Take note of the following SOC 2 guidelines, which help service organizations undertake a comprehensive, efficient, and cost-effective assessment under the AICPA Service Organization Control (SOC) reporting framework.

1. Properly scope your SOC 2 assessment. With five (5) Trust Services Principles (TSP) to choose from, it is critically important to scope a SOC 2 assessment properly, both to ensure that customer expectations are met and to avoid putting your organization through unnecessary testing procedures. Some service organizations assess against all five (5) Trust Services Principles, but many test against only one or a few of them. Note that the Security principle is the baseline that every SOC 2 report covers; the remaining principles are added only where customers or contracts call for them. This matters because reducing the number of TSP in the audit scope can substantially reduce cost.

2. Understand the need for policies and procedures. SOC 2 compliance, like many other regulatory compliance laws and mandates, requires a large number of operational, business-specific, and information security policies and procedures to be in place. This is often one of the largest, and most overlooked, areas of SOC 2 compliance, and it needs to be addressed early on. The solution is a comprehensive security manual that can be easily customized to meet such needs. Try myinformationsecuritypolicy.com, along with itpolicyportal.com, two (2) great resources for high-quality information security policies, procedures, and other supporting documentation. Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.

3. SOC 2 is prescriptive, but also subjective in nature. Though the Trust Services Principles (TSP) provide adequate information on the relevant "criteria" needed to meet the intent and rigor of each principle, the assessment evidence requested can differ from one auditor to another. Moreover, your interpretation of what counts as acceptable evidence may well differ from the auditor's demands or recommendations. That is why service organizations should undertake a SOC 2 readiness assessment to ensure that scope, audit evidence, and all other matters are clearly resolved before the assessment itself begins.

4. Choose a firm with experience that offers a fixed fee. There are numerous firms offering SOC 2 assessments, so pick one that offers a fixed-fee model, giving you the exact cost of the audit upfront. Additionally, SOC 2 assessments can become somewhat complex, all the more reason to find a well-recognized CPA firm with years of regulatory compliance experience, such as NDNB. Call and speak with SOC 2 expert Chris Nickell, CPA, at 1-800-277-5415, ext. 706, today.

NDNB also offers comprehensive PCI DSS, HIPAA, FISMA, SOC 1 and numerous other regulatory compliance solutions.