoming, and staying, SOC 2 compliant:
- Access control policies and procedures
- Data retention and disposal policies and procedures
- Incident response policies and procedures
- Change management policies and procedures
- Contingency planning policies and procedures
- Wireless access policies and procedures
- Usage policies
(4). Security Tools and Solutions Will Need to Be Acquired. The AICPA SOC framework is becoming more technical, meaning that a number of security tools and solutions are now required for SOC 2 compliance. Think File Integrity Monitoring (FIM), Two-Factor Authentication (2FA), vulnerability scanning, Data Loss Prevention (DLP), and more. This requires an investment of both time and money that many service organizations are unaware of until they begin the process.
Luckily, NDB has years of experience working with service organizations that need to become SOC 2 compliant. Our expertise translates into helping you find viable tools and solutions that are cost-effective and easy to implement. Contact CPA Christopher Nickell at 1-800-277-5415, ext. 706 today.
(5). Continuous Monitoring of Controls is a Must. SOC 2 audits are never one-and-done. The concept of "continuous monitoring" means that someone needs to take ownership of assessing your internal controls on a regular basis. If nobody does, then by the time the auditors return for the annual SOC 2 audit, control deficiencies may have arisen, which is something you do not want.
(6). It's an Annual Process. Finished your first SOC 2 audit? Congratulations, but keep in mind that as a service organization you'll be expected to undergo an annual SOC 2 compliance assessment. It's the new world of regulatory compliance, so get used to it, and get on board with a firm that offers fixed fees, proven service, and so much more.
NDB. North America’s SOC 2 Leaders. Fixed Fees
NDB has issued over 1,000 SOC 1 and SOC 2 reports over the last decade. We know the AICPA SOC framework inside and out. Contact CPA Christopher Nickell at 1-800-277-5415, ext. 706 today. Whatever the industry, from banking to IT, manufacturing, and more, NDB is the firm for helping you become, and stay, SOC 2 compliant. Let's get started today.