SOC 2 Type 2 compliance reporting is becoming much more common these days, due in large part to the continued growth of technology-oriented service organizations requiring regulatory audits. The old days of a one-size-fits-all standard (SAS 70) are long gone, so say hello to SOC 2 Type 2 compliance and the following five (5) important points you need to know about, provided by NDB Accountants & Consultants, a nationally recognized audit and compliance CPA firm.
1. SOC 1 vs. SOC 2. SOC 1 SSAE 16 assessments are those generally conducted on service organizations with a clear nexus to financial reporting, while SOC 2 assessments are targeted more towards technology-oriented service organizations. This is due to the technical and prescriptive language offered by the American Institute of Certified Public Accountants (AICPA), the developers of the SOC standards. Even so, you’ll find many technology companies being issued SOC 1 reports. Additionally, SOC 2 reporting is becoming quite well-known and is being received favorably in the marketplace, a clear break from its recent obscurity.
2. SOC 2 Reporting and the Trust Services Principles (TSP). SOC 2 Type 2 compliance entails the use of what’s known as the Trust Services Principles (TSP), a set of professional attestation and advisory services containing essential criteria-based information for assessing service organizations. Unlike SOC 1 reporting, which uses control objectives, SOC 2 Type 2 reporting is thus “criteria” based. Additionally, there are five (5) Trust Services Principles which can be used for reporting, consisting of the following:
• Security: The system is protected, both logically and physically, against unauthorized access.
• Availability: The system is available for operation and use as committed or agreed to.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
• Privacy: The service organization’s privacy policies and practices.
3. Policies and Procedures. One of the biggest challenges many service organizations face regarding SOC 2 Type 2 compliance is that of operational and information security policies, because the TSPs require them. While companies are generally very good at what they do, they are also generally very bad at documenting what they do, hence the need for policies and procedures. While there are many providers of IT policy templates, using a well-recognized firm specializing in SOC 2 Type 2 compliance is suggested, such as NDB, as we have developed our own SOC 2 policy templates, which include policies, procedures, and other supporting documentation.
4. Type 1 vs. Type 2. In the never-ending alphabet soup of regulatory compliance, it’s important to distinguish between SOC 2 Type 1 assessments and SOC 2 Type 2 assessments. For an ounce of clarity, just remember that SOC 2 Type 1 reports are issued as of a specific date, such as August 27, 20xx, while SOC 2 Type 2 reports cover what’s fundamentally known as a “test period”, which is generally a minimum of six (6) months. For purposes of growing regulatory compliance mandates, most clients will request that service organizations undertake an actual SOC 2 Type 2 assessment, as it ultimately provides greater evidence of one’s internal control environment.
5. Obtain a Fixed Fee with All Supporting Documents. The key to undertaking SOC 2 Type 2 compliance in an efficient and cost-effective manner is obtaining a fixed fee from a well-skilled CPA firm, and one that also offers all necessary information security and business-specific policies and procedures. Remember, SOC 2 Type 2 compliance is heavily dependent upon validating a service organization’s policies, procedures, and related processes. Expect SOC 2 Type 2 compliance to continue to expand and grow in the coming years as more technology-minded businesses opt for this type of reporting.
Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, to obtain a competitive, fixed fee for SOC 2 Type 2 compliance. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.