SOC 2 Type 2 compliance reporting is becoming much more common these days, due in large part to the continued growth of technology-oriented service organizations requiring regulatory audits. The old days of a one-size-fits-all standard – hence SAS 70 – are long gone, so say hello to SOC 2 Type 2 compliance and the following five (5) important points you need to know about, provided by NDNB Accountants & Consultants, a nationally recognized audit and compliance CPA firm.
1. SOC 1 vs. SOC 2. SOC 1 SSAE 16 assessments are generally conducted on service organizations with a clear nexus to financial reporting, while SOC 2 assessments are targeted more towards technology-oriented service organizations. This is due to the technical and prescriptive language offered by the American Institute of Certified Public Accountants (AICPA), the developers of the SOC standards. Even so, you’ll find many technology companies being issued SOC 1 reports. Additionally, SOC 2 reporting is becoming quite well-known and is being received favorably in the marketplace, a clear break from its recent obscurity.
2. SOC 2 Reporting and the Trust Services Principles (TSP). SOC 2 Type 2 compliance entails the use of what’s known as the Trust Services Principles (TSP) – a set of professional attestation and advisory services containing essential criteria-based information for assessing service organizations. Unlike SOC 1 reporting, which uses control objectives, SOC 2 Type 2 reporting is thus “criteria” based. Additionally, there are five (5) Trust Services Principles that can be used for reporting, which are the following:
• Security: The system is protected, both logically and physically, against unauthorized access.
• Availability: The system is available for operation and use as committed or agreed to.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
• Privacy: The service organization’s privacy policies and practices are adhered to.
3. Type 1 vs. Type 2. In the never-ending alphabet soup of regulatory compliance, it’s important to distinguish between SOC 2 Type 1 assessments and SOC 2 Type 2 assessments. For an ounce of clarity, just remember that SOC 2 Type 1 reports are issued as of a specific date, such as August 27, 20xx, while SOC 2 Type 2 reports cover what is known as a “test period”, which is generally a minimum of six (6) months. Because regulatory compliance mandates keep growing, most clients will request that service organizations undertake an actual SOC 2 Type 2 assessment, as it ultimately provides greater evidence of one’s internal control environment.
4. Obtain a Fixed Fee with All Supporting Documents. The key to undertaking SOC 2 Type 2 compliance in an efficient and cost-effective manner is obtaining a fixed fee from a well-skilled CPA firm, and one that also offers all necessary information security expertise. Remember, SOC 2 Type 2 compliance is heavily dependent upon validating a service organization’s procedures and related processes. Expect SOC 2 Type 2 compliance to continue to expand and grow in the coming years as more technology-minded businesses opt for this type of reporting. Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, to obtain a competitive, fixed fee for SOC 2 Type 2 compliance.